From fdcd7bffd0a8e8412013d5089a8e47f09c46f45a Mon Sep 17 00:00:00 2001
From: Shay Berkovich
Date: Wed, 13 Oct 2021 11:13:49 +0300
Subject: [PATCH] rule update(Detect crypto miners using the Stratum protocol): update protocols

Signed-off-by: Shay Berkovich
Co-authored-by: Meera Balsara
---
 rules/falco_rules.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 6953ecd3..e8a74fda 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -2820,7 +2820,7 @@
 - rule: Detect crypto miners using the Stratum protocol
 desc: Miners typically specify the mining pool to connect to with a URI that begins with 'stratum+tcp'
- condition: spawned_process and proc.cmdline contains "stratum+tcp"
+ condition: spawned_process and (proc.cmdline contains "stratum+tcp" or proc.cmdline contains "stratum2+tcp" or proc.cmdline contains "stratum+ssl" or proc.cmdline contains "stratum2+ssl")
 output: Possible miner running (command=%proc.cmdline container=%container.info image=%container.image.repository)
 priority: CRITICAL
 tags: [process, mitre_execution]
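Review bot: The `desc` line still says the pool URI "begins with 'stratum+tcp'" while the new `condition` also fires on `stratum2+tcp`, `stratum+ssl` and `stratum2+ssl`, so the rule's documentation no longer describes what it detects; I would change it to `desc: Miners typically specify the mining pool to connect to with a URI whose scheme is stratum+tcp, stratum2+tcp, stratum+ssl or stratum2+ssl`. The four tests are a case-sensitive `contains` over the whole command line, so a scheme written in another case (if the miner accepts one) or a pool URL supplied through a config file or environment variable instead of argv will not match — `icontains` would close the first gap at no cost, and the second is worth a one-line caveat in `desc` so operators know the rule only covers command-line pool URIs. As a point of style, folding the four clauses into a macro such as `stratum_uri` would keep `condition: spawned_process and stratum_uri` readable and make adding the next scheme a one-line change, consistent with how `spawned_process` is already factored out.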