mirror of
https://github.com/falcosecurity/falco.git
synced 2025-06-29 16:17:32 +00:00
Change rule names to be human readable.
Given the prior test, change all rule names to be human readable. This is especially important for the agent integration as they are visible.
This commit is contained in:
Mark Stemm
parent
81a145fd4f
commit
da77df142f
@ -183,7 +183,7 @@
|
|||||||
# General Rules
|
# General Rules
|
||||||
###############
|
###############
|
||||||
|
|
||||||
- rule: write_binary_dir
|
- rule: Write below binary dir
|
||||||
desc: an attempt to write to any file below a set of binary directories
|
desc: an attempt to write to any file below a set of binary directories
|
||||||
condition: bin_dir and evt.dir = < and open_write and not package_mgmt_procs
|
condition: bin_dir and evt.dir = < and open_write and not package_mgmt_procs
|
||||||
output: "File below a known binary directory opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)"
|
output: "File below a known binary directory opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)"
|
||||||
@ -196,51 +196,51 @@
|
|||||||
and not proc.pname in (sysdigcloud_binaries)
|
and not proc.pname in (sysdigcloud_binaries)
|
||||||
and not fd.directory in (/etc/cassandra, /etc/ssl/certs/java)
|
and not fd.directory in (/etc/cassandra, /etc/ssl/certs/java)
|
||||||
|
|
||||||
- rule: write_etc
|
- rule: Write below etc
|
||||||
desc: an attempt to write to any file below /etc, not in a pipe installer session
|
desc: an attempt to write to any file below /etc, not in a pipe installer session
|
||||||
condition: write_etc_common and not proc.sname=fbash
|
condition: write_etc_common and not proc.sname=fbash
|
||||||
output: "File below /etc opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)"
|
output: "File below /etc opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)"
|
||||||
priority: WARNING
|
priority: WARNING
|
||||||
|
|
||||||
# Within a fbash session, the severity is lowered to INFO
|
# Within a fbash session, the severity is lowered to INFO
|
||||||
- rule: write_etc_installer
|
- rule: Write below etc in installer
|
||||||
desc: an attempt to write to any file below /etc, in a pipe installer session
|
desc: an attempt to write to any file below /etc, in a pipe installer session
|
||||||
condition: write_etc_common and proc.sname=fbash
|
condition: write_etc_common and proc.sname=fbash
|
||||||
output: "File below /etc opened for writing (user=%user.name command=%proc.cmdline file=%fd.name) within pipe installer session"
|
output: "File below /etc opened for writing (user=%user.name command=%proc.cmdline file=%fd.name) within pipe installer session"
|
||||||
priority: INFO
|
priority: INFO
|
||||||
|
|
||||||
- rule: read_sensitive_file_trusted_after_startup
|
- rule: Read sensitive file trusted after startup
|
||||||
desc: an attempt to read any sensitive file (e.g. files containing user/password/authentication information) by a trusted program after startup. Trusted programs might read these files at startup to load initial state, but not afterwards.
|
desc: an attempt to read any sensitive file (e.g. files containing user/password/authentication information) by a trusted program after startup. Trusted programs might read these files at startup to load initial state, but not afterwards.
|
||||||
condition: sensitive_files and open_read and server_procs and not proc_is_new and proc.name!="sshd"
|
condition: sensitive_files and open_read and server_procs and not proc_is_new and proc.name!="sshd"
|
||||||
output: "Sensitive file opened for reading by trusted program after startup (user=%user.name command=%proc.cmdline file=%fd.name)"
|
output: "Sensitive file opened for reading by trusted program after startup (user=%user.name command=%proc.cmdline file=%fd.name)"
|
||||||
priority: WARNING
|
priority: WARNING
|
||||||
|
|
||||||
- rule: read_sensitive_file_untrusted
|
- rule: Read sensitive file untrusted
|
||||||
desc: an attempt to read any sensitive file (e.g. files containing user/password/authentication information). Exceptions are made for known trusted programs.
|
desc: an attempt to read any sensitive file (e.g. files containing user/password/authentication information). Exceptions are made for known trusted programs.
