mirror of
https://github.com/falcosecurity/falco.git
synced 2025-09-20 01:17:46 +00:00
update(rules): add macro for dup syscalls
Signed-off-by: Aldo Lacuku <aldo@lacuku.eu>
@@ -2983,9 +2983,12 @@
|
|||||||
- macro: user_known_stand_streams_redirect_activities
|
- macro: user_known_stand_streams_redirect_activities
|
||||||
condition: (never_true)
|
condition: (never_true)
|
||||||
|
|
||||||
|
- macro: dup
|
||||||
|
condition: evt.type in (dup, dup2, dup3)
|
||||||
|
|
||||||
- rule: Redirect STDOUT/STDIN to Network Connection in Container
|
- rule: Redirect STDOUT/STDIN to Network Connection in Container
|
||||||
desc: Detect redirecting stdout/stdin to network connection in container (potential reverse shell).
|
desc: Detect redirecting stdout/stdin to network connection in container (potential reverse shell).
|
||||||
condition: evt.type in (dup, dup2, dup3) and container and evt.rawres in (0, 1, 2) and fd.type in ("ipv4", "ipv6") and not user_known_stand_streams_redirect_activities
|
condition: dup and container and evt.rawres in (0, 1, 2) and fd.type in ("ipv4", "ipv6") and not user_known_stand_streams_redirect_activities
|
||||||
output: >
|
output: >
|
||||||
Redirect stdout/stdin to network connection (user=%user.name user_loginuid=%user.loginuid %container.info process=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty container_id=%container.id image=%container.image.repository fd.name=%fd.name fd.num=%fd.num fd.type=%fd.type fd.sip=%fd.sip)
|
Redirect stdout/stdin to network connection (user=%user.name user_loginuid=%user.loginuid %container.info process=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty container_id=%container.id image=%container.image.repository fd.name=%fd.name fd.num=%fd.num fd.type=%fd.type fd.sip=%fd.sip)
|
||||||
priority: WARNING
|
priority: WARNING
|
||||||
|
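Review bot: the new macro is named `dup`, which is also the name of one of the event types it matches (`evt.type in (dup, dup2, dup3)`); Falco resolves a bare `dup` in the rule condition as the macro and `dup` inside the `in (...)` list as an event name, so it works, but the shadowing makes the rewritten condition `dup and container and evt.rawres in (0, 1, 2) ...` read ambiguously to a maintainer and hard to grep for. A more descriptive name such as `dup_syscalls` (or a `list` of the three event names, if other rules will want the same set with a different field) would keep the refactor while avoiding the collision. Otherwise the change is behaviour-preserving: the macro body is exactly the expression it replaces in "Redirect STDOUT/STDIN to Network Connection in Container", and the `evt.rawres in (0, 1, 2)` / `fd.type in ("ipv4", "ipv6")` checks and the `user_known_stand_streams_redirect_activities` exception are untouched.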