Detects if any running pid uses AF_ALG, to help with https://copy.fail mitigations (seeing if it's safe to turn off the AF_ALG module)

2 stars · Go

Detecting running processes using AF_ALG

by Nullence·May 2, 2026·1 point·0 comments

AI Analysis

Solid · Niche Gem · Ship It

Faster JSON output for AF_ALG detection than piping lsof through grep.

Strengths
  • Static binaries provided for all major Linux architectures out of the box.
  • Streaming mode allows real-time monitoring of socket usage during scans.
  • Directly addresses the specific copy.fail exploit mitigation workflow.
Weaknesses
  • Extremely narrow utility window; useless once AF_ALG is disabled or patched.
  • Lacks advanced filtering or integration with existing SIEM tools.
Target Audience

Linux system administrators and security engineers

Similar To

lsof · ss · netstat

Post Description

With copy.fail going around, turning off extra surface area like the whole AF_ALG kernel module could be useful. This tool generates a list of pids and their fds that have a running AF_ALG socket.

Faster than using lsof | grep ALG, compiled for all the Linux archs, and the result is in an easily parsable format.

Hopefully this is helpful to folks!
