From 7a56f1c2d931403258f986aa799e7649d1254a0b Mon Sep 17 00:00:00 2001
From: Dario Martins Silva
Date: Wed, 5 Jun 2019 14:26:22 -0400
Subject: [PATCH] fix egrep rule and ncat rule (#617)
* fix egrep rule and ncat rule
falco-CLA-1.0-signed-off-by: Dario Martins Silva
* add space after arguments, add --lua-exec
falco-CLA-1.0-signed-off-by: Dario Martins Silva
---
rules/falco_rules.yaml | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 0070144c..1e624612 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -2126,7 +2126,8 @@
condition: >
spawned_process and container and
((proc.name = "nc" and (proc.args contains "-e" or proc.args contains "-c")) or
- (proc.name = "ncat" and (proc.args contains "--sh-exec" or proc.args contains "--exec"))
+ (proc.name = "ncat" and (proc.args contains "--sh-exec" or proc.args contains "--exec" or proc.args contains "-e "
+ or proc.args contains "-c " or proc.args contains "--lua-exec"))
)
output: >
Netcat runs inside container that allows remote code execution (user=%user.name
@@ -2163,7 +2164,7 @@
tags: [network, process, mitre_discovery, mitre_exfiltration]
- list: grep_binaries
- items: [grep, egre, fgrep]
+ items: [grep, egrep, fgrep]
- macro: grep_commands
condition: (proc.name in (grep_binaries))
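Review bot: The `nc` branch in the context line directly above the changed ncat line still tests the bare substrings `"-e"` and `"-c"`, so the two binaries are now matched by different forms of the same flag check and only ncat gets the trailing-space treatment the commit message describes. A bare `"-e"` is a substring of the `"--exec"` literal tested on the very next line, and `"-c"` occurs inside any long option whose name contains `-c`, so the `nc` branch will fire on long options that merely contain those two characters; the same trailing-space form, `(proc.name = "nc" and (proc.args contains "-e " or proc.args contains "-c "))`, would make the two branches consistent, at the cost of not matching a flag that is the final token of proc.args (I would say so in the rule). The rationale for the trailing space is only in the commit message; I would carry it into the rule as a comment above `condition:`, e.g. `# trailing space keeps "-e "/"-c " from matching inside longer options ("--exec" contains "-e")`. The enclosing `- rule:` entry starts before this hunk, so its name and description are not visible here.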