github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-09-13 05:22:34 +00:00
Code Issues Projects Releases Wiki Activity

rule(macro consider_packet_socket_communication): change a value to always_true

Browse Source 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
This commit is contained in:
Hiroki Suezawa
2020-09-15 17:36:12 +09:00
committed by poiana
parent 1efa4d3af0
commit 5b926386a8
1 changed files with 4 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
rules/falco_rules.yaml
View File

@@ -2859,17 +2859,16 @@
tags: [container, mitre_execution]
# This rule is not enabled by default, as there are legitimate use
# cases for raw packet. If you want to enable it, modify the
# following macro.
# This rule is enabled by default.
# If you want to disable it, modify the following macro.
- macro: consider_packet_socket_communication
condition: (never_true)
condition: (always_true)
- list: user_known_packet_socket_binaries
items: []
- rule: Packet socket created in container
desc: Detect new packet socket at the device driver (OSI Layer 2) level in a container. Packet socket could be used to do ARP Spoofing by attacker.
desc: Detect new packet socket at the device driver (OSI Layer 2) level in a container. Packet socket could be used for ARP Spoofing and privilege escalation(CVE-2020-14386) by attacker.
condition: evt.type=socket and evt.arg[0]=AF_PACKET and consider_packet_socket_communication and container and not proc.name in (user_known_packet_socket_binaries)
output: Packet socket was created in a container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline socket_info=%evt.args container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
priority: NOTICE