swar09/aigis-zero

# project-edr 一个从零开始构建的本土化端点检测与响应系统。 ## 这是什么 一个实时的 EDR，用于监控端点的可疑活动，将遥测数据流式传输到中央服务器，运行检测规则，并通过实时仪表板向安全运营人员展示警报。 ## 技术栈 | 层级 | 技术 | |---|---| | Agent | Rust, eBPF (aya), OSQuery | | Fleet Server | Rust, gRPC (tonic), PostgreSQL | | Message Bus | Apache Kafka | | Pipeline | Rust, rdkafka, sqlx | | Rule Engine | Rust, YARA (yara-x) | | API | Rust, Axum, WebSocket | | Frontend | React, TypeScript, Vite | | Infra | Docker Compose, Kubernetes | ## 架构 ``` flowchart LR A["Agent\n(eBPF + OSQuery)"] -->|gRPC| F["Fleet Server"] F -->|produce| K["Kafka"] K -->|consume| P["Pipeline"] P -->|write| DB[("PostgreSQL")] P -->|produce| K K -->|consume| R["Rule Engine"] R -->|alerts| K R -->|write| DB K -->|consume| API["API Backend"] API -->|WebSocket| FE["Frontend"] FE -->|REST| API API -->|commands| F ``` ## 结构 ``` sdk/ shared types, proto definitions agent/ endpoint agent (cargo workspace, 6 crates) fleet-server/ gRPC server for agent enrollment + streaming kafka-pipeline/ event normalisation + DB persistence rule-engine/ YARA scanning + MITRE ATT&CK mapping api-backend/ REST API + WebSocket for dashboard frontend/ React operator dashboard infra/ docker-compose, k8s, terraform ``` ## 快速开始 ``` # 启动 infrastructure cd infra && docker-compose up -d # 构建所有 Rust 服务 cargo build --workspace # 运行特定服务 cargo run -p edr-fleet-server ``` ## 文档 - [实施指南](EDR_IMPLEMENTATION_GUIDE.md) - [时间线](TIMELINE.md) - [测试计划](tests/TEST_PLAN.md)

标签：Kafka, React, Rust, SonarQube插件, Syscalls, YARA, 云资产可视化, 代理服务器, 可视化界面, 子域名突变, 测试用例, 版权保护, 终端检测与响应, 网络流量审计, 软件成分分析, 通知系统