|
||||||
condition: sensitive_files and open_read and not proc.name in (user_mgmt_binaries, userexec_binaries, package_mgmt_binaries, cron_binaries, iptables, ps, lsb_release, check-new-relea, dumpe2fs, accounts-daemon, shell_binaries, sshd) and not proc.cmdline contains /usr/bin/mandb
|
condition: sensitive_files and open_read and not proc.name in (user_mgmt_binaries, userexec_binaries, package_mgmt_binaries, cron_binaries, iptables, ps, lsb_release, check-new-relea, dumpe2fs, accounts-daemon, shell_binaries, sshd) and not proc.cmdline contains /usr/bin/mandb
|
||||||
output: "Sensitive file opened for reading by non-trusted program (user=%user.name name=%proc.name command=%proc.cmdline file=%fd.name)"
|
output: "Sensitive file opened for reading by non-trusted program (user=%user.name name=%proc.name command=%proc.cmdline file=%fd.name)"
|
||||||
priority: WARNING
|
priority: WARNING
|
||||||
|
|
||||||
# Only let rpm-related programs write to the rpm database
|
# Only let rpm-related programs write to the rpm database
|
||||||
- rule: write_rpm_database
|
- rule: Write below rpm database
|
||||||
desc: an attempt to write to the rpm database by any non-rpm related program
|
desc: an attempt to write to the rpm database by any non-rpm related program
|
||||||
condition: fd.name startswith /var/lib/rpm and open_write and not proc.name in (rpm,rpmkey,yum)
|
condition: fd.name startswith /var/lib/rpm and open_write and not proc.name in (rpm,rpmkey,yum)
|
||||||
output: "Rpm database opened for writing by a non-rpm program (command=%proc.cmdline file=%fd.name)"
|
output: "Rpm database opened for writing by a non-rpm program (command=%proc.cmdline file=%fd.name)"
|
||||||
priority: WARNING
|
priority: WARNING
|
||||||
|
|
||||||
- rule: db_program_spawned_process
|
- rule: DB program spawned process
|
||||||
desc: a database-server related program spawned a new process other than itself. This shouldn\'t occur and is a follow on from some SQL injection attacks.
|
desc: a database-server related program spawned a new process other than itself. This shouldn\'t occur and is a follow on from some SQL injection attacks.
|
||||||
condition: proc.pname in (db_server_binaries) and spawned_process and not proc.name in (db_server_binaries)
|
condition: proc.pname in (db_server_binaries) and spawned_process and not proc.name in (db_server_binaries)
|
||||||
output: "Database-related program spawned process other than itself (user=%user.name program=%proc.cmdline parent=%proc.pname)"
|
output: "Database-related program spawned process other than itself (user=%user.name program=%proc.cmdline parent=%proc.pname)"
|
||||||
priority: WARNING
|
priority: WARNING
|
||||||
|
|
||||||
- rule: modify_binary_dirs
|
- rule: Modify binary dirs
|
||||||
desc: an attempt to modify any file below a set of binary directories.
|
desc: an attempt to modify any file below a set of binary directories.
|
||||||
condition: bin_dir_rename and modify and not package_mgmt_procs
|
condition: bin_dir_rename and modify and not package_mgmt_procs
|
||||||
output: "File below known binary directory renamed/removed (user=%user.name command=%proc.cmdline operation=%evt.type file=%fd.name %evt.args)"
|
output: "File below known binary directory renamed/removed (user=%user.name command=%proc.cmdline operation=%evt.type file=%fd.name %evt.args)"
|
||||||
priority: WARNING
|
priority: WARNING
|
||||||
|
|
||||||
- rule: mkdir_binary_dirs
|
- rule: Mkdir binary dirs
|
||||||
desc: an attempt to create a directory below a set of binary directories.
|
desc: an attempt to create a directory below a set of binary directories.
|
||||||
condition: mkdir and bin_dir_mkdir and not package_mgmt_procs
|
condition: mkdir and bin_dir_mkdir and not package_mgmt_procs
|
||||||
output: "Directory below known binary directory created (user=%user.name command=%proc.cmdline directory=%evt.arg.path)"
|
output: "Directory below known binary directory created (user=%user.name command=%proc.cmdline directory=%evt.arg.path)"
|
||||||
@ -256,19 +256,19 @@
|
|||||||
# priority: WARNING
|
# priority: WARNING
|
||||||
|
|
||||||
# Temporarily disabling this rule as it's tripping over https://github.com/draios/sysdig/issues/598
|
# Temporarily disabling this rule as it's tripping over https://github.com/draios/sysdig/issues/598
|
||||||
# - rule: syscall_returns_eaccess
|
# - rule: Syscall returns eaccess
|
||||||
# desc: any system call that returns EACCESS. This is not always a strong indication of a problem, hence the INFO priority.
|
# desc: any system call that returns EACCESS. This is not always a strong indication of a problem, hence the INFO priority.
