Add a bunch of rules for service ports
parent
773bc3f5d0
commit
6a504c924c
102
rules/base.txt
102
rules/base.txt
@ -43,18 +43,6 @@ sensitive_files: fd.name contains /etc/passwd or fd.name = /etc/sudoers or fd.di
|
||||
inbound: (syscall.type=listen and evt.dir=>) or (syscall.type=accept and evt.dir=<)
|
||||
outbound: ((syscall.type=connect and evt.dir=<) or (syscall.type=sendto and evt.dir=>)) and (fd.typechar=4 or fd.typechar=6)
|
||||
|
||||
active_mq_port: fd.lport=61616
|
||||
active_mq_web_port: fd.lport=8161
|
||||
active_mq: active_mq_port or active_mq_web_port
|
||||
|
||||
cassandra_thrift_client_port: fd.lport=9160
|
||||
cassandra_cql_port: fd.lport=9042
|
||||
cassandra_port: cassandra_thrift_client_port or cassandra_cql_port
|
||||
|
||||
elasticsearch_cluster_port: fd.lport=9300
|
||||
elasticsearch_api_port: fd.lport=9200
|
||||
elasticsearch_port: elasticsearch_cluster_port or elasticsearch_api_port
|
||||
|
||||
ssh_port: fd.lport=22
|
||||
|
||||
# Ssh
|
||||
@ -128,5 +116,91 @@ not proc.name in (su, sudo) and (adduser_binaries or login_binaries or passwd_bi
|
||||
# Some rootkits hide files in /dev
|
||||
(evt.type = creat or evt.arg.flags contains O_CREAT) and fd.directory = /dev and fd.name != /dev/null | %evt.time: file created in /dev (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
|
||||
|
||||
# Example: you might enable this on a node running elasticsearch (tailor to your server type)
|
||||
# inbound and fd.sockfamily = ip and not (ssh_port or elasticsearch_port) and not fd.rip="127.0.0.1" | %evt.time: bad rip (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
|
||||
# Elasticsearch connections ports
|
||||
elasticsearch_cluster_port: fd.sport=9300
|
||||
elasticsearch_api_port: fd.sport=9200
|
||||
elasticsearch_port: elasticsearch_cluster_port or elasticsearch_api_port
|
||||
user.name = elasticsearch and inbound and not elasticsearch_port | %evt.time: Unexpected Elasticsearch inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
|
||||
user.name = elasticsearch and outbound and not elasticsearch_cluster_port | %evt.time: Unexpected Elasticsearch outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
|
||||
|
||||
|
||||
# ActiveMQ connections ports
|
||||
activemq_cluster_port: fd.sport=61616
|
||||
activemq_web_port: fd.sport=8161
|
||||
activemq_port: activemq_web_port or activemq_cluster_port
|
||||
user.name = activemq and inbound and not activemq_port | %evt.time: Unexpected ActiveMQ inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
|
||||
user.name = activemq and outbound and not activemq_cluster_port | %evt.time: Unexpected ActiveMQ outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
|
||||
|
||||
|
||||
# Cassandra connections ports
|
||||
# https://docs.datastax.com/en/cassandra/2.0/cassandra/security/secureFireWall_r.html
|
||||
cassandra_thrift_client_port: fd.sport=9160
|
||||
cassandra_cql_port: fd.sport=9042
|
||||
cassandra_cluster_port: fd.sport=7000
|
||||
cassandra_ssl_cluster_port: fd.sport=7001
|
||||
cassandra_jmx_port: fd.sport=7199
|
||||
cassandra_port: cassandra_thrift_client_port or cassandra_cql_port or cassandra_cluster_port or cassandra_ssl_cluster_port or cassandra_jmx_port
|
||||
|
||||
user.name = cassandra and inbound and not cassandra_port | %evt.time: Unexpected Cassandra inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
|
||||
user.name = cassandra and outbound and not (cassandra_ssl_cluster_port or cassandra_cluster_port) | %evt.time: Unexpected Cassandra outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
|
||||
|
||||
# Couchbase connections ports
|
||||
# http://docs.couchbase.com/admin/admin/Install/install-networkPorts.html
|
||||
# Web Administration Port
|
||||
couchbase_web_port: fd.sport=8091
|
||||
# Couchbase API Port
|
||||
couchbase_api_port: fd.sport=8092
|
||||
# Internal/External Bucket Port for SSL
|
||||
couchbase_ssl_bucket_port: fd.sport=11207
|
||||
# Internal Bucket Port
|
||||
couchbase_bucket_port: fd.sport=11209
|
||||
# Internal/External Bucket Port
|
||||
couchbase_bucket_port_ie: fd.sport=11210
|
||||
# Client interface (proxy)
|
||||
couchbase_client_interface_port: fd.sport=11211
|
||||
# Incoming SSL Proxy
|
||||
couchbase_incoming_ssl: fd.sport=11214
|
||||
# Internal Outgoing SSL Proxy
|
||||
couchbase_outgoing_ssl: fd.sport=11215
|
||||
# Internal REST HTTPS for SSL
|
||||
couchbase_internal_rest_port: fd.sport=18091
|
||||
# Internal CAPI HTTPS for SSL
|
||||
couchbase_internal_capi_port: fd.sport=18092
|
||||
# Erlang Port Mapper ( epmd )
|
||||
couchbase_epmd_port: fd.sport=4369
|
||||
# Node data exchange
|
||||
couchbase_dataexchange_port: fd.sport>=21100 and fd.sport<=21299
|
||||
|
||||
couchbase_internal_port: couchbase_bucket_port or couchbase_epmd_port or couchbase_dataexchange_port
|
||||
couchbase_port: couchbase_web_port or couchbase_api_port or couchbase_ssl_bucket_port or couchbase_internal_port or couchbase_bucket_port_ie or couchbase_client_interface_port or couchbase_incoming_ssl or couchbase_outgoing_ssl or couchbase_internal_rest_port or couchbase_internal_capi_port
|
||||
|
||||
user.name = couchbase and inbound and not couchbase_port | %evt.time: Unexpected Couchbase inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
|
||||
user.name = couchbase and outbound and not couchbase_internal_port | %evt.time: Unexpected Couchbase inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
|
||||
|
||||
|
||||
# Couchdb connections ports
|
||||
# https://github.com/davisp/couchdb/blob/master/etc/couchdb/local.ini
|
||||
couchdb_httpd_port: fd.sport=5984
|
||||
couchdb_httpd_ssl_port: fd.sport=6984
|
||||
# xxx can't tell what clustering ports are used. not writing rules for this
|
||||
# yet.
|
||||
|
||||
# Etcd connections ports
|
||||
etcd_client_port: fd.sport=2379
|
||||
etcd_peer_port: fd.sport=2380
|
||||
# need to double-check which user etcd runs as
|
||||
user.name = etcd and inbound and not (etcd_client_port or etcd_peer_port) | %evt.time: Unexpected Etcd inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
|
||||
user.name = etcd and outbound and not couchbase_internal_port | %evt.time: Unexpected Etcd outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
|
||||
|
||||
|
||||
# Fluentd connections ports
|
||||
fluentd_http_port: fd.sport=9880
|
||||
fluentd_forward_port: fd.sport=24224
|
||||
user.name = td-agent and inbound and not (fluentd_forward_port or fluentd_http_port) | %evt.time: Unexpected Fluentd inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
|
||||
user.name = td-agent and outbound and not fluentd_forward_port | %evt.time: Unexpected Fluentd outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
|
||||
|
||||
# Gearman ports
|
||||
# http://gearman.org/protocol/
|
||||
user.name = gearman and outbound and outbound and not fd.sport = 4730 | %evt.time: Unexpected Gearman outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
|
||||
|
||||
|
||||
|
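Review bot: The etcd outbound rule negates `couchbase_internal_port` instead of an etcd macro, so an etcd process connecting to a peer on 2380 would raise "Unexpected Etcd outbound port" while connections to the Couchbase bucket, epmd or data-exchange ports would pass silently; it should read `user.name = etcd and outbound and not etcd_peer_port | %evt.time: Unexpected Etcd outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)`. The same copy-paste pattern shows up twice more in this hunk: the Couchbase outbound rule's message still says `Unexpected Couchbase inbound port`, and the Gearman rule repeats `outbound and outbound`. The inline comment already flags that the etcd user name is unverified; since every rule here keys on `user.name`, a service running under a different account produces no alert at all, so the user names are worth confirming per service before these rules are relied on.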