From e1cb2e9bb0fa49f0efcb0be9d915f2db093aeb20 Mon Sep 17 00:00:00 2001
From: kaizhe <derek0405@gmail.com>
Date: Tue, 24 Mar 2020 11:21:34 -0700
Subject: [PATCH] rule(Detect outbound connections to common miner pool ports):
 whitelist sysdig/agent and falcosecurity/falco for query miner domain dns

Signed-off-by: kaizhe <derek0405@gmail.com>
---
 rules/falco_rules.yaml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 96e059f4..8b89e5b0 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -2647,11 +2647,15 @@
 - macro: net_miner_pool
   condition: (evt.type in (sendto, sendmsg) and evt.dir=< and (fd.net != "127.0.0.0/8" and not fd.snet in (rfc_1918_addresses)) and ((minerpool_http) or (minerpool_https) or (minerpool_other)))
 
+- macro: trusted_images_query_miner_domain_dns
+  condition: (container.image.repository endswith "sysdig/agent" or container.image.repository endswith "falcosecurity/falco")
+  append: false
+
 # The rule is disabled by default. 
 # Note: falco will send DNS request to resolve miner pool domain which may trigger alerts in your environment.
 - rule: Detect outbound connections to common miner pool ports
   desc: Miners typically connect to miner pools on common ports.
-  condition: net_miner_pool
+  condition: net_miner_pool and not trusted_images_query_miner_domain_dns
   enabled: false
   output: Outbound connection to IP/Port flagged by cryptoioc.ch (command=%proc.cmdline port=%fd.rport ip=%fd.rip container=%container.info image=%container.image.repository)
   priority: CRITICAL