mirror of
https://github.com/falcosecurity/falco.git
synced 2025-10-21 19:44:57 +00:00
a7ecbcef38
We found during testing that rules without syscall/event conditions are slower than other rules, so take a pass over the existing set of rules ensuring that whenever possible they have a condition. The changes are: - Only process executions by interactive users are monitored - Only look at connect/listen/etc for system binaries performing network activity - Only monitor process executions when monitoring user management programs. Also comment out all application rules by default so users can opt-in for the applications they use instead of getting a lot of application monitoring they may not need. Add a note stating they're all disabled by default and can be re-enabled as needed. Finally, remove some less common applications where we haven't done live testing. These 3 changes, along with those in https://github.com/draios/sysdig/pull/592, result in a significant performance increase on busy servers.
469 lines
21 KiB
YAML
469 lines
21 KiB
YAML
#############
|
|
# Definitions
|
|
#############
|
|
|
|
# File actions
|
|
|
|
|
|
# Currently disabled as read/write are ignored syscalls. The nearly
|
|
# similar open_write/open_read check for files being opened for
|
|
# reading/writing.
|
|
# - macro: write
|
|
# condition: (syscall.type=write and fd.type in (file, directory))
|
|
# - macro: read
|
|
# condition: (syscall.type=read and evt.dir=> and fd.type in (file, directory))
|
|
|
|
- macro: open_write
|
|
condition: >
|
|
(evt.type=open or evt.type=openat) and
|
|
fd.typechar='f' and
|
|
(evt.arg.flags contains O_WRONLY or
|
|
evt.arg.flags contains O_RDWR or
|
|
evt.arg.flags contains O_CREAT or
|
|
evt.arg.flags contains O_TRUNC)
|
|
- macro: open_read
|
|
condition: >
|
|
(evt.type=open or evt.type=openat) and
|
|
fd.typechar='f' and
|
|
(evt.arg.flags contains O_RDONLY or
|
|
evt.arg.flags contains O_RDWR)
|
|
|
|
- macro: rename
|
|
condition: syscall.type = rename
|
|
- macro: mkdir
|
|
condition: syscall.type = mkdir
|
|
- macro: remove
|
|
condition: syscall.type in (remove, rmdir, unlink, unlink_at)
|
|
|
|
- macro: modify
|
|
condition: rename or remove
|
|
|
|
- macro: spawn_process
|
|
condition: syscall.type = execve and evt.dir=<
|
|
|
|
# File categories
|
|
- macro: terminal_file_fd
|
|
condition: fd.name=/dev/ptmx or fd.directory=/dev/pts
|
|
- macro: bin_dir
|
|
condition: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)
|
|
|
|
- macro: bin_dir_mkdir
|
|
condition: evt.arg[0] contains /bin/ or evt.arg[0] contains /sbin/ or evt.arg[0] contains /usr/bin/ or evt.arg[0] contains /usr/sbin/
|
|
- macro: bin_dir_rename
|
|
condition: evt.arg[1] contains /bin/ or evt.arg[1] contains /sbin/ or evt.arg[1] contains /usr/bin/ or evt.arg[1] contains /usr/sbin/
|
|
|
|
- macro: etc_dir
|
|
condition: fd.directory contains /etc
|
|
|
|
- macro: ubuntu_so_dirs
|
|
condition: fd.directory contains /lib/x86_64-linux-gnu or fd.directory contains /usr/lib/x86_64-linux-gnu or fd.directory contains /usr/lib/sudo
|
|
