Spyderbat Nano Agent
Nano Agent operational principles, compatibility, network requirements and proxy support, general FAQ
How does Spyderbat collect data?
Spyderbat collects data by deploying a lightweight “Nano Agent” for Linux based systems. The agent leverages eBPF (“extended Berkeley Packet Filter”) filters to build a continuous map of activity within and across systems.
Why do I need to install an agent?
Existing endpoint agents and system logs do not include the necessary information required by Spyderbat to build a complete, living map of causal activity within and across systems. Spyderbat’s Nano Agent is optimized to collect this information so that analysts can see the complete causal attack picture across systems, users, and time.
What is the impact of the Spyderbat Nano Agent on the system?
Spyderbat has observed minimal impact on system resources (CPU, memory), and minimal network bandwidth impact due to heavy compression.
What operating systems are currently supported?
Spyderbat currently supports the following Linux systems:
Amazon Linux 2
x86_64 / ARM64
Amazon Linux 2022
x86_64 / ARM64
Amazon Linux 2023
x86_64
Amazon Linux Bottlerocket
x86_64
CentOS 7 up to 7.6 (with El Repo LT)
x86_64
CentOS 7.6+ (with Kernel 3.10.0-957+)
x86_64
CentOS 8
x86_64
Debian 11
x86_64
Debian 12
x86_64
Flatcar Container Linux (3227.2.1; 3374.2.3)
x86_64
Google Container-Optimized OS (GCOS)
x86_64
Kali 2021.2
x86_64
RHEL 7.6+ (with Kernel 3.10.0-957+)
x86_64
RHEL 8
x86_64
RHEL 9
x86_64
Rocky Linux 8
x86_64
Rocky Linux 9
x86_64
Sangoma 16 (with El Repo LT)
x86_64
Ubuntu 18.04. LTS
x86_64
Ubuntu 20 Desktop
x86_64
Ubuntu 20.04 LTS
x86_64 / ARM64
Ubuntu 20.10
x86_64
Ubuntu 22.04
x86_64
Ubuntu 24.04
x86_64
What K8s Distributions are currently supported?
Spyderbat Nano Agents can be currently installed on the K8s clusters utilizing the following distributions:
EKS
Amazon Linux 2 Bottlerocket
containerd or Docker
GKE
Ubuntu GCOS
containerd
Rancher K3s
Ubuntu 20 LTS
containerd or Docker
MicroK8s
Ubuntu 22 LTS
containerd
What are the Nano Agent’s network requirements?
Ensure that the systems running the Nano Agent have outbound access on port 443 to https://orc.spyderbat.com.
Does the Nano Agent support network proxies?
Yes. If you have a proxy configured and you have Linux environment variables like:
The installation script will automatically grab the environment variables from your terminal using the “-E” flag and pass those to the agent as required.
Is information sent securely from the Nano Agent?
Yes. Spyderbat securely encrypts information sent by the Nano Agent to the Spyderbat backend using TLS.
Does the Nano Agent support systems hosted in AWS?
The Nano Agent can be installed on any of the supported systems listed above as virtual or physical machines. Additionally, the Nano Agent collects metadata from AWS instances such as Cloud Tags, Region, Zone etc. To collect this metadata, ensure your AWS instances have an appropriate IAM (read only) role assigned to them such as “AmazonEC2ReadOnlyAccess”, see https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/security-iam-awsmanpol.html
How do I start and stop the Nano Agent from the command line?
To start the Nano Agent:
To stop the Nano Agent:
Last updated