|
||||||
# condition: evt.res = EACCESS
|
# condition: evt.res = EACCESS
|
||||||
# output: "System call returned EACCESS (user=%user.name command=%proc.cmdline syscall=%evt.type args=%evt.args)"
|
# output: "System call returned EACCESS (user=%user.name command=%proc.cmdline syscall=%evt.type args=%evt.args)"
|
||||||
# priority: INFO
|
# priority: INFO
|
||||||
|
|
||||||
- rule: change_thread_namespace
|
- rule: Change thread namespace
|
||||||
desc: an attempt to change a program/thread\'s namespace (commonly done as a part of creating a container) by calling setns.
|
desc: an attempt to change a program/thread\'s namespace (commonly done as a part of creating a container) by calling setns.
|
||||||
condition: evt.type = setns and not proc.name in (docker_binaries, sysdig, dragent, nsenter)
|
condition: evt.type = setns and not proc.name in (docker_binaries, sysdig, dragent, nsenter)
|
||||||
output: "Namespace change (setns) by unexpected program (user=%user.name command=%proc.cmdline container=%container.id)"
|
output: "Namespace change (setns) by unexpected program (user=%user.name command=%proc.cmdline container=%container.id)"
|
||||||
priority: WARNING
|
priority: WARNING
|
||||||
|
|
||||||
- rule: run_shell_untrusted
|
- rule: Run shell untrusted
|
||||||
desc: an attempt to spawn a shell by a non-shell program. Exceptions are made for trusted binaries.
|
desc: an attempt to spawn a shell by a non-shell program. Exceptions are made for trusted binaries.
|
||||||
condition: spawned_process and not container and shell_procs and proc.pname exists and not proc.pname in (cron_binaries, shell_binaries, sshd, sudo, docker_binaries, su, tmux, screen, emacs, systemd, login, flock, fbash, nginx, monit, supervisord, dragent, aws, initdb, docker-compose)
|
condition: spawned_process and not container and shell_procs and proc.pname exists and not proc.pname in (cron_binaries, shell_binaries, sshd, sudo, docker_binaries, su, tmux, screen, emacs, systemd, login, flock, fbash, nginx, monit, supervisord, dragent, aws, initdb, docker-compose)
|
||||||
output: "Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)"
|
output: "Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)"
|
||||||
@ -279,20 +279,20 @@
|
|||||||
# output: "Interactive root (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
|
# output: "Interactive root (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
|
||||||
# priority: WARNING
|
# priority: WARNING
|
||||||
|
|
||||||
- rule: system_user_interactive
|
- rule: System user interactive
|
||||||
desc: an attempt to run interactive commands by a system (i.e. non-login) user
|
desc: an attempt to run interactive commands by a system (i.e. non-login) user
|
||||||
condition: spawned_process and system_users and interactive
|
condition: spawned_process and system_users and interactive
|
||||||
output: "System user ran an interactive command (user=%user.name command=%proc.cmdline)"
|
output: "System user ran an interactive command (user=%user.name command=%proc.cmdline)"
|
||||||
priority: WARNING
|
priority: WARNING
|
||||||
|
|
||||||
- rule: run_shell_in_container
|
- rule: Run shell in container
|
||||||
desc: a shell was spawned by a non-shell program in a container. Container entrypoints are excluded.
|
desc: a shell was spawned by a non-shell program in a container. Container entrypoints are excluded.
|
||||||
condition: spawned_process and container and shell_procs and proc.pname exists and not proc.pname in (shell_binaries, docker_binaries, initdb, pg_ctl)
|
condition: spawned_process and container and shell_procs and proc.pname exists and not proc.pname in (shell_binaries, docker_binaries, initdb, pg_ctl)
|
||||||
output: "Shell spawned in a container other than entrypoint (user=%user.name container_id=%container.id container_name=%container.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)"
|
output: "Shell spawned in a container other than entrypoint (user=%user.name container_id=%container.id container_name=%container.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)"
|
||||||
priority: WARNING
|
priority: WARNING
|
||||||
|
|
||||||
# sockfamily ip is to exclude certain processes (like 'groups') that communicate on unix-domain sockets
|
# sockfamily ip is to exclude certain processes (like 'groups') that communicate on unix-domain sockets
|
||||||
- rule: system_procs_network_activity
|
- rule: System procs network activity
|
||||||
desc: any network activity performed by system binaries that are not expected to send or receive any network traffic
|
desc: any network activity performed by system binaries that are not expected to send or receive any network traffic
|
||||||
condition: (fd.sockfamily = ip and system_procs) and (inbound or outbound)
|
condition: (fd.sockfamily = ip and system_procs) and (inbound or outbound)
|
||||||
output: "Known system binary sent/received network traffic (user=%user.name command=%proc.cmdline connection=%fd.name)"
|
output: "Known system binary sent/received network traffic (user=%user.name command=%proc.cmdline connection=%fd.name)"
