fix egrep rule and ncat rule (#617)

* fix egrep rule and ncat rule
falco-CLA-1.0-signed-off-by: Dario Martins Silva <dmsilva@protonmail.com>

* add space after arguments, add --lua-exec
falco-CLA-1.0-signed-off-by: Dario Martins Silva <dmsilva@protonmail.com>
Dario Martins Silva 2019-06-05 14:26:22 -04:00 committed by Mark Stemm
parent e91bc497ac
commit 7a56f1c2d9

@ -2126,7 +2126,8 @@
condition: >
spawned_process and container and
((proc.name = "nc" and (proc.args contains "-e" or proc.args contains "-c")) or
(proc.name = "ncat" and (proc.args contains "--sh-exec" or proc.args contains "--exec"))
(proc.name = "ncat" and (proc.args contains "--sh-exec" or proc.args contains "--exec" or proc.args contains "-e "
or proc.args contains "-c " or proc.args contains "--lua-exec"))
)
output: >
Netcat runs inside container that allows remote code execution (user=%user.name
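Review bot: the two new ncat alternatives on the second changed line use `"-e "` and `"-c "` with a trailing space, while the `nc` branch directly above still matches bare `"-e"` and `"-c"`; the two branches should use the same form, and the reason for the trailing space (restricting the substring match so `-e`/`-c` are not picked up inside unrelated arguments) deserves a short comment next to the condition, since a later reader will otherwise assume the space is a typo. As a style point, the continuation line starts with `or proc.args contains "-c "` whereas the rest of this condition places the boolean operator at the end of the preceding line (`spawned_process and container and`); moving the `or` to the end of the previous line keeps the rule consistent with the surrounding file.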
@ -2163,7 +2164,7 @@
tags: [network, process, mitre_discovery, mitre_exfiltration]
- list: grep_binaries
items: [grep, egre, fgrep]
items: [grep, egrep, fgrep]
- macro: grep_commands
condition: (proc.name in (grep_binaries))
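Review bot: the correction of `egre` to `egrep` is right and worth calling out in the commit message: `grep_commands` is an exact `proc.name in (grep_binaries)` match, so the misspelled entry matched no process at all and every rule built on `grep_commands` silently ignored egrep invocations until now. It would be worth scanning the neighbouring `- list:` blocks for the same kind of truncated binary name, since the list form gives no error when an entry can never match.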