From 07b4d5a47a0b0d85cd6c57587500287f241d3d41 Mon Sep 17 00:00:00 2001
From: Aldo Lacuku
Date: Mon, 20 Jun 2022 10:33:44 +0200
Subject: [PATCH] fix(rules): use exit event in reverse shell detection rule

In some cases the rule is not triggered when a reverse shell is spawned. That's because in the rule we are checking that the file descriptor passed as argument to the dup functions is of type socket and its fd number is "0, 1, or 2" and the event direction is "enter". The following event does not trigger the rule: dup2(socket_fd, STDIN_FILENO); But using the exit event the rule is triggered.

Signed-off-by: Aldo Lacuku
---
 rules/falco_rules.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 77e24e0a..1b7c6113 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -2985,7 +2985,7 @@
 - rule: Redirect STDOUT/STDIN to Network Connection in Container
   desc: Detect redirecting stdout/stdin to network connection in container (potential reverse shell).
-  condition: evt.type=dup and evt.dir=> and container and fd.num in (0, 1, 2) and fd.type in ("ipv4", "ipv6") and not user_known_stand_streams_redirect_activities
+  condition: evt.type in (dup, dup2, dup3) and container and evt.rawres in (0, 1, 2) and fd.type in ("ipv4", "ipv6") and not user_known_stand_streams_redirect_activities
   output: >
     Redirect stdout/stdin to network connection (user=%user.name user_loginuid=%user.loginuid %container.info process=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty container_id=%container.id image=%container.image.repository fd.name=%fd.name fd.num=%fd.num fd.type=%fd.type fd.sip=%fd.sip)
   priority: WARNING
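Review bot: The new `condition` drops `evt.dir` entirely, so the rule is now evaluated on both the enter and the exit event of dup/dup2/dup3 and only avoids matching on the enter side because `evt.rawres` presumably cannot be extracted there; since the commit message says the fix is to use the exit event, make that explicit and cheaper to evaluate with `condition: evt.type in (dup, dup2, dup3) and evt.dir=< and container and evt.rawres in (0, 1, 2) and fd.type in ("ipv4", "ipv6") and not user_known_stand_streams_redirect_activities`. A short YAML comment above the condition would stop the next maintainer from reverting to `fd.num`, e.g. `# Evaluated on the exit event: evt.rawres is the new fd (0/1/2). On the enter event fd.num is the *source* socket, so the old check never fired for dup2(sock, 0).`. The output still prints `fd.num=%fd.num`; on an exit event it is worth confirming this reports the duplicated descriptor rather than the source socket, otherwise `%evt.rawres` is the unambiguous value to show in the alert. The rule definition may continue past `priority: WARNING` (e.g. a tags line) outside this hunk.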