github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-06-28 23:57:29 +00:00
Code Issues Projects Releases Wiki Activity

feat: Support for detecting outbound connection to c2 servers with FQDN domains and IP addresses.

Browse Source 
Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

feat: Support for detecting outbound connection to c2 servers with FQDN domains and IP addresses.

doc: add comment

Fixing DCO append amend

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

Revert to original C2 rule name

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

modify comments on C2 rule

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

comment

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

clean comments

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

clean comments

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

modify stdout

Signed-off-by: thedetective <nicolas@lrasc.fr>
This commit is contained in:
Nicolas-Peiffer 2022-10-10 16:41:16 +02:00 committed by poiana
parent 39753b6130
commit 1f15af1e4f
1 changed files with 32 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
rules/falco_rules.yaml
View File

@ -3052,10 +3052,39 @@
- list: c2_server_ip_list - list: c2_server_ip_list
items: [] items: []
- list: c2_server_fqdn_list
items: []
# For example, you can fetch a list of IP addresses and FQDN on this website:
# https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.json.
# Use Falco HELM chart to update (append) the c2 server lists with your values.
# See an example below.
#
# ```yaml
# # values.yaml Falco HELM chart file
# [...]
# customRules:
# c2-servers-list.yaml: |-
# - list: c2_server_ip_list
# append: true
# items:
# - "'51.178.161.32'"
# - "'46.101.90.205'"
#
# - list: c2_server_fqdn_list
# append: true
# items:
# - "srv-web.ffconsulting.com"
# - "57.ip-142-44-247.net"
# ```
- rule: Outbound Connection to C2 Servers - rule: Outbound Connection to C2 Servers
desc: Detect outbound connection to command & control servers desc: Detect outbound connection to command & control servers thanks to a list of IP addresses & a list of FQDN.
condition: outbound and fd.sip in (c2_server_ip_list) condition: >
output: Outbound connection to C2 server (command=%proc.cmdline pid=%proc.pid connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository) outbound and
((fd.sip in (c2_server_ip_list)) or
(fd.sip.name in (c2_server_fqdn_list)))
output: Outbound connection to C2 server (c2_domain=%fd.sip.name c2_addr=%fd.sip command=%proc.cmdline connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository)
priority: WARNING priority: WARNING
tags: [network] tags: [network]