|
||||||
@ -301,46 +301,46 @@
|
|||||||
# With the current restriction on system calls handled by falco
|
# With the current restriction on system calls handled by falco
|
||||||
# (e.g. excluding read/write/sendto/recvfrom/etc, this rule won't
|
# (e.g. excluding read/write/sendto/recvfrom/etc, this rule won't
|
||||||
# trigger).
|
# trigger).
|
||||||
# - rule: ssh_error_syslog
|
# - rule: Ssh error in syslog
|
||||||
# desc: any ssh errors (failed logins, disconnects, ...) sent to syslog
|
# desc: any ssh errors (failed logins, disconnects, ...) sent to syslog
|
||||||
# condition: syslog and ssh_error_message and evt.dir = <
|
# condition: syslog and ssh_error_message and evt.dir = <
|
||||||
# output: "sshd sent error message to syslog (error=%evt.buffer)"
|
# output: "sshd sent error message to syslog (error=%evt.buffer)"
|
||||||
# priority: WARNING
|
# priority: WARNING
|
||||||
|
|
||||||
# sshd, mail programs attempt to setuid to root even when running as non-root. Excluding here to avoid meaningless FPs
|
# sshd, mail programs attempt to setuid to root even when running as non-root. Excluding here to avoid meaningless FPs
|
||||||
- rule: non_sudo_setuid
|
- rule: Non sudo setuid
|
||||||
desc: an attempt to change users by calling setuid. sudo/su are excluded. user "root" is also excluded, as setuid calls typically involve dropping privileges.
|
desc: an attempt to change users by calling setuid. sudo/su are excluded. user "root" is also excluded, as setuid calls typically involve dropping privileges.
|
||||||
condition: evt.type=setuid and evt.dir=> and not user.name=root and not proc.name in (userexec_binaries, mail_binaries, sshd, dbus-daemon-lau)
|
condition: evt.type=setuid and evt.dir=> and not user.name=root and not proc.name in (userexec_binaries, mail_binaries, sshd, dbus-daemon-lau)
|
||||||
output: "Unexpected setuid call by non-sudo, non-root program (user=%user.name command=%proc.cmdline uid=%evt.arg.uid)"
|
output: "Unexpected setuid call by non-sudo, non-root program (user=%user.name command=%proc.cmdline uid=%evt.arg.uid)"
|
||||||
priority: WARNING
|
priority: WARNING
|
||||||
|
|
||||||
- rule: user_mgmt_binaries
|
- rule: User mgmt binaries
|
||||||
desc: activity by any programs that can manage users, passwords, or permissions. sudo and su are excluded. Activity in containers is also excluded--some containers create custom users on top of a base linux distribution at startup.
|
desc: activity by any programs that can manage users, passwords, or permissions. sudo and su are excluded. Activity in containers is also excluded--some containers create custom users on top of a base linux distribution at startup.
|
||||||
condition: spawned_process and proc.name in (user_mgmt_binaries) and not proc.name in (su, sudo) and not container and not proc.pname in (cron_binaries, systemd, run-parts)
|
condition: spawned_process and proc.name in (user_mgmt_binaries) and not proc.name in (su, sudo) and not container and not proc.pname in (cron_binaries, systemd, run-parts)
|
||||||
output: "User management binary command run outside of container (user=%user.name command=%proc.cmdline parent=%proc.pname)"
|
output: "User management binary command run outside of container (user=%user.name command=%proc.cmdline parent=%proc.pname)"
|
||||||
priority: WARNING
|
priority: WARNING
|
||||||
|
|
||||||
# (we may need to add additional checks against false positives, see: https://bugs.launchpad.net/ubuntu/+source/rkhunter/+bug/86153)
|
# (we may need to add additional checks against false positives, see: https://bugs.launchpad.net/ubuntu/+source/rkhunter/+bug/86153)
|
||||||
- rule: create_files_below_dev
|
- rule: Create files below dev
|
||||||
desc: creating any files below /dev other than known programs that manage devices. Some rootkits hide files in /dev.
|
desc: creating any files below /dev other than known programs that manage devices. Some rootkits hide files in /dev.
