mirror of
https://github.com/falcosecurity/falco.git
synced 2025-08-25 17:38:53 +00:00
Rule updates 2018 04.v2 (#366)
* Add alternatives as a binary dir writer It can set symlinks below binary dirs. * Let userhelper read sens.files/write below /etc Part of usermode package, can be used by oVirt. * Let package mgmt progs urlgrabber pki files Some package management programs run urlgrabber-ext-{down} to update pki files. * Add additional root directory for Jupyter-notebook * Let brandbot write to /etc/os-release Used on centos * Add an additional veritas conf directory. Also /etc/opt/VRTS... * Let appdynamics spawn shells Java, so we look at parent cmdline. * Add more ancestors to output In an attempt to track down the source of some additional shell spawners, add additional parents. * Let chef write below bin dirs/rpm database Rename an existing macro chef_running_yum_dump to python_running_chef and add additional variants. Also add chef-client as a package management binary. * Remove dangling macro. No longer in use. * Add additional volume mgmt progs Add pvscan as a volume management program and add an additional directory below /etc. Also rename the macro to make it more generic. * Let openldap write below /etc/openldap Only program is run-openldap.sh for now. * Add additional veritas directory Also /etc/vom. * Let sed write /etc/sedXXXXX files These are often seen in install scrips for rpm/deb packages. The test only checks for /etc/sed, as we don't have anything like a regex match or glob operator. * Let dse (DataStax Search) write to /root Only file is /root/tmp__. * Add additional mysql programs and directories Add run-mysqld and /etc/my.cnf.d directory. * Let redis write its config below /etc. * Let id program open network connections Seen using port 111 (sun-rpc, but really user lookups). * Opt-in rule for protecting tomcat shell spawns Some users want to consider any shell spawned by tomcat suspect for example, protecting against the famous apache struts attack CVE-2017-5638, while others do not. Split the difference by adding a macro possibly_parent_java_running_tomcat, but disabling it by default. * added ossec-syscheckd to read_sensitive_file_binaries * Add "Write below monitored directory" Take the technique used by "Write below binary dir", and make it more general, expanding to a list of "monitored directories". This contains common directories like /boot, /lib, etc. It has a small workaround to look for home ssh directories without using the glob operator, which has a pending fix in https://github.com/draios/sysdig/pull/1153. * Fix FPs Move monitored_dir to after evt type checks and allow mkinitramfs to write below /boot * Addl boot writers.
This commit is contained in:
parent
81dcee23a9
commit
c5523d89a7
@ -166,7 +166,7 @@
|
|||||||
# The truncated dpkg-preconfigu is intentional, process names are
|
# The truncated dpkg-preconfigu is intentional, process names are
|
||||||
# truncated at the sysdig level.
|
# truncated at the sysdig level.
|
||||||
- list: package_mgmt_binaries
|
- list: package_mgmt_binaries
|
||||||
items: [rpm_binaries, deb_binaries, update-alternat, gem, pip, sane-utils.post]
|
items: [rpm_binaries, deb_binaries, update-alternat, gem, pip, sane-utils.post, alternatives, chef-client]
|
||||||
|
|
||||||
- macro: package_mgmt_procs
|
- macro: package_mgmt_procs
|
||||||
condition: proc.name in (package_mgmt_binaries)
|
condition: proc.name in (package_mgmt_binaries)
|
||||||
@ -375,6 +375,9 @@
|
|||||||