- macro: centos_so_dirs
|
|
condition: fd.directory contains /lib64 or fd.directory contains /user/lib64 or fd.directory contains /usr/libexec
|
|
- macro: linux_so_dirs
|
|
condition: ubuntu_so_dirs or centos_so_dirs or fd.name=/etc/ld.so.cache
|
|
|
|
- macro: coreutils_binaries
|
|
condition: >
|
|
proc.name in (truncate, sha1sum, numfmt, fmt, fold, uniq, cut, who,
|
|
groups, csplit, sort, expand, printf, printenv, unlink, tee, chcon, stat,
|
|
basename, split, nice, yes, whoami, sha224sum, hostid, users, stdbuf,
|
|
base64, unexpand, cksum, od, paste, nproc, pathchk, sha256sum, wc, test,
|
|
comm, arch, du, factor, sha512sum, md5sum, tr, runcon, env, dirname,
|
|
tsort, join, shuf, install, logname, pinky, nohup, expr, pr, tty, timeout,
|
|
tail, [, seq, sha384sum, nl, head, id, mkfifo, sum, dircolors, ptx, shred,
|
|
tac, link, chroot, vdir, chown, touch, ls, dd, uname, true, pwd, date,
|
|
chgrp, chmod, mktemp, cat, mknod, sync, ln, false, rm, mv, cp, echo,
|
|
readlink, sleep, stty, mkdir, df, dir, rmdir, touch)
|
|
- macro: adduser_binaries
|
|
condition: proc.name in (adduser, deluser, addgroup, delgroup)
|
|
- macro: login_binaries
|
|
condition: proc.name in (bin, login, su, sbin, nologin, bin, faillog, lastlog, newgrp, sg)
|
|
|
|
# dpkg -L passwd | grep bin | xargs -L 1 basename | tr "\\n" ","
|
|
- macro: passwd_binaries
|
|
condition: >
|
|
proc.name in (sbin, shadowconfig, sbin, grpck, pwunconv, grpconv, pwck,
|
|
groupmod, vipw, pwconv, useradd, newusers, cppw, chpasswd, usermod,
|
|
groupadd, groupdel, grpunconv, chgpasswd, userdel, bin, chage, chsh,
|
|
gpasswd, chfn, expiry, passwd, vigr, cpgr)
|
|
|
|
# repoquery -l shadow-utils | grep bin | xargs -L 1 basename | tr "\\n" ","
|
|
- macro: shadowutils_binaries
|
|
condition: >
|
|
proc.name in (chage, gpasswd, lastlog, newgrp, sg, adduser, chpasswd,
|
|
groupadd, groupdel, groupmems, groupmod, grpck, grpconv, grpunconv,
|
|
newusers, pwck, pwconv, pwunconv, useradd, userdel, usermod, vigr, vipw)
|
|
|
|
- macro: docker_binaries
|
|
condition: proc.name in (docker, exe)
|
|
|
|
- macro: http_server_binaries
|
|
condition: proc.name in (nginx, httpd, httpd-foregroun, lighttpd)
|
|
|
|
- macro: db_server_binaries
|
|
condition: proc.name in (mysqld)
|
|
|
|
- macro: server_binaries
|
|
condition: http_server_binaries or db_server_binaries or docker_binaries or proc.name in (sshd)
|
|
|
|
- macro: package_mgmt_binaries
|
|
condition: proc.name in (dpkg, rpm)
|
|
|
|
# A canonical set of processes that run other programs with different
|
|
# privileges or as a different user.
|
|
- macro: userexec_binaries
|
|
condition: proc.name in (sudo, su)
|
|
|
|
- macro: system_binaries
|
|
condition: coreutils_binaries or adduser_binaries or login_binaries or passwd_binaries or shadowutils_binaries
|
|
|
|
- macro: mail_binaries
|
|
condition: proc.name in (sendmail, postfix, procmail)
|
|
|
|
- macro: sensitive_files
|
|
condition: fd.name contains /etc/shadow or fd.name = /etc/sudoers or fd.directory = /etc/sudoers.d or fd.directory = /etc/pam.d or fd.name = /etc/pam.conf
