Jibril Runtime Security v2.4: Reactions to Detections
# Jibril Runtime Security v2.4
## Programmable JavaScript Reactions to OS Security Events
We've just released Jibril v2.4 with a new "Reactions" system that changes how runtime security works. Instead of only detecting and alerting, you can now write JavaScript that runs automatically in response to real-time OS security events.
## How it works
Jibril monitors the OS (file access, process execution, network activity, specific kernel logic). When an event matches a detection rule, the event is first written to the enabled printers (the configured outputs), and then the JavaScript reactions attached to that rule are triggered. Reactions run in isolated V8 contexts with direct access to system operations:
```javascript
function process(data) {
  // Multi-stage response to a crypto miner detection.
  // `data` is the matched event; Error/Info, KillCurrent, NetBlockIp, CreateTempDir,
  // WriteFile, DataGet and DataSet are helpers Jibril injects into the V8 context.
  if (data.file.basename.match(/^(xmrig|ethminer|cgminer)$/)) {
    Error("Crypto miner detected: " + data.process.cmd);
    // Immediate containment
    KillCurrent(); // Terminate the process that triggered the event
    NetBlockIp();  // Block the event's network peer
    // Evidence collection
    let dir = CreateTempDir("miner-incident-*");
    let evidence = {
      timestamp: new Date().toISOString(),
      process_ancestry: data.base.background.ancestry,
      command_line: data.process.cmd
    };
    WriteFile(dir + "/evidence.json", JSON.stringify(evidence));
    // Track incidents across reaction runs (the key-value store persists between executions)
    let count = parseInt(DataGet("miners_terminated") || "0", 10) + 1;
    DataSet("miners_terminated", String(count));
    Info("Miner #" + count + " terminated and blocked");
  }
}
```
## Technical capabilities
Jibril provides a comprehensive API with 25+ helper functions:
- Process management: `KillCurrent()`, `KillParent()`, `KillProcess(pid)`, with safety controls
- Network policy: `NetBlockIp()`, `NetBlockDomain()`, `NetBlockIpTimer()`, for real-time blocking
- File operations: `ReadFile()`, `WriteFile()`, `CreateTempDir()`, with secure permissions
- Data persistence: a key-value store that survives across executions
- *Emergency controls*: `PowerOff()`, `Panic()`, for critical threats
Each reaction runs in an isolated V8 context with error handling, executes in milliseconds, handles concurrent execution automatically, and leaves an audit trail.
Check the examples: https://github.com/garnet-org/jibril-wahy/tree/main/jibril/tests
## Beyond simple automation
The programmability enables more sophisticated logic than a fixed "alert then kill" pipeline:
- Graduated responses: start with logging, escalate to blocking, terminate only as a last resort
- Context-aware decisions: block external IPs but allow-list internal infrastructure
- Cross-event correlation: track patterns across multiple security events
- Custom evidence collection: automatically gather exactly the forensic data you need
Reactions are defined in YAML alongside the detection rules, so response logic stays coupled with detection logic. Start conservative (log only) and increase automation gradually once you have seen what a rule actually matches on your hosts.
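As an added example (not part of the original post and not code from the Jibril project), here is a reaction that combines the first three points above: it counts contacts per remote address in the persistent key-value store, logs the first contact, blocks on the second, terminates on the third, and never blocks a peer inside the private RFC 1918 ranges. Jibril injects the helper globals at runtime; the stand-ins at the top of the block only record calls so the logic can be exercised outside Jibril. The event field `data.flow.remote_ip`, the `beacons:` key prefix, the internal ranges and the function name `reactToFlow` are assumptions for this example; in a real reaction the body goes in the `process(data)` entry point shown in the snippet above.

```javascript
// Added example, not Jibril's own code. Stand-ins for the helper globals that
// Jibril provides inside the V8 context (Info, DataGet, DataSet, NetBlockIp,
// KillCurrent); they only record what the reaction would have done.
const actions = [];
const kv = new Map();
const Info = (msg) => { actions.push("log:" + msg); };
const DataGet = (key) => (kv.has(key) ? kv.get(key) : ""); // assumption: unset key reads as empty
const DataSet = (key, val) => { kv.set(key, val); };
const NetBlockIp = () => { actions.push("block"); };
const KillCurrent = () => { actions.push("kill"); };

// Internal ranges that must never be blocked (assumed for this example).
const INTERNAL_CIDRS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"];

// Parse a dotted-quad IPv4 address into an unsigned 32-bit integer.
function ipToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new RangeError("not an IPv4 address: " + ip);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// True when ip falls inside the CIDR block "a.b.c.d/bits".
function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return (ipToInt(ip) & mask) === (ipToInt(base) & mask);
}

function isInternal(ip) {
  return INTERNAL_CIDRS.some((c) => inCidr(ip, c));
}

// The reaction body. Escalates per remote address across events; internal
// peers are logged but never blocked. Returns the action taken.
function reactToFlow(data) {
  const remote = data.flow.remote_ip; // assumed event field name
  const key = "beacons:" + remote;
  const seen = parseInt(DataGet(key) || "0", 10) + 1;
  DataSet(key, String(seen));

  if (isInternal(remote)) {
    Info("internal peer " + remote + " seen " + seen + "x, not blocking");
    return "log";
  }
  if (seen === 1) {
    Info("first contact with " + remote + ", logging only");
    return "log";
  }
  if (seen === 2) {
    Info("repeat contact with " + remote + ", blocking network");
    NetBlockIp();
    return "block";
  }
  Info("persistent contact with " + remote + ", terminating process");
  NetBlockIp();
  KillCurrent();
  return "kill";
}

// Constructed events: three from one external peer, two from an internal one.
// State is reset so the demo is repeatable.
function demo() {
  kv.clear();
  actions.length = 0;
  const ext = { flow: { remote_ip: "203.0.113.7" } };
  const internal = { flow: { remote_ip: "10.1.2.3" } };
  return [reactToFlow(ext), reactToFlow(ext), reactToFlow(ext),
          reactToFlow(internal), reactToFlow(internal)];
}

console.log(demo()); // ["log", "block", "kill", "log", "log"]
```

The escalation counter lives in the key-value store rather than in a JavaScript variable because each reaction invocation gets a fresh V8 context; only `DataGet`/`DataSet` carry state from one event to the next. The internal-range check runs before the counter is consulted so an allow-listed host can never be blocked no matter how often it is seen.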
## Why this approach matters
Traditional tools detect threats but still require a human analyst to respond. That leaves a gap in which the threat keeps running while humans investigate. By making the response programmable and immediate, you can stop a threat the moment it is detected while keeping humans in the loop for review.
The isolation model means a bug in the JavaScript (an unhandled exception, a runaway loop) is contained to that reaction's V8 context rather than taking down the agent or the host. Isolation does not, however, limit what a correctly executing reaction is permitted to do: a reaction that calls `KillProcess()` on the wrong PID or `PowerOff()` on a false positive will do exactly that. This is why the guidance above is to start with logging and promote a reaction to blocking or termination only after its match logic has been observed on real events.
## Full documentation:
- https://jibril.garnet.ai/customization/reactions
- https://jibril.garnet.ai/customization/alchemies
- https://jibril.garnet.ai/customization/attenuator
Have fun!