From 7da245e902bfaad109e5d638534ddf98aba8ff7e Mon Sep 17 00:00:00 2001
From: Hiroki Suezawa
Date: Wed, 4 Dec 2019 06:33:55 +0900
Subject: [PATCH] rule update: Modify rule to detect raw packets creation

Signed-off-by: Hiroki Suezawa
---
 rules/falco_rules.yaml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index a1851a2d..f1a140c3 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -2650,16 +2650,16 @@
 # This rule is not enabled by default, as there are legitimate use
 # cases for raw packet. If you want to enable it, modify the
 # following macro.
-- macro: consider_raw_packet_communication
+- macro: consider_packet_socket_communication
   condition: (never_true)
-- list: user_known_raw_packet_binaries
+- list: user_known_packet_socket_binaries
   items: []
-- rule: Raw packet created in container
-  desc: Detect new raw packets at the device driver (OSI Layer 2) level in a container. raw packets could be used to do ARP Spoofing by attacker.
-  condition: consider_raw_packet_communication and evt.type=socket and evt.arg[0]=AF_PACKET and container and not proc.name in (user_known_raw_packet_binaries)
-  output: Raw packet was created in a container (user=%user.name command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
+- rule: Packet socket created in container
+  desc: Detect new packet socket at the device driver (OSI Layer 2) level in a container. Packet socket could be used to do ARP Spoofing by attacker.
+  condition: evt.type=socket and evt.arg[0]=AF_PACKET and consider_packet_socket_communication and container and not proc.name in (user_known_packet_socket_binaries)
+  output: Packet socket was created in a container (user=%user.name command=%proc.cmdline socket_info=%evt.args container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
   priority: NOTICE
   tags: [network, mitre_discovery]
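Review bot: Renaming `consider_raw_packet_communication` and `user_known_raw_packet_binaries` silently disables this detection for any deployment that enabled it by overriding the old macro or list in a local rules file, because after this hunk that override defines a macro the rule no longer references, and as far as I can tell the rule loader raises no error for an unused macro. Consider keeping the old names as compatibility aliases for at least one release: leave `- macro: consider_raw_packet_communication` / `  condition: (never_true)` in place and define the new one as `- macro: consider_packet_socket_communication` / `  condition: (consider_raw_packet_communication)`, so an override of either name still enables the rule; the same applies to the list. The comment above the macro still says "raw packet" and should mention the rename so operators searching for the old name find the new one. The new `desc` also reads awkwardly; `Detect creation of a new packet socket (AF_PACKET, OSI Layer 2) in a container. Packet sockets can be used for ARP spoofing.` would be clearer.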