A Linux-based CLI tool for real-time system call monitoring with security alerts, inspired by APT/malware detection patterns.
- Real-time system call monitoring with process context
- Malicious pattern detection (customizable rules)
- Visual and audible alerts for suspicious activity
- Process tree visualization (PID/PPID tracking)
- Whitelisting for trusted processes
- Export capabilities (JSON/CSV)
- Metasploit-like CLI interface with rich visualization
- Linux Kernel 4.4+ (recommended: 5.10+)
- Python 3.8+
- auditd framework
- Root privileges
Clone the repository and install the Python dependencies:

```shell
git clone https://github.com/yourusername/sysmon.git
cd sysmon
# Python packages
pip install -r requirements.txt
```
```shell
# System packages (Kali/Debian)
sudo apt update
sudo apt install auditd python3-psutil python3-tk
sudo apt install linux-headers-$(uname -r)
```

Note that `psutil` is not an apt package name; the Debian package is `python3-psutil`. If you prefer to install it with pip, do so inside a virtualenv, since current Debian/Kali Python installs refuse system-wide pip installs.

```shell
# Start auditd service
sudo systemctl start auditd
sudo systemctl enable auditd
```

```shell
# Add monitoring rules
sudo auditctl -a always,exit -F arch=b64 -S execve -k process_monitor
sudo auditctl -a always,exit -F arch=b64 -S ptrace -k process_monitor
```

State the architecture explicitly: without `-F arch=...` auditctl warns about a 32/64-bit syscall mismatch, and on a 64-bit host a second pair of rules with `-F arch=b32` is needed to catch 32-bit binaries. Rules added with `auditctl` are lost on reboot; to make them persistent, put the same lines (without the leading `auditctl`) in a file under `/etc/audit/rules.d/` and load them with `sudo augenrules --load`. Verify the loaded rules with `sudo auditctl -l`.

Edit the configuration files in the `config/` directory:
malicious_patterns.yaml

```yaml
syscalls:
  - execve
  - ptrace
  - openat
  - keyctl
dangerous_args:
  - "O_WRONLY"
  - "PROT_EXEC"
  - "/dev/shm"
```

`O_WRONLY` and `PROT_EXEC` are symbolic names: the raw audit.log stores syscall arguments (`a0`..`a3`) as hex values, and these strings only appear in interpreted output such as `ausearch -i`. A pattern for them must either run against interpreted records or decode the flag bits from the raw arguments.

whitelist.yaml
```yaml
pids:
  - 1      # systemd
  - 1234   # your trusted process
processes:
  - "sshd"
  - "bash"
commands:
  - "sudo apt update"
```

Whitelist entries are trust decisions, so keep them tight. PIDs are reused after a process exits, so a numeric PID entry is only valid for the lifetime of that particular process. Entries under `processes` match on the process name, which an attacker can choose simply by naming a binary accordingly (`/dev/shm/bash` would match "bash"). Prefer whitelisting full commands, and do not whitelist a shell such as `bash` if you want to see what it executes.

Basic Monitoring
```shell
sudo python3 sysmon.py
```

With Sound Alerts

```shell
sudo python3 sysmon.py --sound
```
Main Menu:
1. Live Monitoring - Real-time system call display
2. View Security Alerts - Show triggered alerts
3. Export Logs - Save logs to JSON/CSV
4. Exit - Quit program
Ctrl+C - Exit program and auto-save logs
↑/↓ - Navigate menus
Enter - Select option
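The rule evaluation that the two config files above describe, as an added worked example in Python (this is example code written for this README, not sysmon's own implementation). It parses raw audit.log records tagged with the `process_monitor` key, groups the SYSCALL/EXECVE/PATH records of one event by their serial number, decodes the raw hex flags for the `O_WRONLY` and `PROT_EXEC` patterns, and applies the whitelist. The log excerpt is constructed, the syscall numbers are the x86_64 table, and the rule that a whitelist match never suppresses a dangerous-argument hit is this example's own design choice.

```python
"""Evaluate auditd events against sysmon-style pattern and whitelist rules.
Added example for this README, not sysmon's own code."""
import re
from collections import defaultdict

# Subset of the x86_64 syscall table (arch=c000003e); other arches differ.
SYSCALL_NAMES_X86_64 = {9: "mmap", 10: "mprotect", 59: "execve", 101: "ptrace",
                        250: "keyctl", 257: "openat", 319: "memfd_create"}
# Flag bits as they appear (hex) in the raw a0..a3 fields on x86_64.
O_WRONLY, PROT_EXEC = 0x1, 0x4

# Mirrors config/malicious_patterns.yaml and config/whitelist.yaml above.
PATTERNS = {"syscalls": ["execve", "ptrace", "openat", "keyctl"],
            "dangerous_args": ["O_WRONLY", "PROT_EXEC", "/dev/shm"]}
WHITELIST = {"pids": [1, 1234], "processes": ["sshd", "bash"],
             "commands": ["sudo apt update"]}

HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): ")
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_record(line):
    """Turn one audit.log line into a dict of its key=value fields."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = {"type": m.group(1), "serial": int(m.group(3))}
    for key, raw, quoted in FIELD_RE.findall(line[m.end():]):
        rec[key] = quoted if raw.startswith('"') else raw
    return rec

def group_events(lines):
    """auditd splits one syscall into several records that share a serial."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line.strip())
        if rec:
            events[rec["serial"]].append(rec)
    return events

def decoded_flags(name, sc):
    """The raw log stores flags as hex; decode the bits the patterns name."""
    found = []
    if name == "openat" and int(sc.get("a2", "0"), 16) & O_WRONLY:
        found.append("O_WRONLY")      # a2 of openat() is the flags word
    if name in ("mmap", "mprotect") and int(sc.get("a2", "0"), 16) & PROT_EXEC:
        found.append("PROT_EXEC")     # a2 of mmap()/mprotect() is prot
    return found

def evaluate_event(records, patterns=PATTERNS, whitelist=WHITELIST):
    """Return an alert dict for one event, or None if benign or whitelisted."""
    sc = next((r for r in records if r["type"] == "SYSCALL"), None)
    if sc is None:
        return None
    name = SYSCALL_NAMES_X86_64.get(int(sc.get("syscall", -1)), "unknown")
    argv = []
    for r in records:
        if r["type"] == "EXECVE":
            argv = [r.get(f"a{i}", "") for i in range(int(r.get("argc", 0)))]
    cmdline = " ".join(argv)
    paths = [r.get("name", "") for r in records if r["type"] == "PATH"]
    haystack = [cmdline, sc.get("exe", "")] + paths
    reasons = []
    if name in patterns["syscalls"]:
        reasons.append(f"monitored syscall {name}")
    flags = decoded_flags(name, sc)
    for needle in patterns["dangerous_args"]:
        if needle in flags or any(needle in h for h in haystack):
            reasons.append(f"dangerous argument {needle}")
    if not reasons:
        return None
    pid = int(sc.get("pid", 0))
    whitelisted = (pid in whitelist["pids"]
                   or sc.get("comm") in whitelist["processes"]
                   or cmdline in whitelist["commands"])
    # Design choice of this example: a whitelist hit only silences "monitored
    # syscall" noise. comm and argv are attacker-chosen (any binary can call
    # itself bash), so dangerous-argument hits are reported regardless.
    if whitelisted and all(r.startswith("monitored") for r in reasons):
        return None
    return {"serial": sc["serial"], "syscall": name, "pid": pid,
            "ppid": int(sc.get("ppid", 0)), "comm": sc.get("comm", ""),
            "exe": sc.get("exe", ""), "cmdline": cmdline, "reasons": reasons}

def scan(log_text, patterns=PATTERNS, whitelist=WHITELIST):
    """Evaluate every event in an audit.log excerpt; return alerts in serial order."""
    events = group_events(log_text.splitlines())
    alerts = [evaluate_event(events[s], patterns, whitelist) for s in sorted(events)]
    return [a for a in alerts if a]

# Constructed audit.log excerpt (not captured from a real host).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.100:1001): arch=c000003e syscall=59 success=yes exit=0 a0=55d0 a1=55d1 a2=55d2 a3=0 items=2 ppid=1999 pid=2001 auid=1000 uid=0 comm="sudo" exe="/usr/bin/sudo" key="process_monitor"
type=EXECVE msg=audit(1700000000.100:1001): argc=3 a0="sudo" a1="apt" a2="update"
type=PATH msg=audit(1700000000.100:1001): item=0 name="/usr/bin/sudo" inode=1 mode=0104755
type=SYSCALL msg=audit(1700000000.200:1002): arch=c000003e syscall=59 success=yes exit=0 a0=7f00 a1=7f01 a2=7f02 a3=0 items=2 ppid=2001 pid=2042 auid=1000 uid=1000 comm="bash" exe="/dev/shm/.x" key="process_monitor"
type=EXECVE msg=audit(1700000000.200:1002): argc=1 a0="/dev/shm/.x"
type=PATH msg=audit(1700000000.200:1002): item=0 name="/dev/shm/.x" inode=2 mode=0100755
type=SYSCALL msg=audit(1700000000.300:1003): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=1b2 a2=0 a3=0 items=0 ppid=1200 pid=1234 auid=1000 uid=1000 comm="gdb" exe="/usr/bin/gdb" key="process_monitor"
type=SYSCALL msg=audit(1700000000.400:1004): arch=c000003e syscall=10 success=yes exit=0 a0=7f9c0000 a1=1000 a2=7 a3=0 items=0 ppid=2001 pid=2077 auid=1000 uid=1000 comm="python3" exe="/usr/bin/python3.11" key="process_monitor"
type=SYSCALL msg=audit(1700000000.500:1005): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=55e0 a2=241 a3=1b6 items=1 ppid=2999 pid=3000 auid=4294967295 uid=0 comm="sshd" exe="/usr/sbin/sshd" key="process_monitor"
type=PATH msg=audit(1700000000.500:1005): item=0 name="/var/log/btmp" inode=5 mode=0100660
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_AUDIT_LOG):
        print(f"[ALERT] event {a['serial']} {a['syscall']} pid={a['pid']} ppid={a['ppid']} "
              f"comm={a['comm']} exe={a['exe']}: {', '.join(a['reasons'])}")
```

Run against the constructed excerpt, the `sudo apt update` execve (whitelisted command) and the ptrace by PID 1234 (whitelisted PID) are suppressed, while the execve from `/dev/shm` (even though its comm is the whitelisted "bash"), the `mprotect` with `PROT_EXEC`, and the `openat` with `O_WRONLY` by `sshd` are reported. To use it on a live host, feed it `sudo ausearch -k process_monitor --raw` output instead of the sample; the `openat` and `mprotect` events only appear if you have loaded audit rules for those syscalls as well.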
MIT License - See LICENSE for details
This tool is for educational and authorized security testing purposes only. Misuse of this software is strictly prohibited.