From bebdff3d6761cb473ba7f2f8b1787d6e9b62a9bb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?N=C3=A9stor=20Salceda?=
Date: Wed, 11 Jul 2018 17:18:56 +0200
Subject: [PATCH] This rule does not add any value to the integration

It was just an example for cryptomining.
---
 .../falco-config/falco_rules.local.yaml | 25 -------------------
 1 file changed, 25 deletions(-)

diff --git a/kubernetes-response-engine/deployment/falco-config/falco_rules.local.yaml b/kubernetes-response-engine/deployment/falco-config/falco_rules.local.yaml
index 8c6e89fe..3c8e3bb5 100644
--- a/kubernetes-response-engine/deployment/falco-config/falco_rules.local.yaml
+++ b/kubernetes-response-engine/deployment/falco-config/falco_rules.local.yaml
@@ -11,28 +11,3 @@
 # tags: [users, container]
 
 # Or override/append to any rule, macro, or list from the Default Rules
-
-- macro: node_app_frontend
- condition: k8s.ns.name = node-app and k8s.pod.label.role = frontend and k8s.pod.label.app = node-app
-
-- rule: Detect crypto miners using the Stratum protocol
- desc: Miners typically specify the mining pool to connect to with a URI that begins with 'stratum+tcp'
- condition: node_app_frontend and spawned_process and container.id != host and proc.cmdline contains stratum+tcp
- output: Possible miner ran inside a container (command=%proc.cmdline %container.info)
- priority: CRITICAL
-
-- list: miner_ports
- items: [
- 3333, 4444, 8333, 7777, 7778, 3357,
- 3335, 8899, 8888, 5730, 5588, 8118,
- 6099, 9332, 1
- ]
-
-- macro: miner_port_connection
- condition: fd.sport in (miner_ports)
-
-- rule: Detect outbound connections to common miner pool ports
- desc: Miners typically connect to miner pools on common ports.
- condition: node_app_frontend and outbound and miner_port_connection
- output: "Outbound connection to common miner port (command=%proc.cmdline port=%fd.rport %container.info)"
- priority: CRITICAL
\ No newline at end of file