|
|
|
|
# Indicates that the process is new. Currently detected using time
|
|
# since process was started, using a threshold of 5 seconds.
|
|
- macro: proc_is_new
|
|
condition: proc.duration <= 5000000000
|
|
|
|
# Network
|
|
- macro: inbound
|
|
condition: (syscall.type=listen and evt.dir=>) or (syscall.type=accept and evt.dir=<)
|
|
|
|
# Currently sendto is an ignored syscall, otherwise this could also check for (syscall.type=sendto and evt.dir=>)
|
|
- macro: outbound
|
|
condition: syscall.type=connect and evt.dir=< and (fd.typechar=4 or fd.typechar=6)
|
|
|
|
- macro: ssh_port
|
|
condition: fd.lport=22
|
|
|
|
# Ssh
|
|
- macro: ssh_error_message
|
|
condition: evt.arg.data contains "Invalid user" or evt.arg.data contains "preauth"
|
|
|
|
# System
|
|
- macro: modules
|
|
condition: syscall.type in (delete_module, init_module)
|
|
- macro: container
|
|
condition: container.id != host
|
|
- macro: interactive
|
|
condition: (proc.aname=sshd and proc.name != sshd) or proc.name=systemd-logind
|
|
- macro: syslog
|
|
condition: fd.name = /dev/log
|
|
- macro: cron
|
|
condition: proc.name in (cron, crond)
|
|
- macro: parent_cron
|
|
condition: proc.pname in (cron, crond)
|
|
|
|
# System users that should never log into a system. Consider adding your own
|
|
# service users (e.g. 'apache' or 'mysqld') here.
|
|
- macro: system_users
|
|
condition: user.name in (bin, daemon, games, lp, mail, nobody, sshd, sync, uucp, www-data)
|
|
|
|
|
|
###############
|
|
# General Rules
|
|
###############
|
|
|
|
- rule: write_binary_dir
|
|
desc: an attempt to write to any file below a set of binary directories
|
|
condition: evt.dir = > and open_write and bin_dir
|
|
output: "File below a known binary directory opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)"
|
|
priority: WARNING
|
|
|
|
- rule: write_etc
|
|
desc: an attempt to write to any file below /etc
|
|
condition: evt.dir = > and open_write and etc_dir
|
|
output: "File below /etc opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)"
|
|
priority: WARNING
|
|
|
|
- rule: read_sensitive_file_untrusted
|
|
desc: an attempt to read any sensitive file (e.g. files containing user/password/authentication information). Exceptions are made for known trusted programs.
|
|
condition: open_read and not server_binaries and not userexec_binaries and not proc.name in (iptables, ps, systemd-logind, lsb_release, check-new-relea, dumpe2fs, accounts-daemon, bash) and not cron and sensitive_files
|
|
output: "Sensitive file opened for reading by non-trusted program (user=%user.name command=%proc.cmdline file=%fd.name)"
|
|
priority: WARNING
|
|
|
|
- rule: read_sensitive_file_trusted_after_startup
|
|
desc: an attempt to read any sensitive file (e.g. files containing user/password/authentication information) by a trusted program after startup. Trusted programs might read these files at startup to load initial state, but not afterwards.
|
|
condition: open_read and server_binaries and not proc_is_new and sensitive_files
|
|
output: "Sensitive file opened for reading by trusted program after startup (user=%user.name command=%proc.cmdline file=%fd.name)"
|
|
priority: WARNING
|
|
|
|
- rule: db_program_spawn_process
|
|
desc: a database-server related program spawning a new process after startup. This shouldn\'t occur and is a follow on from some SQL injection attacks.
|
|
condition: db_server_binaries and not proc_is_new and spawn_process
|
|
output: "Database-related program spawned new process after startup (user=%user.name command=%proc.cmdline)"
|
|
priority: WARNING
|
|
|
|
- rule: modify_binary_dirs
|
|
desc: an attempt to modify any file below a set of binary directories.
|
|
condition: modify and bin_dir_rename and not package_mgmt_binaries
|
|
output: "File below known binary directory renamed/removed (user=%user.name command=%proc.cmdline operation=%evt.type file=%fd.name %evt.args)"
|
|
priority: WARNING
|
|
|
|
- rule: mkdir_binary_dirs
|
|
desc: an attempt to create a directory below a set of binary directories.
|
|
condition: mkdir and bin_dir_mkdir and not package_mgmt_binaries
|
|
output: "Directory below known binary directory created (user=%user.name command=%proc.cmdline directory=%evt.arg.path)"
|
|
priority: WARNING
|
|
|
|
# Don't load shared objects coming from unexpected places
|
|
# Commenting this out for now--there are lots of shared library
|
|
# locations below /usr/lib for things like python, perl, etc. We may
|
|
# want to just add /usr/lib to the list, but that is really
|
|
# permissive.
|
|
# - condition: open_read and fd.name contains .so and not (linux_so_dirs)
|
|
# output: "Loaded .so from unexpected dir (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
|
|
# priority: WARNING
|
|
|
|
- rule: syscall_returns_eaccess
|
|
desc: any system call that returns EACCESS. This is not always a strong indication of a problem, hence the INFO priority.
