github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-09-27 13:17:38 +00:00
Code Issues Projects Releases Wiki Activity

Add ssh alert

Browse Source
This commit is contained in:
Henri DF
2016-03-02 17:32:04 -08:00
parent ea158baa8d
commit b700a85b05
1 changed files with 7 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
rules/base.txt
View File

@@ -44,11 +44,14 @@ elasticsearch_port: elasticsearch_cluster_port or elasticsearch_api_port
ssh_port: fd.lport=22 ssh_port: fd.lport=22
# Ssh
ssh_error_message: evt.arg.data contains "Invalid user" or evt.arg.data contains "preauth"
# System # System
modules: syscall.type in (delete_module, init_module) modules: syscall.type in (delete_module, init_module)
container: container.id != host container: container.id != host
interactive: proc.aname=sshd interactive: proc.aname=sshd
syslog: fd.name = /dev/log
####### #######
# Rules # Rules
@@ -86,3 +89,6 @@ container and proc.name = bash | shell in a container (%proc.name %evt.dir %evt.
# Network traffic to/from standard utils # Network traffic to/from standard utils
(fd.typechar = 4 or fd.typechar=6) and coreutils_binaries | network traffic to %proc.name (%proc.name %evt.dir %evt.type %evt.args %fd.name) (fd.typechar = 4 or fd.typechar=6) and coreutils_binaries | network traffic to %proc.name (%proc.name %evt.dir %evt.type %evt.args %fd.name)
# SSH errors (failed logins, disconnects, ..)
syslog and ssh_error_message and evt.dir = < | output.syslog(evt, "warning", "sshd: %proc.name %evt.arg.data")