RohitKumarReddySakam/guardian-edr

GitHub: RohitKumarReddySakam/guardian-edr

A lightweight endpoint detection and response platform that uses YAML rules and a heuristic ML classifier for automated, fully offline detection and response.

Stars: 0 | Forks: 0

[![Python](https://img.shields.io/badge/Python-3.11+-3776AB?style=for-the-badge&logo=python&logoColor=white)](https://python.org) [![Flask](https://img.shields.io/badge/Flask-3.0-000000?style=for-the-badge&logo=flask&logoColor=white)](https://flask.palletsprojects.com) [![MITRE](https://img.shields.io/badge/MITRE-ATT%26CK-FF0000?style=for-the-badge)](https://attack.mitre.org) [![Docker](https://img.shields.io/badge/Docker-Ready-2496ED?style=for-the-badge&logo=docker&logoColor=white)](https://docker.com) [![License](https://img.shields.io/badge/License-MIT-22C55E?style=for-the-badge)](LICENSE) [![Rules](https://img.shields.io/badge/Detection_Rules-14_YAML-64ffda?style=flat-square)](.) [![MITRE](https://img.shields.io/badge/MITRE_Techniques-14-64ffda?style=flat-square)](.) [![Classifier](https://img.shields.io/badge/ML_Classifier-Shannon_Entropy-64ffda?style=flat-square)](.) [![Air_Gap](https://img.shields.io/badge/Air--Gap-Capable-22c55e?style=flat-square)](.)

## 🎯 Problem Statement

Commercial EDR agents cost **$30–50 per endpoint per year** and rely on heavyweight kernel drivers and cloud telemetry. Guardian EDR provides:

- **Real-time telemetry ingestion from any agent or log forwarder**
- **YAML detection rules** (Sigma-compatible) covering 14 MITRE techniques
- **Heuristic ML classifier**: Shannon entropy, process risk scoring, no pre-trained model
- **Automated response**: endpoint isolation, process termination, forensic collection
- **Zero external API dependencies**: works fully in offline environments

| Feature | Details |
|---------|---------|
| **Detection rules** | 14 YAML rules: persistence, lateral movement, data exfiltration |
| **ML classifier** | Shannon entropy + process risk + command-line heuristics |
| **Response actions** | Isolate, kill process, forensic collection, hash blocking |
| **Alert deduplication** | MD5-based 5-minute sliding window |
| **Batch ingestion** | Up to 1,000 events per API call |

## 🏗️ Architecture

## 🔍 Detection Rules
### 🔒 Persistence (5 rules)

| Rule | Name | MITRE |
|------|------|-------|
| persist-001 | Registry Run Key Persistence | T1547.001 |
| persist-002 | Startup Folder Dropper | T1547.001 |
| persist-003 | Scheduled Task Creation | T1053.005 |
| persist-004 | Cron Job Persistence | T1053.003 |
| persist-005 | SSH Authorized Keys Modification | T1098.004 |
### 🔀 Lateral Movement (5 rules)
| Rule | Name | MITRE |
|------|------|-------|
| exfil-001 | HTTP/S Upload (curl/wget) | T1041 |
| exfil-002 | Compress Sensitive Directories | T1560.001 |
| exfil-003 | DNS Tunneling | T1048.003 |
| exfil-004 | SMTP Exfiltration | T1048.002 |
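The three pieces the README describes (YAML rule matching against normalised events, the Shannon-entropy heuristic classifier, and MD5-keyed deduplication over a 5-minute sliding window) fit together as one pipeline. The sketch below is an added example written for this page, not code from the guardian-edr repository: the two rules are constructed to mirror persist-001 and exfil-001 from the tables above and are given as the Python dicts that `yaml.safe_load` would return (PyYAML loading is left out so it runs on the standard library alone); the field names, scoring weights, verdict thresholds and the `ml-heuristic` pseudo-rule are assumptions, not the project's own schema.

```python
import hashlib
import math
import re
import time
from collections import Counter

# Two rules in the shape `yaml.safe_load` would return for a rules file. Constructed for this
# example to mirror persist-001 and exfil-001 from the README tables; the project's real
# rules/*.yaml files and their schema are not reproduced here.
RULES = [
    {"id": "persist-001", "name": "Registry Run Key Persistence", "mitre": "T1547.001",
     "match": {"process_name": ["reg.exe"], "cmdline_regex": r"(?i)\\CurrentVersion\\Run\b"}},
    {"id": "exfil-001", "name": "HTTP/S Upload (curl/wget)", "mitre": "T1041",
     "match": {"process_name": ["curl", "curl.exe", "wget"],
               "cmdline_regex": r"(?i)(\s-T\s|--upload-file|--post-file)"}},
]
# Heuristic inputs and weights are assumptions; the project's threat_classifier.py may differ.
INTERPRETERS = {"powershell.exe", "pwsh", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ENCODED_FLAG = re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)(\s|$)")
BASE64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

def rule_matches(rule, event):
    """Every field listed in the rule's `match` block must match the normalised event."""
    m = rule["match"]
    names = [n.lower() for n in m.get("process_name", [])]
    if names and event.get("process_name", "").lower() not in names:
        return False
    rx = m.get("cmdline_regex")
    return rx is None or re.search(rx, event.get("cmdline", "")) is not None

def shannon_entropy(s):
    """Bits per character: 0.0 for one repeated symbol, 5.0 for 32 distinct symbols."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())

def heuristic_score(event):
    """0-100 risk score with no trained model: interpreter, encoded-command flag, blob entropy."""
    proc, cmd = event.get("process_name", "").lower(), event.get("cmdline", "")
    score = 30 if proc in INTERPRETERS else 0
    if ENCODED_FLAG.search(cmd):
        score += 40
    # Only base64-alphabet tokens are measured, so high-entropy file paths do not trip this part.
    blobs = [t for t in cmd.split() if BASE64_TOKEN.match(t)]
    if blobs and max(shannon_entropy(t) for t in blobs) >= 3.5:
        score += 30
    return score

def verdict(score):
    return "malicious" if score >= 70 else "suspicious" if score >= 40 else "benign"

class AlertManager:
    """MD5-keyed deduplication over a sliding window (300 s, as the README states)."""

    def __init__(self, window_seconds=300):
        self.window = window_seconds
        self.last_seen = {}  # md5 hex key -> time the alert was last emitted

    @staticmethod
    def key(endpoint_id, rule_id, process_name, cmdline):
        raw = "|".join([endpoint_id, rule_id, process_name, cmdline]).encode("utf-8")
        return hashlib.md5(raw).hexdigest()

    def should_emit(self, key, now):
        # Evict expired keys first so the table cannot grow without bound.
        for k in [k for k, t in self.last_seen.items() if now - t >= self.window]:
            del self.last_seen[k]
        if key in self.last_seen:
            return False
        self.last_seen[key] = now
        return True

def process_event(event, manager, now):
    """Rule pass, then heuristic pass; returns only the alerts that survive deduplication."""
    hits = [r for r in RULES if rule_matches(r, event)]
    score = heuristic_score(event)
    label = verdict(score)
    if label != "benign":
        hits.append({"id": "ml-heuristic", "mitre": "-"})
    alerts = []
    for r in hits:
        k = AlertManager.key(event["endpoint_id"], r["id"], event["process_name"], event["cmdline"])
        if manager.should_emit(k, now):
            alerts.append({"rule": r["id"], "mitre": r["mitre"], "score": score, "verdict": label})
    return alerts

if __name__ == "__main__":
    mgr = AlertManager()
    # Constructed telemetry; the first cmdline is the one shown in the README's API section.
    for ev in [
        {"endpoint_id": "ep-1", "process_name": "powershell.exe", "cmdline": "powershell -enc SQBFAFgA"},
        {"endpoint_id": "ep-1", "process_name": "reg.exe",
         "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v upd /d C:\tmp\u.exe"},
        {"endpoint_id": "ep-1", "process_name": "explorer.exe", "cmdline": "explorer.exe"},
    ]:
        print(ev["process_name"], "->", process_event(ev, mgr, time.time()))
```

Two design points worth noticing when adapting this: the entropy component is only applied to tokens drawn from the base64 alphabet, because ordinary file paths and registry keys also score above 4 bits per character and would otherwise flood the classifier with false positives; and the dedup key includes the rule ID, so the same command line hitting two rules still produces two distinct alerts, while a burst of identical events from one endpoint collapses to one alert per window.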
## ⚡ Quick Start

```
# Clone the repository
git clone https://github.com/RohitKumarReddySakam/guardian-edr.git
cd guardian-edr

# Set up
python3 -m venv venv && source venv/bin/activate
pip install -r requirements.txt
cp .env.example .env

# Run
python app.py   # → http://localhost:5004
```

### 🐳 Docker

```
git clone https://github.com/RohitKumarReddySakam/guardian-edr.git
cd guardian-edr
docker build -t guardian-edr .
docker run -p 5004:5004 guardian-edr
```

## 🔌 API Reference

```
# Register an endpoint
POST /api/endpoint/register
{"hostname": "WORKSTATION-01", "os": "Windows 10", "ip_address": "192.168.1.50"}

# Submit an event
POST /api/event
{
  "endpoint_id": "",
  "process_name": "powershell.exe",
  "cmdline": "powershell -enc SQBFAFgA",
  "username": "user",
  "network_dst_port": null
}

# Batch ingestion (up to 1000 events)
POST /api/event/batch

# Execute a response action
POST /api/response
{"action": "isolate_endpoint", "target": "192.168.1.50", "alert_id": ""}

# Metrics
GET /api/metrics
```

## 📁 Project Structure

```
guardian-edr/
├── app.py                    # Flask application & REST API
├── wsgi.py                   # Gunicorn entry point
├── config.py
├── requirements.txt
├── Dockerfile
│
├── core/
│   ├── rule_engine.py        # YAML detection rule engine
│   ├── threat_classifier.py  # Heuristic ML classifier
│   ├── event_processor.py    # Telemetry normalization
│   ├── alert_manager.py      # Deduplication & lifecycle
│   └── response_actions.py   # Automated response engine
│
├── rules/
│   ├── persistence_rules.yaml
│   ├── lateral_movement_rules.yaml
│   └── exfiltration_rules.yaml
│
├── templates/                # Dashboard, Endpoints, Alerts
├── static/                   # CSS + JavaScript
└── tests/                    # 9 pytest tests
```

## 👨‍💻 Author
**Rohit Kumar Reddy Sakam**
*DevSecOps Engineer & Security Researcher*

[![LinkedIn](https://img.shields.io/badge/LinkedIn-Rohit_Kumar_Reddy_Sakam-0077B5?style=for-the-badge&logo=linkedin&logoColor=white)](https://linkedin.com/in/rohitkumarreddysakam) [![GitHub](https://img.shields.io/badge/GitHub-RohitKumarReddySakam-181717?style=for-the-badge&logo=github&logoColor=white)](https://github.com/RohitKumarReddySakam) [![Portfolio](https://img.shields.io/badge/Portfolio-srkrcyber.com-64FFDA?style=for-the-badge&logo=safari&logoColor=black)](https://srkrcyber.com)
**⭐ If this project helped you, please give it a star!**

[![Star](https://img.shields.io/github/stars/RohitKumarReddySakam/guardian-edr?style=social)](https://github.com/RohitKumarReddySakam/guardian-edr)

MIT License © 2025 Rohit Kumar Reddy Sakam
Tags: AMSI bypass, Cloudflare, Docker containerization, EDR, Flask framework, FTP vulnerability scanning, JSON Lines, MITRE ATT&CK, Python 3.11, Python security tools, Shannon entropy, Sigma rules, StruQ, Syslog, YAML rules, forensic collection, heuristic ML, hash blocking, response automation, threat detection, security orchestration, real-time telemetry, open-source EDR, anomaly detection, no API dependencies, log aggregation, machine learning classifier, detection rules, air-gap security, target import, offline deployment, endpoint detection and response, endpoint protection, network information gathering, network asset discovery, vulnerability assessment, unpacking tools, automated response, request interception, lightweight security, process termination, process isolation, process risk scoring, reverse engineering tools, zero trust