github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-31 06:01:52 +00:00
Code Issues Projects Releases Wiki Activity

rule update: add a rule to detect reverse shell

Browse Source 
Signed-off-by: kaizhe <derek0405@gmail.com>
This commit is contained in:
kaizhe 2020-04-17 11:48:57 -07:00 committed by poiana
parent b0f5e59fc5
commit a1145d9841
1 changed files with 6 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
rules/falco_rules.yaml
View File

@ -2795,7 +2795,12 @@
priority: WARNING
tags: [network]
- rule: Reverse shell
desc: Detect reverse shell established remote connection in container.
condition: evt.type=dup and evt.dir=> and container and fd.num in (0, 1, 2) and fd.type in ("ipv4", "ipv6")
output: >
Reverse shell connection (user=%user.name %container.info process=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty container_id=%container.id image=%container.image.repository fd.name=%fd.name fd.num=%fd.num fd.type=%fd.type fd.sip=%fd.sip)
priority: WARNING
# Application rules have moved to application_rules.yaml. Please look
# there if you want to enable them by adding to