github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-09-09 02:29:36 +00:00
Code Issues Projects Releases Wiki Activity

rule(Outbound Connection to C2 Servers): Add a new rule to detect outbound connections to c2 servers

Browse Source 
Signed-off-by: kaizhe <derek0405@gmail.com>
This commit is contained in:
kaizhe
2020-10-12 16:47:05 -07:00
committed by poiana
parent 0a33f555eb
commit 47fa7d53c4
1 changed files with 9 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
rules/falco_rules.yaml
View File

@@ -3031,6 +3031,15 @@
output: Drift detected (open+create), new executable created in a container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline filename=%evt.arg.filename name=%evt.arg.name mode=%evt.arg.mode event=%evt.type)
priority: ERROR
- list: c2_server_ip_list
items: []
- rule: Outbound Connection to C2 Servers
desc: Detect outbound connection to command & control servers
condition: outbound and fd.sip in (c2_server_ip_list)
output: Outbound connection to C2 server (command=%proc.cmdline connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository)
priority: WARNING
tags: [network]
# Application rules have moved to application_rules.yaml. Please look
# there if you want to enable them by adding to