From 749d4b45126e95c9953c3f3ab26aa81982b82b54 Mon Sep 17 00:00:00 2001
From: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
Date: Tue, 16 Nov 2021 10:27:21 +0100
Subject: [PATCH] Add more curl download checks

Signed-off-by: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
---
 rules/falco_rules.yaml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 8688ce90..7e771ebf 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -3095,7 +3095,14 @@
   condition: (never_true)
 
 - macro: curl_download
-  condition: proc.name = curl and (proc.cmdline contains (" > ") or proc.cmdline contains (" >> ") or proc.cmdline contains (" | "))
+  condition: proc.name = curl and
+    (proc.cmdline contains (" > ") or
+    proc.cmdline contains (" >> ") or
+    proc.cmdline contains (" | ") or
+    proc.cmdline contains (" -o ") or
+    proc.cmdline contains (" --output ") or
+    proc.cmdline contains (" -O ") or
+    proc.cmdline contains (" --remote-name "))
 
 - rule: Launch Ingress Remote File Copy Tools in Container
   desc: Detect ingress remote file copy tools launched in container
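Review bot: The four new `contains` terms require a space on both sides of the flag, so `-O` and `--remote-name` are not matched when they are the last token of the command line (`proc.cmdline` has no trailing space), and the `--output=FILE` spelling is not matched either; the macro should add `proc.cmdline endswith " -O" or proc.cmdline endswith " --remote-name" or proc.cmdline contains " --output="` alongside the existing terms. Short options combined with other flags (e.g. a single `-sLo`-style token) also fall outside the space-delimited pattern, which is worth stating as a known coverage limit rather than leaving readers to assume the macro is exhaustive. A one-line comment above the macro would help maintainers, e.g. `# Flags are matched as space-delimited tokens; combined short options are not covered.`. The macro is fully inside the hunk, so no further context is needed.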