(proc.cmdline startswith "sed -ri" or proc.cmdline startswith "sed -i") and
|
(proc.cmdline startswith "sed -ri" or proc.cmdline startswith "sed -i") and
|
||||||
(fd.name startswith /etc/httpd/conf.d/ or fd.name startswith /etc/httpd/conf))
|
(fd.name startswith /etc/httpd/conf.d/ or fd.name startswith /etc/httpd/conf))
|
||||||
|
|
||||||
|
- macro: userhelper_writing_etc_security
|
||||||
|
condition: (proc.name=userhelper and fd.name startswith /etc/security)
|
||||||
|
|
||||||
- macro: parent_Xvfb_running_xkbcomp
|
- macro: parent_Xvfb_running_xkbcomp
|
||||||
condition: (proc.pname=Xvfb and proc.cmdline startswith 'sh -c "/usr/bin/xkbcomp"')
|
condition: (proc.pname=Xvfb and proc.cmdline startswith 'sh -c "/usr/bin/xkbcomp"')
|
||||||
|
|
||||||
@ -395,18 +398,13 @@
|
|||||||
- list: known_shell_spawn_binaries
|
- list: known_shell_spawn_binaries
|
||||||
items: []
|
items: []
|
||||||
|
|
||||||
- macro: shell_spawning_containers
|
|
||||||
condition: (container.image startswith jenkins or
|
|
||||||
container.image startswith gitlab/gitlab-ce or
|
|
||||||
container.image startswith gitlab/gitlab-ee)
|
|
||||||
|
|
||||||
## End Deprecated
|
## End Deprecated
|
||||||
|
|
||||||
- macro: ansible_running_python
|
- macro: ansible_running_python
|
||||||
condition: (proc.name in (python, pypy) and proc.cmdline contains ansible)
|
condition: (proc.name in (python, pypy) and proc.cmdline contains ansible)
|
||||||
|
|
||||||
- macro: chef_running_yum_dump
|
- macro: python_running_chef
|
||||||
condition: (proc.name=python and proc.cmdline contains yum-dump.py)
|
condition: (proc.name=python and (proc.cmdline contains yum-dump.py or proc.cmdline="python /usr/bin/chef-monitor.py"))
|
||||||
|
|
||||||
- macro: python_running_denyhosts
|
- macro: python_running_denyhosts
|
||||||
condition: >
|
condition: >
|
||||||
@ -490,9 +488,13 @@
|
|||||||
- macro: htpasswd_writing_passwd
|
- macro: htpasswd_writing_passwd
|
||||||
condition: (proc.name=htpasswd and fd.name=/etc/nginx/.htpasswd)
|
condition: (proc.name=htpasswd and fd.name=/etc/nginx/.htpasswd)
|
||||||
|
|
||||||
- macro: lvprogs_writing_lvm_archive
|
- macro: lvprogs_writing_conf
|
||||||
condition: (proc.name in (dmeventd,lvcreate) and (fd.name startswith /etc/lvm/archive or
|
condition: >
|
||||||
fd.name startswith /etc/lvm/backup))
|
(proc.name in (dmeventd,lvcreate,pvscan) and
|
||||||
|
(fd.name startswith /etc/lvm/archive or
|
||||||
|
fd.name startswith /etc/lvm/backup or
|
||||||
|
fd.name startswith /etc/lvm/cache))
|
||||||
|
|
||||||
- macro: ovsdb_writing_openvswitch
|
- macro: ovsdb_writing_openvswitch
|
||||||
condition: (proc.name=ovsdb-server and fd.directory=/etc/openvswitch)
|
condition: (proc.name=ovsdb-server and fd.directory=/etc/openvswitch)
|
||||||
|
|
||||||
@ -541,6 +543,9 @@
|
|||||||
- macro: slapadd_writing_conf
|
- macro: slapadd_writing_conf
|
||||||
condition: (proc.name=slapadd and fd.name startswith /etc/ldap)
|
condition: (proc.name=slapadd and fd.name startswith /etc/ldap)
|
||||||
|
|
||||||
|
- macro: openldap_writing_conf
|
||||||
|
condition: (proc.pname=run-openldap.sh and fd.name startswith /etc/openldap)
|
||||||
|
|
||||||
- macro: symantec_writing_conf
|
- macro: symantec_writing_conf
|
||||||
condition: >
|
condition: >
|
||||||
((proc.name=symcfgd and fd.name startswith /etc/symantec) or
|
((proc.name=symcfgd and fd.name startswith /etc/symantec) or
|
||||||
@ -554,6 +559,14 @@
|
|||||||
(proc.name=urlgrabber-ext- and proc.aname[3]=sosreport and
|