|
||||||
condition: fd.directory = /dev and (evt.type = creat or (evt.type = open and evt.arg.flags contains O_CREAT)) and proc.name != blkid and not fd.name in (/dev/null,/dev/stdin,/dev/stdout,/dev/stderr,/dev/tty)
|
condition: fd.directory = /dev and (evt.type = creat or (evt.type = open and evt.arg.flags contains O_CREAT)) and proc.name != blkid and not fd.name in (/dev/null,/dev/stdin,/dev/stdout,/dev/stderr,/dev/tty)
|
||||||
output: "File created below /dev by untrusted program (user=%user.name command=%proc.cmdline file=%fd.name)"
|
output: "File created below /dev by untrusted program (user=%user.name command=%proc.cmdline file=%fd.name)"
|
||||||
priority: WARNING
|
priority: WARNING
|
||||||
|
|
||||||
# fbash is a small shell script that runs bash, and is suitable for use in curl <curl> | fbash installers.
|
# fbash is a small shell script that runs bash, and is suitable for use in curl <curl> | fbash installers.
|
||||||
- rule: installer_bash_starts_network_server
|
- rule: Installer bash starts network server
|
||||||
desc: an attempt by a program in a pipe installer session to start listening for network connections
|
desc: an attempt by a program in a pipe installer session to start listening for network connections
|
||||||
condition: evt.type=listen and proc.sname=fbash
|
condition: evt.type=listen and proc.sname=fbash
|
||||||
output: "Unexpected listen call by a process in a fbash session (command=%proc.cmdline)"
|
output: "Unexpected listen call by a process in a fbash session (command=%proc.cmdline)"
|
||||||
priority: WARNING
|
priority: WARNING
|
||||||
|
|
||||||
- rule: installer_bash_starts_session
|
- rule: Installer bash starts session
|
||||||
desc: an attempt by a program in a pipe installer session to start a new session
|
desc: an attempt by a program in a pipe installer session to start a new session
|
||||||
condition: evt.type=setsid and proc.sname=fbash
|
condition: evt.type=setsid and proc.sname=fbash
|
||||||
output: "Unexpected setsid call by a process in fbash session (command=%proc.cmdline)"
|
output: "Unexpected setsid call by a process in fbash session (command=%proc.cmdline)"
|
||||||
priority: WARNING
|
priority: WARNING
|
||||||
|
|
||||||
- rule: installer_bash_non_https_connection
|
- rule: Installer bash non https connection
|
||||||
desc: an attempt by a program in a pipe installer session to make an outgoing connection on a non-http(s) port
|
desc: an attempt by a program in a pipe installer session to make an outgoing connection on a non-http(s) port
|
||||||
condition: proc.sname=fbash and outbound and not fd.sport in (80, 443, 53)
|
condition: proc.sname=fbash and outbound and not fd.sport in (80, 443, 53)
|
||||||
output: "Outbound connection on non-http(s) port by a process in a fbash session (command=%proc.cmdline connection=%fd.name)"
|
output: "Outbound connection on non-http(s) port by a process in a fbash session (command=%proc.cmdline connection=%fd.name)"
|
||||||
@ -353,7 +353,7 @@
|
|||||||
# Notice when processes try to run chkconfig/systemctl.... to install a service.
|
# Notice when processes try to run chkconfig/systemctl.... to install a service.
|
||||||
# Note: this is not a WARNING, as you'd expect some service management
|
# Note: this is not a WARNING, as you'd expect some service management
|
||||||
# as a part of doing the installation.
|
# as a part of doing the installation.
|
||||||
- rule: installer_bash_manages_service
|
- rule: Installer bash manages service
|
||||||
desc: an attempt by a program in a pipe installer session to manage a system service (systemd/chkconfig)
|
desc: an attempt by a program in a pipe installer session to manage a system service (systemd/chkconfig)
|
||||||
condition: evt.type=execve and proc.name in (chkconfig, systemctl) and proc.sname=fbash
|
condition: evt.type=execve and proc.name in (chkconfig, systemctl) and proc.sname=fbash
|
||||||
output: "Service management program run by process in a fbash session (command=%proc.cmdline)"
|
output: "Service management program run by process in a fbash session (command=%proc.cmdline)"
