Add more services to rules file

(HBase, Kafka, Memcached, MongoDB)
Henri DF 2016-03-24 17:52:22 -07:00
parent 1d1a14acf9
commit 1e003fc0a6


@ -204,4 +204,36 @@ user.name = td-agent and outbound and not fluentd_forward_port | %evt.time: Unex
# http://gearman.org/protocol/
user.name = gearman and outbound and outbound and not fd.sport = 4730 | %evt.time: Unexpected Gearman outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# Zookeeper
zookeeper_port: 2181
# HBase ports
# http://blog.cloudera.com/blog/2013/07/guide-to-using-apache-hbase-ports/
hbase_master_port: fd.sport = 60000
hbase_master_info_port: fd.sport = 60010
hbase_regionserver_port: fd.sport = 60020
hbase_regionserver_info_port: fd.sport = 60030
hbase_rest_port: fd.sport = 8080
hbase_rest_info_port: fd.sport = 8085
hbase_regionserver_thrift_port: fd.sport = 9090
hbase_thrift_info_port: fd.sport = 9095
# If you're not running HBase under the 'hbase' user, adjust first expression
# in each rule below
user.name = hbase and inbound and not (hbase_master_port or hbase_master_info_port or hbase_regionserver_port or hbase_regionserver_info_port or hbase_rest_port or hbase_rest_info_port or hbase_regionserver_thrift_port or hbase_thrift_info_port) | %evt.time: Unexpected HBase inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
user.name = hbase and outbound and not (zookeeper_port or hbase_master_port or hbase_regionserver_port) | %evt.time: Unexpected HBase outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# Kafka ports
user.name = kafka and inbound and fd.sport != 9092 | %evt.time: Unexpected Kafka inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# Memcached ports
user.name = memcached and inbound and fd.sport != 11211 | %evt.time: Unexpected Memcached inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# MongoDB ports
mongodb_server_port: fd.sport = 27017
mongodb_shardserver_port: fd.sport = 27018
mongodb_configserver_port: fd.sport = 27019
mongodb_webserver_port: fd.sport = 28017
user.name = mongodb and inbound and not (mongodb_server_port or mongodb_shardserver_port or mongodb_configserver_port or mongodb_webserver_port) | %evt.time: Unexpected MongoDF inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
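Review bot: `zookeeper_port: 2181` is a bare number, while every other port macro in this section is a full comparison (`fd.sport = ...`). As a result, `not (zookeeper_port or hbase_master_port or hbase_regionserver_port)` in the HBase outbound rule does not expand to a port test for ZooKeeper. Unless the rule engine gives a bare literal a special meaning, it should read `zookeeper_port: fd.sport = 2181`. The MongoDB rule's output string says `Unexpected MongoDF inbound port`; it should be `Unexpected MongoDB inbound port`, so that alert searches and downstream matching on the service name hit it. Kafka, Memcached and MongoDB get only an inbound rule, so unexpected outbound connections from those users are not flagged as they are for HBase; if that is deliberate, a one-line comment above those rules would say so.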