github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-09-05 16:50:34 +00:00
Code Issues Projects Releases Wiki Activity

rule update: Add rules to detect raw packets creation

Browse Source 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
This commit is contained in:
Hiroki Suezawa
2019-12-03 03:00:35 +09:00
committed by Leo Di Donato
parent 2f8caf99cd
commit ebec520ebc
1 changed files with 18 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
rules/falco_rules.yaml
View File

@@ -2646,6 +2646,24 @@
priority: WARNING priority: WARNING
tags: [container, mitre_execution] tags: [container, mitre_execution]
# This rule is not enabled by default, as there are legitimate use
# cases for raw packet. If you want to enable it, modify the
# following macro.
- macro: consider_raw_packet_creation
condition: (never_true)
- list: raw_packet_binaries
items: []
- rule: Raw packet was created in a container
desc: Detect new raw packets in a container. raw packets could be used to do ARP Spoofing by attacker.
condition: evt.type=socket and evt.arg[0]=AF_PACKET and container and not proc.name in (raw_packet_binaries)
output: Raw packet was created in a container (user=%user.name command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
priority: NOTICE
tags: [network, mitre_discovery]
# Application rules have moved to application_rules.yaml. Please look # Application rules have moved to application_rules.yaml. Please look
# there if you want to enable them by adding to # there if you want to enable them by adding to
# falco_rules.local.yaml. # falco_rules.local.yaml.