|
||||||
@ -362,7 +362,7 @@
|
|||||||
# Notice when processes try to run any package management binary within a fbash session.
|
# Notice when processes try to run any package management binary within a fbash session.
|
||||||
# Note: this is not a WARNING, as you'd expect some package management
|
# Note: this is not a WARNING, as you'd expect some package management
|
||||||
# as a part of doing the installation
|
# as a part of doing the installation
|
||||||
- rule: installer_bash_runs_pkgmgmt
|
- rule: Installer bash runs pkgmgmt program
|
||||||
desc: an attempt by a program in a pipe installer session to run a package management binary
|
desc: an attempt by a program in a pipe installer session to run a package management binary
|
||||||
condition: evt.type=execve and package_mgmt_procs and proc.sname=fbash
|
condition: evt.type=execve and package_mgmt_procs and proc.sname=fbash
|
||||||
output: "Package management program run by process in a fbash session (command=%proc.cmdline)"
|
output: "Package management program run by process in a fbash session (command=%proc.cmdline)"
|
||||||
@ -387,13 +387,13 @@
|
|||||||
- macro: elasticsearch_port
|
- macro: elasticsearch_port
|
||||||
condition: elasticsearch_cluster_port or elasticsearch_api_port
|
condition: elasticsearch_cluster_port or elasticsearch_api_port
|
||||||
|
|
||||||
# - rule: elasticsearch_unexpected_network_inbound
|
# - rule: Elasticsearch unexpected network inbound traffic
|
||||||
# desc: inbound network traffic to elasticsearch on a port other than the standard ports
|
# desc: inbound network traffic to elasticsearch on a port other than the standard ports
|
||||||
# condition: user.name = elasticsearch and inbound and not elasticsearch_port
|
# condition: user.name = elasticsearch and inbound and not elasticsearch_port
|
||||||
# output: "Inbound network traffic to Elasticsearch on unexpected port (connection=%fd.name)"
|
# output: "Inbound network traffic to Elasticsearch on unexpected port (connection=%fd.name)"
|
||||||
# priority: WARNING
|
# priority: WARNING
|
||||||
|
|
||||||
# - rule: elasticsearch_unexpected_network_outbound
|
# - rule: Elasticsearch unexpected network outbound traffic
|
||||||
# desc: outbound network traffic from elasticsearch on a port other than the standard ports
|
# desc: outbound network traffic from elasticsearch on a port other than the standard ports
|
||||||
# condition: user.name = elasticsearch and outbound and not elasticsearch_cluster_port
|
# condition: user.name = elasticsearch and outbound and not elasticsearch_cluster_port
|
||||||
# output: "Outbound network traffic from Elasticsearch on unexpected port (connection=%fd.name)"
|
# output: "Outbound network traffic from Elasticsearch on unexpected port (connection=%fd.name)"
|
||||||
@ -408,13 +408,13 @@
|
|||||||
- macro: activemq_port
|
- macro: activemq_port
|
||||||
condition: activemq_web_port or activemq_cluster_port
|
condition: activemq_web_port or activemq_cluster_port
|
||||||
|
|
||||||
# - rule: activemq_unexpected_network_inbound
|
# - rule: Activemq unexpected network inbound traffic
|
||||||
# desc: inbound network traffic to activemq on a port other than the standard ports
|
# desc: inbound network traffic to activemq on a port other than the standard ports
|
||||||
# condition: user.name = activemq and inbound and not activemq_port
|
# condition: user.name = activemq and inbound and not activemq_port
|
||||||
# output: "Inbound network traffic to ActiveMQ on unexpected port (connection=%fd.name)"
|
# output: "Inbound network traffic to ActiveMQ on unexpected port (connection=%fd.name)"
|
||||||
# priority: WARNING
|
# priority: WARNING
|
||||||
|
|
||||||
# - rule: activemq_unexpected_network_outbound
|
# - rule: Activemq unexpected network outbound traffic
|
||||||
# desc: outbound network traffic from activemq on a port other than the standard ports
|
# desc: outbound network traffic from activemq on a port other than the standard ports
|
||||||
# condition: user.name = activemq and outbound and not activemq_cluster_port
|
# condition: user.name = activemq and outbound and not activemq_cluster_port
|
||||||
# output: "Outbound network traffic from ActiveMQ on unexpected port (connection=%fd.name)"
|
# output: "Outbound network traffic from ActiveMQ on unexpected port (connection=%fd.name)"
|
||||||
@ -436,13 +436,13 @@
|
|||||||
- macro: cassandra_port