|
|
condition: evt.res = EACCESS
|
|
output: "System call returned EACCESS (user=%user.name command=%proc.cmdline syscall=%evt.type args=%evt.args)"
|
|
priority: INFO
|
|
|
|
- rule: change_thread_namespace
|
|
desc: an attempt to change a program/thread\'s namespace (commonly done as a part of creating a container) by calling setns.
|
|
condition: syscall.type = setns and not proc.name in (docker, sysdig, dragent)
|
|
output: "Namespace change (setns) by unexpected program (user=%user.name command=%proc.cmdline container=%container.id)"
|
|
priority: WARNING
|
|
|
|
- rule: run_shell_untrusted
|
|
desc: an attempt to spawn a shell by a non-shell program. Exceptions are made for trusted binaries.
|
|
condition: proc.name = bash and evt.dir=< and evt.type=execve and proc.pname exists and not parent_cron and not proc.pname in (bash, sshd, sudo, docker, su, tmux, screen, emacs, systemd, flock, fs-bash, nginx, monit, supervisord)
|
|
output: "Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)"
|
|
priority: WARNING
|
|
|
|
# Anything run interactively by root
|
|
# - condition: evt.type != switch and user.name = root and proc.name != sshd and interactive
|
|
# output: "Interactive root (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
|
|
# priority: WARNING
|
|
|
|
- rule: system_user_interactive
|
|
desc: an attempt to run interactive commands by a system (i.e. non-login) user
|
|
condition: spawn_process and system_users and interactive
|
|
output: "System user ran an interactive command (user=%user.name command=%proc.cmdline)"
|
|
priority: WARNING
|
|
|
|
- rule: run_shell_in_container
|
|
desc: an attempt to spawn a shell by a non-shell program in a container. Container entrypoints are excluded.
|
|
condition: container and proc.name = bash and evt.dir=< and evt.type=execve and proc.pname exists and not proc.pname in (bash, docker)
|
|
output: "Shell spawned in a container other than entrypoint (user=%user.name container_id=%container.id container_name=%container.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)"
|
|
priority: WARNING
|
|
|
|
# sockfamily ip is to exclude certain processes (like 'groups') that communicate on unix-domain sockets
|
|
- rule: system_binaries_network_activity
|
|
desc: any network activity performed by system binaries that are not expected to send or receive any network traffic
|
|
condition: (inbound or outbound) and (fd.sockfamily = ip and system_binaries)
|
|
output: "Known system binary sent/received network traffic (user=%user.name command=%proc.cmdline connection=%fd.name)"
|
|
priority: WARNING
|
|
|
|
- rule: ssh_error_syslog
|
|
desc: any ssh errors (failed logins, disconnects, ...) sent to syslog
|
|
condition: syslog and ssh_error_message and evt.dir = <
|
|
output: "sshd sent error message to syslog (error=%evt.buffer)"
|
|
priority: WARNING
|
|
|
|
- rule: non_sudo_setuid
|
|
desc: an attempt to change users by calling setuid. sudo/su are excluded. user "root" is also excluded, as setuid calls typically involve dropping privileges.
|
|
condition: evt.type=setuid and evt.dir=> and not user.name=root and not userexec_binaries
|
|
output: "Unexpected setuid call by non-sudo, non-root program (user=%user.name command=%proc.cmdline uid=%evt.arg.uid)"
|
|
priority: WARNING
|
|
|
|
- rule: user_mgmt_binaries
|
|
desc: activity by any programs that can manage users, passwords, or permissions. sudo and su are excluded. Activity in containers is also excluded--some containers create custom users on top of a base linux distribution at startup.
|
|
condition: spawn_process and not proc.name in (su, sudo) and not container and (adduser_binaries or login_binaries or passwd_binaries or shadowutils_binaries)
|
|
output: "User management binary command run outside of container (user=%user.name command=%proc.cmdline)"
|
|
priority: WARNING
|
|
|
|
# (we may need to add additional checks against false positives, see: https://bugs.launchpad.net/ubuntu/+source/rkhunter/+bug/86153)
|
|
- rule: create_files_below_dev
|
|
desc: creating any files below /dev other than known programs that manage devices. Some rootkits hide files in /dev.
