Add more curl download checks

Signed-off-by: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
2025-08-16 13:17:04 +00:00 · 2021-11-16 10:27:21 +01:00 · 2021-11-16 10:27:21 +01:00 · 749d4b4512
commit 749d4b4512
parent 851033c5f4
1 changed files with 8 additions and 1 deletions
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@ -3095,7 +3095,14 @@
  condition: (never_true)

 -  macro: curl_download
-   condition: proc.name = curl and (proc.cmdline contains (" > ") or proc.cmdline contains (" >> ") or proc.cmdline contains (" | "))
+   condition: proc.name = curl and
+              (proc.cmdline contains (" > ") or
+              proc.cmdline contains (" >> ") or
+              proc.cmdline contains (" | ") or
+              proc.cmdline contains (" -o ") or
+              proc.cmdline contains (" --output ") or
+              proc.cmdline contains (" -O ") or
+              proc.cmdline contains (" --remote-name "))

 - rule: Launch Ingress Remote File Copy Tools in Container
  desc: Detect ingress remote file copy tools launched in container