From 47fa7d53c43455540ae7ccbe4a1445a93511f723 Mon Sep 17 00:00:00 2001
From: kaizhe
Date: Mon, 12 Oct 2020 16:47:05 -0700
Subject: [PATCH] rule(Outbound Connection to C2 Servers): Add a new rule to detect outbound connections to c2 servers

Signed-off-by: kaizhe
---
 rules/falco_rules.yaml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 60e359a8..d3e8038d 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -3031,6 +3031,15 @@
   output: Drift detected (open+create), new executable created in a container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline filename=%evt.arg.filename name=%evt.arg.name mode=%evt.arg.mode event=%evt.type)
   priority: ERROR
 
+- list: c2_server_ip_list
+  items: []
+
+- rule: Outbound Connection to C2 Servers
+  desc: Detect outbound connection to command & control servers
+  condition: outbound and fd.sip in (c2_server_ip_list)
+  output: Outbound connection to C2 server (command=%proc.cmdline connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository)
+  priority: WARNING
+  tags: [network]
 # Application rules have moved to application_rules.yaml. Please look
 # there if you want to enable them by adding to