|
- macro: cassandra_port
|
||||||
condition: cassandra_thrift_client_port or cassandra_cql_port or cassandra_cluster_port or cassandra_ssl_cluster_port or cassandra_jmx_port
|
condition: cassandra_thrift_client_port or cassandra_cql_port or cassandra_cluster_port or cassandra_ssl_cluster_port or cassandra_jmx_port
|
||||||
|
|
||||||
# - rule: cassandra_unexpected_network_inbound
|
# - rule: Cassandra unexpected network inbound traffic
|
||||||
# desc: inbound network traffic to cassandra on a port other than the standard ports
|
# desc: inbound network traffic to cassandra on a port other than the standard ports
|
||||||
# condition: user.name = cassandra and inbound and not cassandra_port
|
# condition: user.name = cassandra and inbound and not cassandra_port
|
||||||
# output: "Inbound network traffic to Cassandra on unexpected port (connection=%fd.name)"
|
# output: "Inbound network traffic to Cassandra on unexpected port (connection=%fd.name)"
|
||||||
# priority: WARNING
|
# priority: WARNING
|
||||||
|
|
||||||
# - rule: cassandra_unexpected_network_outbound
|
# - rule: Cassandra unexpected network outbound traffic
|
||||||
# desc: outbound network traffic from cassandra on a port other than the standard ports
|
# desc: outbound network traffic from cassandra on a port other than the standard ports
|
||||||
# condition: user.name = cassandra and outbound and not (cassandra_ssl_cluster_port or cassandra_cluster_port)
|
# condition: user.name = cassandra and outbound and not (cassandra_ssl_cluster_port or cassandra_cluster_port)
|
||||||
# output: "Outbound network traffic from Cassandra on unexpected port (connection=%fd.name)"
|
# output: "Outbound network traffic from Cassandra on unexpected port (connection=%fd.name)"
|
||||||
@ -463,13 +463,13 @@
|
|||||||
- macro: fluentd_forward_port
|
- macro: fluentd_forward_port
|
||||||
condition: fd.sport=24224
|
condition: fd.sport=24224
|
||||||
|
|
||||||
# - rule: fluentd_unexpected_network_inbound
|
# - rule: Fluentd unexpected network inbound traffic
|
||||||
# desc: inbound network traffic to fluentd on a port other than the standard ports
|
# desc: inbound network traffic to fluentd on a port other than the standard ports
|
||||||
# condition: user.name = td-agent and inbound and not (fluentd_forward_port or fluentd_http_port)
|
# condition: user.name = td-agent and inbound and not (fluentd_forward_port or fluentd_http_port)
|
||||||
# output: "Inbound network traffic to Fluentd on unexpected port (connection=%fd.name)"
|
# output: "Inbound network traffic to Fluentd on unexpected port (connection=%fd.name)"
|
||||||
# priority: WARNING
|
# priority: WARNING
|
||||||
|
|
||||||
# - rule: tdagent_unexpected_network_outbound
|
# - rule: Tdagent unexpected network outbound traffic
|
||||||
# desc: outbound network traffic from fluentd on a port other than the standard ports
|
# desc: outbound network traffic from fluentd on a port other than the standard ports
|
||||||
# condition: user.name = td-agent and outbound and not fluentd_forward_port
|
# condition: user.name = td-agent and outbound and not fluentd_forward_port
|
||||||
# output: "Outbound network traffic from Fluentd on unexpected port (connection=%fd.name)"
|
# output: "Outbound network traffic from Fluentd on unexpected port (connection=%fd.name)"
|
||||||
@ -477,7 +477,7 @@
|
|||||||
|
|
||||||
# Gearman ports
|
# Gearman ports
|
||||||
# http://gearman.org/protocol/
|
# http://gearman.org/protocol/
|
||||||
# - rule: gearman_unexpected_network_outbound
|
# - rule: Gearman unexpected network outbound traffic
|
||||||
# desc: outbound network traffic from gearman on a port other than the standard ports
|
# desc: outbound network traffic from gearman on a port other than the standard ports
|
||||||
# condition: user.name = gearman and outbound and outbound and not fd.sport = 4730
|
# condition: user.name = gearman and outbound and outbound and not fd.sport = 4730
|
||||||
# output: "Outbound network traffic from Gearman on unexpected port (connection=%fd.name)"
|
# output: "Outbound network traffic from Gearman on unexpected port (connection=%fd.name)"
|
||||||
@ -488,20 +488,20 @@
|
|||||||
condition: fd.sport = 2181
|
condition: fd.sport = 2181
|
||||||
|
|
||||||
# Kafka ports
|
# Kafka ports
|
||||||
# - rule: kafka_unexpected_network_inbound
|
# - rule: Kafka unexpected network inbound traffic
|