|
|
condition: (evt.type = creat or evt.arg.flags contains O_CREAT) and proc.name != blkid and fd.directory = /dev and fd.name != /dev/null
|
|
output: "File created below /dev by untrusted program (user=%user.name command=%proc.cmdline file=%fd.name)"
|
|
priority: WARNING
|
|
|
|
# fs-bash is a restricted version of bash suitable for use in curl <curl> | sh installers.
|
|
- rule: installer_bash_starts_network_server
|
|
desc: an attempt by any program that is a child of fs-bash to start listening for network connections
|
|
condition: evt.type=listen and proc.aname=fs-bash
|
|
output: "Unexpected listen call by a child process of fs-bash (command=%proc.cmdline)"
|
|
priority: WARNING
|
|
|
|
- rule: installer_bash_starts_session
|
|
desc: an attempt by any program that is a child of fs-bash to start a new session (process group)
|
|
condition: evt.type=setsid and proc.aname=fs-bash
|
|
output: "Unexpected setsid call by a child process of fs-bash (command=%proc.cmdline)"
|
|
priority: WARNING
|
|
|
|
###########################
|
|
# Application-Related Rules
|
|
###########################
|
|
|
|
################################################################
|
|
# By default all application-related rules are disabled for
|
|
# performance reasons. Depending on the application(s) you use,
|
|
# uncomment the corresponding rule definitions for
|
|
# application-specific activity monitoring.
|
|
################################################################
|
|
|
|
# Elasticsearch ports
|
|
- macro: elasticsearch_cluster_port
|
|
condition: fd.sport=9300
|
|
- macro: elasticsearch_api_port
|
|
condition: fd.sport=9200
|
|
- macro: elasticsearch_port
|
|
condition: elasticsearch_cluster_port or elasticsearch_api_port
|
|
|
|
# - rule: elasticsearch_unexpected_network_inbound
|
|
# desc: inbound network traffic to elasticsearch on a port other than the standard ports
|
|
# condition: user.name = elasticsearch and inbound and not elasticsearch_port
|
|
# output: "Inbound network traffic to Elasticsearch on unexpected port (connection=%fd.name)"
|
|
# priority: WARNING
|
|
|
|
# - rule: elasticsearch_unexpected_network_outbound
|
|
# desc: outbound network traffic from elasticsearch on a port other than the standard ports
|
|
# condition: user.name = elasticsearch and outbound and not elasticsearch_cluster_port
|
|
# output: "Outbound network traffic from Elasticsearch on unexpected port (connection=%fd.name)"
|
|
# priority: WARNING
|
|
|
|
|
|
# ActiveMQ ports
|
|
- macro: activemq_cluster_port
|
|
condition: fd.sport=61616
|
|
- macro: activemq_web_port
|
|
condition: fd.sport=8161
|
|
- macro: activemq_port
|
|
condition: activemq_web_port or activemq_cluster_port
|
|
|
|
# - rule: activemq_unexpected_network_inbound
|
|
# desc: inbound network traffic to activemq on a port other than the standard ports
|
|
# condition: user.name = activemq and inbound and not activemq_port
|
|
# output: "Inbound network traffic to ActiveMQ on unexpected port (connection=%fd.name)"
|
|
# priority: WARNING
|
|
|
|
# - rule: activemq_unexpected_network_outbound
|
|
# desc: outbound network traffic from activemq on a port other than the standard ports
|
|
# condition: user.name = activemq and outbound and not activemq_cluster_port
|
|
# output: "Outbound network traffic from ActiveMQ on unexpected port (connection=%fd.name)"
|
|
# priority: WARNING
|
|
|
|
|
|
# Cassandra ports
|
|
# https://docs.datastax.com/en/cassandra/2.0/cassandra/security/secureFireWall_r.html
|
|
- macro: cassandra_thrift_client_port
|
|
condition: fd.sport=9160
|
|
- macro: cassandra_cql_port
|
|
condition: fd.sport=9042
|
|
- macro: cassandra_cluster_port
|
|