(proc.name=urlgrabber-ext- and proc.aname[3]=sosreport and
|
||||||
(fd.name startswith /etc/pkt/nssdb or fd.name startswith /etc/pki/nssdb))
|
(fd.name startswith /etc/pkt/nssdb or fd.name startswith /etc/pki/nssdb))
|
||||||
|
|
||||||
|
- macro: pkgmgmt_progs_writing_pki
|
||||||
|
condition: >
|
||||||
|
(proc.name=urlgrabber-ext- and proc.pname in (yum, yum-cron, repoquery) and
|
||||||
|
(fd.name startswith /etc/pkt/nssdb or fd.name startswith /etc/pki/nssdb))
|
||||||
|
|
||||||
|
- macro: brandbot_writing_os_release
|
||||||
|
condition: proc.name=brandbot and fd.name=/etc/os-release
|
||||||
|
|
||||||
- macro: selinux_writing_conf
|
- macro: selinux_writing_conf
|
||||||
condition: (proc.name in (semodule,genhomedircon,sefcontext_comp) and fd.name startswith /etc/selinux)
|
condition: (proc.name in (semodule,genhomedircon,sefcontext_comp) and fd.name startswith /etc/selinux)
|
||||||
|
|
||||||
@ -567,7 +580,7 @@
|
|||||||
condition: (proc.name in (veritas_binaries) or veritas_driver_script)
|
condition: (proc.name in (veritas_binaries) or veritas_driver_script)
|
||||||
|
|
||||||
- macro: veritas_writing_config
|
- macro: veritas_writing_config
|
||||||
condition: (veritas_progs and fd.name startswith /etc/vx)
|
condition: (veritas_progs and (fd.name startswith /etc/vx or fd.name startswith /etc/opt/VRTS or fd.name startswith /etc/vom))
|
||||||
|
|
||||||
- macro: nginx_writing_conf
|
- macro: nginx_writing_conf
|
||||||
condition: (proc.name=nginx and fd.name startswith /etc/nginx)
|
condition: (proc.name=nginx and fd.name startswith /etc/nginx)
|
||||||
@ -593,6 +606,11 @@
|
|||||||
- macro: exe_running_docker_save
|
- macro: exe_running_docker_save
|
||||||
condition: (proc.cmdline startswith "exe /var/lib/docker" and proc.pname in (dockerd, docker))
|
condition: (proc.cmdline startswith "exe /var/lib/docker" and proc.pname in (dockerd, docker))
|
||||||
|
|
||||||
|
# Ideally we'd have a length check here as well but sysdig
|
||||||
|
# filterchecks don't have operators like len()
|
||||||
|
- macro: sed_temporary_file
|
||||||
|
condition: (proc.name=sed and fd.name startswith "/etc/sed")
|
||||||
|
|
||||||
- macro: python_running_get_pip
|
- macro: python_running_get_pip
|
||||||
condition: (proc.cmdline startswith "python get-pip.py")
|
condition: (proc.cmdline startswith "python get-pip.py")
|
||||||
|
|
||||||
@ -602,6 +620,9 @@
|
|||||||
- macro: gugent_writing_guestagent_log
|
- macro: gugent_writing_guestagent_log
|
||||||
condition: (proc.name=gugent and fd.name=GuestAgent.log)
|
condition: (proc.name=gugent and fd.name=GuestAgent.log)
|
||||||
|
|
||||||
|
- macro: dse_writing_tmp
|
||||||
|
condition: (proc.name=dse-entrypoint and fd.name=/root/tmp__)
|
||||||
|
|
||||||
- rule: Write below binary dir
|
- rule: Write below binary dir
|
||||||
desc: an attempt to write to any file below a set of binary directories
|
desc: an attempt to write to any file below a set of binary directories
|
||||||
condition: >
|
condition: >
|
||||||
@ -616,6 +637,44 @@
|
|||||||
priority: ERROR
|
priority: ERROR
|
||||||
tags: [filesystem]
|
tags: [filesystem]
|
||||||
|
|
||||||
|
# If you'd like to generally monitor a wider set of directories on top
|
||||||
|
# of the ones covered by the rule Write below binary dir, you can use
|
||||||
|
# the following rule and lists.
|
||||||
|
|
||||||
|
- list: monitored_directories
|
||||||
|
items: [/boot, /lib, /lib64, /usr/lib, /usr/local/lib, /usr/local/sbin, /usr/local/bin, /root/.ssh, /etc/cardserver]