||||||
# desc: inbound network traffic to kafka on a port other than the standard ports
|
# desc: inbound network traffic to kafka on a port other than the standard ports
|
||||||
# condition: user.name = kafka and inbound and fd.sport != 9092
|
# condition: user.name = kafka and inbound and fd.sport != 9092
|
||||||
# output: "Inbound network traffic to Kafka on unexpected port (connection=%fd.name)"
|
# output: "Inbound network traffic to Kafka on unexpected port (connection=%fd.name)"
|
||||||
# priority: WARNING
|
# priority: WARNING
|
||||||
|
|
||||||
# Memcached ports
|
# Memcached ports
|
||||||
# - rule: memcached_unexpected_network_inbound
|
# - rule: Memcached unexpected network inbound traffic
|
||||||
# desc: inbound network traffic to memcached on a port other than the standard ports
|
# desc: inbound network traffic to memcached on a port other than the standard ports
|
||||||
# condition: user.name = memcached and inbound and fd.sport != 11211
|
# condition: user.name = memcached and inbound and fd.sport != 11211
|
||||||
# output: "Inbound network traffic to Memcached on unexpected port (connection=%fd.name)"
|
# output: "Inbound network traffic to Memcached on unexpected port (connection=%fd.name)"
|
||||||
# priority: WARNING
|
# priority: WARNING
|
||||||
|
|
||||||
# - rule: memcached_network_outbound
|
# - rule: Memcached unexpected network outbound traffic
|
||||||
# desc: any outbound network traffic from memcached. memcached never initiates outbound connections.
|
# desc: any outbound network traffic from memcached. memcached never initiates outbound connections.
|
||||||
# condition: user.name = memcached and outbound
|
# condition: user.name = memcached and outbound
|
||||||
# output: "Unexpected Memcached outbound connection (connection=%fd.name)"
|
# output: "Unexpected Memcached outbound connection (connection=%fd.name)"
|
||||||
@ -518,20 +518,20 @@
|
|||||||
- macro: mongodb_webserver_port
|
- macro: mongodb_webserver_port
|
||||||
condition: fd.sport = 28017
|
condition: fd.sport = 28017
|
||||||
|
|
||||||
# - rule: mongodb_unexpected_network_inbound
|
# - rule: Mongodb unexpected network inbound traffic
|
||||||
# desc: inbound network traffic to mongodb on a port other than the standard ports
|
# desc: inbound network traffic to mongodb on a port other than the standard ports
|
||||||
# condition: user.name = mongodb and inbound and not (mongodb_server_port or mongodb_shardserver_port or mongodb_configserver_port or mongodb_webserver_port)
|
# condition: user.name = mongodb and inbound and not (mongodb_server_port or mongodb_shardserver_port or mongodb_configserver_port or mongodb_webserver_port)
|
||||||
# output: "Inbound network traffic to MongoDB on unexpected port (connection=%fd.name)"
|
# output: "Inbound network traffic to MongoDB on unexpected port (connection=%fd.name)"
|
||||||
# priority: WARNING
|
# priority: WARNING
|
||||||
|
|
||||||
# MySQL ports
|
# MySQL ports
|
||||||
# - rule: mysql_unexpected_network_inbound
|
# - rule: Mysql unexpected network inbound traffic
|
||||||
# desc: inbound network traffic to mysql on a port other than the standard ports
|
# desc: inbound network traffic to mysql on a port other than the standard ports
|
||||||
# condition: user.name = mysql and inbound and fd.sport != 3306
|
# condition: user.name = mysql and inbound and fd.sport != 3306
|
||||||
# output: "Inbound network traffic to MySQL on unexpected port (connection=%fd.name)"
|
# output: "Inbound network traffic to MySQL on unexpected port (connection=%fd.name)"
|
||||||
# priority: WARNING
|
# priority: WARNING
|
||||||
|
|
||||||
# - rule: http_server_unexpected_network_inbound
|
# - rule: HTTP server unexpected network inbound traffic
|
||||||
# desc: inbound network traffic to a http server program on a port other than the standard ports
|
# desc: inbound network traffic to a http server program on a port other than the standard ports
|
||||||
# condition: proc.name in (http_server_binaries) and inbound and fd.sport != 80 and fd.sport != 443
|
# condition: proc.name in (http_server_binaries) and inbound and fd.sport != 80 and fd.sport != 443
|
||||||
# output: "Inbound network traffic to HTTP Server on unexpected port (connection=%fd.name)"
|
# output: "Inbound network traffic to HTTP Server on unexpected port (connection=%fd.name)"
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user