Rules changes 2019 04.v6 (#580)

* Remove netstat as a generic network program

We'll try to limit the list to programs that can broadly see activity or
actually create traffic.

* Rules for inbound conn sources, not outbound

Replace "Unexpected outbound connection source" with "Unexpected inbound
connection source" to watch inbound connections by source instead of
outbound connections by source. The rule itself is pretty much unchanged
other than switching to using cip/cnet instead of sip/snet.

Expand the supporting macros so they include outbound/inbound in the
name, to make it clearer.

rules/falco_rules.yaml

@@ -357,43 +357,46 @@
   condition: (never_true)
 
 # Note that this can be either individual IPs or netmasks
-- list: allowed_destination_ipaddrs
+- list: allowed_outbound_destination_ipaddrs
   items: ['"127.0.0.1"', '"8.8.8.8"']
 
-- list: allowed_destination_networks
+- list: allowed_outbound_destination_networks
   items: ['"127.0.0.1/8"']
 
-- list: allowed_destination_domains
+- list: allowed_outbound_destination_domains
   items: [google.com, www.yahoo.com]
 
 - rule: Unexpected outbound connection destination
   desc: Detect any outbound connection to a destination outside of an allowed set of ips, networks, or domain names
   condition: >
     consider_all_outbound_conns and outbound and not
-    ((fd.sip in (allowed_destination_ipaddrs)) or
-     (fd.snet in (allowed_destination_networks)) or
-     (fd.sip.name in (allowed_destination_domains)))
+    ((fd.sip in (allowed_outbound_destination_ipaddrs)) or
+     (fd.snet in (allowed_outbound_destination_networks)) or
+     (fd.sip.name in (allowed_outbound_destination_domains)))
   output: Disallowed outbound connection destination (command=%proc.cmdline connection=%fd.name user=%user.name)
   priority: NOTICE
   tags: [network]
 
-- list: allowed_source_ipaddrs
+- macro: consider_all_inbound_conns
+  condition: (never_true)
+
+- list: allowed_inbound_source_ipaddrs
   items: ['"127.0.0.1"']
 
-- list: allowed_source_networks
+- list: allowed_inbound_source_networks
   items: ['"127.0.0.1/8"', '"10.0.0.0/8"']
 
-- list: allowed_source_domains
+- list: allowed_inbound_source_domains
   items: [google.com]
 
-- rule: Unexpected outbound connection source
-  desc: Detect any outbound connection from a source outside of an allowed set of ips, networks, or domain names
+- rule: Unexpected inbound connection source
+  desc: Detect any inbound connection from a source outside of an allowed set of ips, networks, or domain names
   condition: >
-    consider_all_outbound_conns and outbound and not
-    ((fd.cip in (allowed_source_ipaddrs)) or
-     (fd.cnet in (allowed_source_networks)) or
-     (fd.cip.name in (allowed_source_domains)))
-  output: Disallowed outbound connection source (command=%proc.cmdline connection=%fd.name user=%user.name)
+    consider_all_inbound_conns and inbound and not
+    ((fd.cip in (allowed_inbound_source_ipaddrs)) or
+     (fd.cnet in (allowed_inbound_source_networks)) or
+     (fd.cip.name in (allowed_inbound_source_domains)))
+  output: Disallowed inbound connection source (command=%proc.cmdline connection=%fd.name user=%user.name)
   priority: NOTICE
   tags: [network]
 
@@ -2082,7 +2085,7 @@
   tags: [network, k8s, container, mitre_port_knocking]
 
 - list: network_tool_binaries
-  items: [nc, ncat, nmap, dig, netstat, tcpdump, tshark, ngrep]
+  items: [nc, ncat, nmap, dig, tcpdump, tshark, ngrep]
 
 - macro: network_tool_procs
   condition: proc.name in (network_tool_binaries)