|
||||||
|
|
||||||
|
# Until https://github.com/draios/sysdig/pull/1153, which fixes
|
||||||
|
# https://github.com/draios/sysdig/issues/1152, is widely available,
|
||||||
|
# we can't use glob operators to match pathnames. Until then, we do a
|
||||||
|
# looser check to match ssh directories.
|
||||||
|
# When fixed, we will use "fd.name glob '/home/*/.ssh/*'"
|
||||||
|
- macro: user_ssh_directory
|
||||||
|
condition: (fd.name startswith '/home' and fd.name contains '.ssh')
|
||||||
|
|
||||||
|
- macro: mkinitramfs_writing_boot
|
||||||
|
condition: (proc.pname in (mkinitramfs, update-initramf) and fd.directory=/boot)
|
||||||
|
|
||||||
|
- macro: monitored_dir
|
||||||
|
condition: >
|
||||||
|
(fd.directory in (monitored_directories)
|
||||||
|
or user_ssh_directory)
|
||||||
|
and not mkinitramfs_writing_boot
|
||||||
|
|
||||||
|
- rule: Write below monitored dir
|
||||||
|
desc: an attempt to write to any file below a set of binary directories
|
||||||
|
condition: >
|
||||||
|
evt.dir = < and open_write and monitored_dir
|
||||||
|
and not package_mgmt_procs
|
||||||
|
and not exe_running_docker_save
|
||||||
|
and not python_running_get_pip
|
||||||
|
and not python_running_ms_oms
|
||||||
|
output: >
|
||||||
|
File below a monitored directory opened for writing (user=%user.name
|
||||||
|
command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline gparent=%proc.aname[2])
|
||||||
|
priority: ERROR
|
||||||
|
tags: [filesystem]
|
||||||
|
|
||||||
- list: safe_etc_dirs
|
- list: safe_etc_dirs
|
||||||
items: [/etc/cassandra, /etc/ssl/certs/java, /etc/logstash, /etc/nginx/conf.d, /etc/container_environment, /etc/hrmconfig]
|
items: [/etc/cassandra, /etc/ssl/certs/java, /etc/logstash, /etc/nginx/conf.d, /etc/container_environment, /etc/hrmconfig]
|
||||||
|
|
||||||
@ -677,7 +736,13 @@
|
|||||||
condition: (proc.name=httpd and fd.name startswith /etc/httpd/)
|
condition: (proc.name=httpd and fd.name startswith /etc/httpd/)
|
||||||
|
|
||||||
- macro: mysql_writing_conf
|
- macro: mysql_writing_conf
|
||||||
condition: ((proc.name=start-mysql.sh or proc.pname=start-mysql.sh) and fd.name startswith /etc/mysql)
|
condition: >
|
||||||
|
((proc.name in (start-mysql.sh, run-mysqld) or proc.pname=start-mysql.sh) and
|
||||||
|
(fd.name startswith /etc/mysql or fd.directory=/etc/my.cnf.d))
|
||||||
|
|
||||||
|
- macro: redis_writing_conf
|
||||||
|
condition: >
|
||||||
|
(proc.name=run-redis and fd.name=/etc/redis.conf)
|
||||||
|
|
||||||
- macro: openvpn_writing_conf
|
- macro: openvpn_writing_conf
|
||||||
condition: (proc.name in (openvpn,openvpn-entrypo) and fd.name startswith /etc/openvpn)
|
condition: (proc.name in (openvpn,openvpn-entrypo) and fd.name startswith /etc/openvpn)
|
||||||
@ -733,6 +798,7 @@
|
|||||||
and not proc.pname in (sysdigcloud_binaries, mail_config_binaries, hddtemp.postins, sshkit_script_binaries, locales.postins, deb_binaries, dhcp_binaries)
|
and not proc.pname in (sysdigcloud_binaries, mail_config_binaries, hddtemp.postins, sshkit_script_binaries, locales.postins, deb_binaries, dhcp_binaries)
|
||||||
and not fd.name pmatch (safe_etc_dirs)
|
and not fd.name pmatch (safe_etc_dirs)
|
||||||
and not fd.name in (/etc/container_environment.sh, /etc/container_environment.json, /etc/motd, /etc/motd.svc)
|
and not fd.name in (/etc/container_environment.sh, /etc/container_environment.json, /etc/motd, /etc/motd.svc)
|
||||||
|
and not sed_temporary_file
|
||||||
and not exe_running_docker_save
|
and not exe_running_docker_save
|
||||||
and not ansible_running_python
|
and not ansible_running_python
|
||||||
and not python_running_denyhosts
|
and not python_running_denyhosts
|
||||||
@ -754,7 +820,7 @@
|
|||||||
and not supervise_writing_status
|
and not supervise_writing_status
|
||||||
and not pki_realm_writing_realms
|
and not pki_realm_writing_realms
|
||||||
and not htpasswd_writing_passwd
|
and not htpasswd_writing_passwd
|
||||||
and not lvprogs_writing_lvm_archive
|
and not lvprogs_writing_conf
|
||||||
and not ovsdb_writing_openvswitch
|
and not ovsdb_writing_openvswitch
|
||||||
and not datadog_writing_conf
|
and not datadog_writing_conf
|
||||||
and not curl_writing_pki_db
|
and not curl_writing_pki_db
|
||||||
@ -791,6 +857,11 @@
|
|||||||
and not cockpit_writing_conf
|
and not cockpit_writing_conf
|
