Spyderbat Nano Agent

Nano Agent operational principles, compatibility, network requirements and proxy support, general FAQ

How does Spyderbat collect data?

Spyderbat collects data by deploying a lightweight “Nano Agent” for Linux based systems. The agent leverages eBPF (“extended Berkeley Packet Filter”) filters to build a continuous map of activity within and across systems.

Why do I need to install an agent?

Existing endpoint agents and system logs do not include the necessary information required by Spyderbat to build a complete, living map of causal activity within and across systems. Spyderbat’s Nano Agent is optimized to collect this information so that analysts can see the complete causal attack picture across systems, users, and time.

What is the impact of the Spyderbat Nano Agent on the system?

Spyderbat has observed minimal impact on system resources (CPU, memory), and minimal network bandwidth impact due to heavy compression.

What operating systems are currently supported?

Spyderbat currently supports the following Linux systems:

AlmaLinux 9x86_64

Amazon Linux 2

x86_64 / ARM64

Amazon Linux 2022

x86_64 / ARM64

Amazon Linux 2023

x86_64

Amazon Linux Bottlerocket

x86_64

CentOS 7 up to 7.6 (with El Repo LT)

x86_64

CentOS 7.6+ (with Kernel 3.10.0-957+)

x86_64

CentOS 8

x86_64

Debian 11

x86_64

Debian 12

x86_64

Flatcar Container Linux (3227.2.1; 3374.2.3)

x86_64

Google Container-Optimized OS (GCOS)

x86_64

Kali 2021.2

x86_64

RHEL 7.6+ (with Kernel 3.10.0-957+)

x86_64

RHEL 8

x86_64

RHEL 9

x86_64

Rocky Linux 8

x86_64

Rocky Linux 9

x86_64

Sangoma 16 (with El Repo LT)

x86_64

Ubuntu 18.04. LTS

x86_64

Ubuntu 20 Desktop

x86_64

Ubuntu 20.04 LTS

x86_64 / ARM64

Ubuntu 20.10

x86_64

Ubuntu 22.04

x86_64

Ubuntu 24.04

x86_64

What K8s Distributions are currently supported?

Spyderbat Nano Agents can be currently installed on the K8s clusters utilizing the following distributions:

K8s DistributionNode Operating SystemContainer Runtime

EKS

Amazon Linux 2 Bottlerocket

containerd or Docker

GKE

Ubuntu GCOS

containerd

Rancher K3s

Ubuntu 20 LTS

containerd or Docker

MicroK8s

Ubuntu 22 LTS

containerd

What are the Nano Agent’s network requirements?

Ensure that the systems running the Nano Agent have outbound access on port 443 to https://orc.spyderbat.com.

Does the Nano Agent support network proxies?

Yes. If you have a proxy configured and you have Linux environment variables like:

    https_proxy=:port

The installation script will automatically grab the environment variables from your terminal using the “-E” flag and pass those to the agent as required.

Is information sent securely from the Nano Agent?

Yes. Spyderbat securely encrypts information sent by the Nano Agent to the Spyderbat backend using TLS.

Does the Nano Agent support systems hosted in AWS?

The Nano Agent can be installed on any of the supported systems listed above as virtual or physical machines. Additionally, the Nano Agent collects metadata from AWS instances such as Cloud Tags, Region, Zone etc. To collect this metadata, ensure your AWS instances have an appropriate IAM (read only) role assigned to them such as “AmazonEC2ReadOnlyAccess”, see https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/security-iam-awsmanpol.html

How do I start and stop the Nano Agent from the command line?

To start the Nano Agent:

  sudo systemctl stop nano_agent.service

To stop the Nano Agent:

  sudo systemctl start nano_agent.service

Last updated

© SPYDERBAT, Inc., All Rights Reserved