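# A very simple config for introductory purposes. Not for the real-world!
#
# Each non-comment line is one filter expression; every event that matches it raises an alert.
# Two caveats apply to every rule in this file:
#   * A rule with no evt.type/evt.dir clause matches *every* syscall (enter and exit event)
#     of a matching process, so it fires many times per action. Each rule below pins the
#     syscalls of interest and matches only the exit event (evt.dir = <).
#   * proc.name is derived from the process's comm name, which a process can change itself,
#     so a match or exclusion keyed on proc.name can be evaded. Treat these rules as
#     detection signals, not as enforcement.

# Network traffic to/from standard system utilities
# These utils never communicate on the network - if they do, that is a strong indication
# that something is wrong (rootkit?)
# Note that the full rule lists all ~150 binaries from coreutils; this example only has a few.
# Match the socket calls that actually move or establish traffic rather than every event
# that happens to involve a socket fd. fd.typechar 4/6 are IPv4/IPv6 sockets; UNIX-domain
# sockets (typechar u) are deliberately left out, as local IPC by these tools is normal.
evt.type in (connect, accept, listen, sendto, sendmsg, recvfrom, recvmsg) and evt.dir = < and (fd.typechar = 4 or fd.typechar = 6) and proc.name in (ls, mkdir, cat, less, ps)

# System binary is modified or new file is written to standard binary dirs
# `write` alone misses the other write paths (pwrite, writev, pwritev), so all are listed.
# fd.directory is an exact match on the containing directory, so /usr/local/bin or any
# other directory on your PATH must be added explicitly. A binary dropped into these
# directories by rename/link, or made executable by chmod, produces no write event and
# is not caught by this rule.
# Expect this to fire during legitimate package-manager runs (apt/dpkg/yum/rpm); tune by
# excluding those parents only after you understand the normal update path on your hosts.
evt.type in (write, pwrite, writev, pwritev) and evt.dir = < and fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)

# Shell running in container
# Match the execve that spawns the shell (once) rather than every syscall the shell then
# makes, and cover the shells found in minimal images (busybox sh/ash on Alpine, dash on
# Debian-based images), not just bash.
# This still fires for containers whose entrypoint is itself a shell; exclude those by
# parent process (proc.pname) once the expected entrypoints are known.
evt.type = execve and evt.dir = < and container.id != host and proc.name in (bash, sh, dash, ash, zsh, ksh)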