||||||
and not ipsec_writing_conf
|
and not ipsec_writing_conf
|
||||||
and not httpd_writing_ssl_conf
|
and not httpd_writing_ssl_conf
|
||||||
|
and not userhelper_writing_etc_security
|
||||||
|
and not pkgmgmt_progs_writing_pki
|
||||||
|
and not brandbot_writing_os_release
|
||||||
|
and not redis_writing_conf
|
||||||
|
and not openldap_writing_conf
|
||||||
|
|
||||||
- rule: Write below etc
|
- rule: Write below etc
|
||||||
desc: an attempt to write to any file below /etc
|
desc: an attempt to write to any file below /etc
|
||||||
@ -837,7 +908,8 @@
|
|||||||
or fd.name startswith /root/.dbus
|
or fd.name startswith /root/.dbus
|
||||||
or fd.name startswith /root/.composer
|
or fd.name startswith /root/.composer
|
||||||
or fd.name startswith /root/.gconf
|
or fd.name startswith /root/.gconf
|
||||||
or fd.name startswith /root/.nv)
|
or fd.name startswith /root/.nv
|
||||||
|
or fd.name startswith /root/.local/share/jupyter)
|
||||||
|
|
||||||
- rule: Write below root
|
- rule: Write below root
|
||||||
desc: an attempt to write to any file directly below / or /root
|
desc: an attempt to write to any file directly below / or /root
|
||||||
@ -847,6 +919,7 @@
|
|||||||
and not fd.directory in (known_root_directories)
|
and not fd.directory in (known_root_directories)
|
||||||
and not exe_running_docker_save
|
and not exe_running_docker_save
|
||||||
and not gugent_writing_guestagent_log
|
and not gugent_writing_guestagent_log
|
||||||
|
and not dse_writing_tmp
|
||||||
and not known_root_conditions
|
and not known_root_conditions
|
||||||
output: "File below / or /root opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname file=%fd.name program=%proc.name)"
|
output: "File below / or /root opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname file=%fd.name program=%proc.name)"
|
||||||
priority: ERROR
|
priority: ERROR
|
||||||
@ -872,7 +945,7 @@
|
|||||||
iptables, ps, lsb_release, check-new-relea, dumpe2fs, accounts-daemon, sshd,
|
iptables, ps, lsb_release, check-new-relea, dumpe2fs, accounts-daemon, sshd,
|
||||||
vsftpd, systemd, mysql_install_d, psql, screen, debconf-show, sa-update,
|
vsftpd, systemd, mysql_install_d, psql, screen, debconf-show, sa-update,
|
||||||
pam-auth-update, /usr/sbin/spamd, polkit-agent-he, lsattr, file, sosreport,
|
pam-auth-update, /usr/sbin/spamd, polkit-agent-he, lsattr, file, sosreport,
|
||||||
scxcimservera, adclient, rtvscand, cockpit-session
|
scxcimservera, adclient, rtvscand, cockpit-session, userhelper, ossec-syscheckd
|
||||||
]
|
]
|
||||||
|
|
||||||
# Add conditions to this macro (probably in a separate file,
|
# Add conditions to this macro (probably in a separate file,
|
||||||
@ -918,7 +991,7 @@
|
|||||||
# Only let rpm-related programs write to the rpm database
|
# Only let rpm-related programs write to the rpm database
|
||||||
- rule: Write below rpm database
|
- rule: Write below rpm database
|
||||||
desc: an attempt to write to the rpm database by any non-rpm related program
|
desc: an attempt to write to the rpm database by any non-rpm related program
|
||||||
condition: fd.name startswith /var/lib/rpm and open_write and not rpm_procs and not ansible_running_python and not chef_running_yum_dump
|
condition: fd.name startswith /var/lib/rpm and open_write and not rpm_procs and not ansible_running_python and not python_running_chef
|
||||||
output: "Rpm database opened for writing by a non-rpm program (command=%proc.cmdline file=%fd.name)"
|
output: "Rpm database opened for writing by a non-rpm program (command=%proc.cmdline file=%fd.name)"
|
||||||
priority: ERROR
|
priority: ERROR
|
||||||
tags: [filesystem, software_mgmt]
|
tags: [filesystem, software_mgmt]
|
||||||
@ -940,6 +1013,9 @@
|
|||||||
- macro: rabbitmqctl_running_scripts
|
- macro: rabbitmqctl_running_scripts
|
||||||
condition: (proc.aname[2]=rabbitmqctl and proc.cmdline startswith "sh -c ")
|
condition: (proc.aname[2]=rabbitmqctl and proc.cmdline startswith "sh -c ")
|
||||||
|
|
||||||
|
- macro: run_by_appdynamics
|
||||||
|
condition: (proc.pname=java and proc.pcmdline startswith "java -jar -Dappdynamics")
|
||||||
|
|
||||||
- rule: DB program spawned process
|
- rule: DB program spawned process
|
||||||
desc: >
|
desc: >
|
||||||
a database-server related program spawned a new process other than itself.
