Spyderbat Nano Agent
Nano Agent operational principles, compatibility, network requirements and proxy support, general FAQ
Last updated
Was this helpful?
Nano Agent operational principles, compatibility, network requirements and proxy support, general FAQ
Last updated
Was this helpful?
Spyderbat collects data by deploying a lightweight “Nano Agent” for Linux based systems. The agent leverages (“extended Berkeley Packet Filter”) filters to build a continuous map of activity within and across systems.
Existing endpoint agents and system logs do not include the necessary information required by Spyderbat to build a complete, living map of causal activity within and across systems. Spyderbat’s Nano Agent is optimized to collect this information so that analysts can see the complete causal attack picture across systems, users, and time.
Spyderbat has observed minimal impact on system resources (CPU, memory), and minimal network bandwidth impact due to heavy compression.
Spyderbat currently supports the following Linux systems:
Amazon Linux 2
x86_64 / ARM64
Amazon Linux 2022
x86_64 / ARM64
Amazon Linux 2023
x86_64
Amazon Linux Bottlerocket
x86_64
CentOS 7 up to 7.6 (with El Repo LT)
x86_64
CentOS 7.6+ (with Kernel 3.10.0-957+)
x86_64
CentOS 8
x86_64
Debian 11
x86_64
Debian 12
x86_64
Flatcar Container Linux (3227.2.1; 3374.2.3)
x86_64
Google Container-Optimized OS (GCOS)
x86_64
Kali 2021.2
x86_64
RHEL 7.6+ (with Kernel 3.10.0-957+)
x86_64
RHEL 8
x86_64
RHEL 9
x86_64
Rocky Linux 8
x86_64
Rocky Linux 9
x86_64
Sangoma 16 (with El Repo LT)
x86_64
Ubuntu 18.04. LTS
x86_64
Ubuntu 20 Desktop
x86_64
Ubuntu 20.04 LTS
x86_64 / ARM64
Ubuntu 20.10
x86_64
Ubuntu 22.04
x86_64
Ubuntu 24.04
x86_64
Spyderbat Nano Agents can be currently installed on the K8s clusters utilizing the following distributions:
EKS
Amazon Linux 2 Bottlerocket
containerd or Docker
GKE
Ubuntu GCOS
containerd
Rancher K3s
Ubuntu 20 LTS
containerd or Docker
MicroK8s
Ubuntu 22 LTS
containerd
Ensure that the systems running the Nano Agent have outbound access on port 443 to https://orc.spyderbat.com.
Yes. If you have a proxy configured and you have Linux environment variables like:
The installation script will automatically grab the environment variables from your terminal using the “-E” flag and pass those to the agent as required.
Yes. Spyderbat securely encrypts information sent by the Nano Agent to the Spyderbat backend using TLS.
The Nano Agent can be installed on any of the supported systems listed above as virtual or physical machines. Additionally, the Nano Agent collects metadata from AWS instances such as Cloud Tags, Region, Zone etc. To collect this metadata, ensure your AWS instances have an appropriate IAM (read only) role assigned to them such as “AmazonEC2ReadOnlyAccess”, see https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/security-iam-awsmanpol.html
To start the Nano Agent:
To stop the Nano Agent: