github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-08-01 22:47:46 +00:00
Code Issues Projects Releases Wiki Activity

rule update: Modify condition for raw packets creation

Browse Source 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
This commit is contained in:
Hiroki Suezawa 2019-12-04 00:20:36 +09:00 committed by Leo Di Donato
parent 8b2d4e1fe6
commit d0e6279bb2
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
rules/falco_rules.yaml
View File

@ -2658,7 +2658,7 @@
- rule: Raw packet created in container - rule: Raw packet created in container
desc: Detect new raw packets at the device driver (OSI Layer 2) level in a container. raw packets could be used to do ARP Spoofing by attacker. desc: Detect new raw packets at the device driver (OSI Layer 2) level in a container. raw packets could be used to do ARP Spoofing by attacker.
condition: consider_raw_packet_communication and evt.type=socket and evt.arg[0] in (AF_PACKET, PF_PACKET) and container and not proc.name in (user_known_raw_packet_binaries) condition: consider_raw_packet_communication and evt.type=socket and evt.arg[0]=AF_PACKET and container and not proc.name in (user_known_raw_packet_binaries)
output: Raw packet was created in a container (user=%user.name command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) output: Raw packet was created in a container (user=%user.name command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
priority: NOTICE priority: NOTICE
tags: [network, mitre_discovery] tags: [network, mitre_discovery]