From 1fc509d78b2936041a09970bf4d3ac9ea37eb87e Mon Sep 17 00:00:00 2001
From: kaizhe
Date: Tue, 6 Aug 2019 12:03:41 -0700
Subject: [PATCH] rule update: fine grained sending to mining domain
Signed-off-by: kaizhe
---
 rules/falco_rules.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 50b63efa..bc3c1ced 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -2550,7 +2550,7 @@
 condition: (fd.sport in (miner_ports) and fd.sip.name in (miner_domains))
 - macro: net_miner_pool
- condition: (outbound and ((minerpool_http) or (minerpool_https) or (minerpool_other)))
+ condition: (evt.type in (sendto, sendmsg) and evt.dir=< and ((minerpool_http) or (minerpool_https) or (minerpool_other)))
 - rule: Detect outbound connections to common miner pool ports
 desc: Miners typically connect to miner pools on common ports.
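Review bot: Replacing `outbound` with `evt.type in (sendto, sendmsg) and evt.dir=<` in the net_miner_pool macro narrows coverage to exactly those two syscalls, so a client that connects with connect() and then writes with plain send() or write() on the connected socket will no longer be matched by this macro; if that narrowing is deliberate it needs a comment above the macro, e.g. `# matched on sendto/sendmsg exit only; send()/write() on an already connected socket is not covered`, and if it is not, the event list should be widened. Because sendto/sendmsg events occur per message rather than per connection, rules built on this macro will presumably now fire on every send to a listed pool instead of once at connect time, which changes alert volume and should be noted in the rule desc. The rule that follows is still titled "Detect outbound connections to common miner pool ports" and its desc still speaks of connecting, which no longer describes what the macro tests; its full definition continues past the end of this hunk.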