mirror of
https://github.com/falcosecurity/falco.git
synced 2025-10-22 03:49:36 +00:00
In some cases the rule is not triggered when a reverse shell is spawned. That's because in the rule we are checking that the file descriptor passed as argument to the dup functions is of type socket and its fd number is "0, 1, or 2" and the event direction is "enter".

The following event does not trigger the rule:

    dup2(socket_fd, STDIN_FILENO);

But using the exit event the rule is triggered.

Signed-off-by: Aldo Lacuku <aldo@lacuku.eu>