|
a database-server related program spawned a new process other than itself.
|
||||||
@ -1072,6 +1148,17 @@
|
|||||||
- macro: possibly_node_in_container
|
- macro: possibly_node_in_container
|
||||||
condition: (never_true and (proc.pname=node and proc.aname[3]=docker-containe))
|
condition: (never_true and (proc.pname=node and proc.aname[3]=docker-containe))
|
||||||
|
|
||||||
|
# Similarly, you may want to consider any shell spawned by apache
|
||||||
|
# tomcat as suspect. The famous apache struts attack (CVE-2017-5638)
|
||||||
|
# could be exploited to do things like spawn shells.
|
||||||
|
#
|
||||||
|
# However, many applications *do* use tomcat to run arbitrary shells,
|
||||||
|
# as a part of build pipelines, etc.
|
||||||
|
#
|
||||||
|
# Like for node, we make this case opt-in.
|
||||||
|
- macro: possibly_parent_java_running_tomcat
|
||||||
|
condition: (never_true and proc.pname=java and proc.pcmdline contains org.apache.catalina.startup.Bootstrap)
|
||||||
|
|
||||||
- macro: protected_shell_spawner
|
- macro: protected_shell_spawner
|
||||||
condition: >
|
condition: >
|
||||||
(proc.aname in (protected_shell_spawning_binaries)
|
(proc.aname in (protected_shell_spawning_binaries)
|
||||||
@ -1084,6 +1171,7 @@
|
|||||||
or parent_java_running_glassfish
|
or parent_java_running_glassfish
|
||||||
or parent_java_running_hadoop
|
or parent_java_running_hadoop
|
||||||
or parent_java_running_datastax
|
or parent_java_running_datastax
|
||||||
|
or possibly_parent_java_running_tomcat
|
||||||
or possibly_node_in_container)
|
or possibly_node_in_container)
|
||||||
|
|
||||||
- list: mesos_shell_binaries
|
- list: mesos_shell_binaries
|
||||||
@ -1122,11 +1210,12 @@
|
|||||||
and not redis_running_prepost_scripts
|
and not redis_running_prepost_scripts
|
||||||
and not rabbitmq_running_scripts
|
and not rabbitmq_running_scripts
|
||||||
and not rabbitmqctl_running_scripts
|
and not rabbitmqctl_running_scripts
|
||||||
|
and not run_by_appdynamics
|
||||||
and not user_shell_container_exclusions
|
and not user_shell_container_exclusions
|
||||||
output: >
|
output: >
|
||||||
Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname
|
Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname
|
||||||
cmdline=%proc.cmdline pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3]
|
cmdline=%proc.cmdline pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3]
|
||||||
gggparent=%proc.aname[4] ggggparent=%proc.aname[5])
|
aname[4]=%proc.aname[4] aname[5]=%proc.aname[5] aname[6]=%proc.aname[6] aname[7]=%proc.aname[7])
|
||||||
priority: DEBUG
|
priority: DEBUG
|
||||||
tags: [shell]
|
tags: [shell]
|
||||||
|
|
||||||
@ -1330,7 +1419,7 @@
|
|||||||
condition: >
|
condition: >
|
||||||
(fd.sockfamily = ip and system_procs)
|
(fd.sockfamily = ip and system_procs)
|
||||||
and (inbound_outbound)
|
and (inbound_outbound)
|
||||||
and not proc.name in (systemd, hostid)
|
and not proc.name in (systemd, hostid, id)
|
||||||
and not login_doing_dns_lookup
|
and not login_doing_dns_lookup
|
||||||
output: >
|
output: >
|
||||||
Known system binary sent/received network traffic
|
Known system binary sent/received network traffic
|
||||||
|
Loading…
Reference in New Issue
Block a user