condition: fd.sport=7000
|
|
- macro: cassandra_ssl_cluster_port
|
|
condition: fd.sport=7001
|
|
- macro: cassandra_jmx_port
|
|
condition: fd.sport=7199
|
|
- macro: cassandra_port
|
|
condition: cassandra_thrift_client_port or cassandra_cql_port or cassandra_cluster_port or cassandra_ssl_cluster_port or cassandra_jmx_port
|
|
|
|
# - rule: cassandra_unexpected_network_inbound
|
|
# desc: inbound network traffic to cassandra on a port other than the standard ports
|
|
# condition: user.name = cassandra and inbound and not cassandra_port
|
|
# output: "Inbound network traffic to Cassandra on unexpected port (connection=%fd.name)"
|
|
# priority: WARNING
|
|
|
|
# - rule: cassandra_unexpected_network_outbound
|
|
# desc: outbound network traffic from cassandra on a port other than the standard ports
|
|
# condition: user.name = cassandra and outbound and not (cassandra_ssl_cluster_port or cassandra_cluster_port)
|
|
# output: "Outbound network traffic from Cassandra on unexpected port (connection=%fd.name)"
|
|
# priority: WARNING
|
|
|
|
# Couchdb ports
|
|
# https://github.com/davisp/couchdb/blob/master/etc/couchdb/local.ini
|
|
- macro: couchdb_httpd_port
|
|
condition: fd.sport=5984
|
|
- macro: couchdb_httpd_ssl_port
|
|
condition: fd.sport=6984
|
|
# xxx can't tell what clustering ports are used. not writing rules for this
|
|
# yet.
|
|
|
|
# Fluentd ports
|
|
- macro: fluentd_http_port
|
|
condition: fd.sport=9880
|
|
- macro: fluentd_forward_port
|
|
condition: fd.sport=24224
|
|
|
|
# - rule: fluentd_unexpected_network_inbound
|
|
# desc: inbound network traffic to fluentd on a port other than the standard ports
|
|
# condition: user.name = td-agent and inbound and not (fluentd_forward_port or fluentd_http_port)
|
|
# output: "Inbound network traffic to Fluentd on unexpected port (connection=%fd.name)"
|
|
# priority: WARNING
|
|
|
|
# - rule: tdagent_unexpected_network_outbound
|
|
# desc: outbound network traffic from fluentd on a port other than the standard ports
|
|
# condition: user.name = td-agent and outbound and not fluentd_forward_port
|
|
# output: "Outbound network traffic from Fluentd on unexpected port (connection=%fd.name)"
|
|
# priority: WARNING
|
|
|
|
# Gearman ports
|
|
# http://gearman.org/protocol/
|
|
# - rule: gearman_unexpected_network_outbound
|
|
# desc: outbound network traffic from gearman on a port other than the standard ports
|
|
# condition: user.name = gearman and outbound and outbound and not fd.sport = 4730
|
|
# output: "Outbound network traffic from Gearman on unexpected port (connection=%fd.name)"
|
|
# priority: WARNING
|
|
|
|
# Zookeeper
|
|
- macro: zookeeper_port
|
|
condition: fd.sport = 2181
|
|
|
|
# Kafka ports
|
|
# - rule: kafka_unexpected_network_inbound
|
|
# desc: inbound network traffic to kafka on a port other than the standard ports
|
|
# condition: user.name = kafka and inbound and fd.sport != 9092
|
|
# output: "Inbound network traffic to Kafka on unexpected port (connection=%fd.name)"
|
|
# priority: WARNING
|
|
|
|
# Memcached ports
|
|
# - rule: memcached_unexpected_network_inbound
|
|
# desc: inbound network traffic to memcached on a port other than the standard ports
|
|
# condition: user.name = memcached and inbound and fd.sport != 11211
|
|
# output: "Inbound network traffic to Memcached on unexpected port (connection=%fd.name)"
|
|
# priority: WARNING
|
|
|
|
# - rule: memcached_network_outbound
|
|
# desc: any outbound network traffic from memcached. memcached never initiates outbound connections.
|
|
# condition: user.name = memcached and outbound
|
|
# output: "Unexpected Memcached outbound connection (connection=%fd.name)"
|
|
# priority: WARNING
|
|
|
|
|
|
# MongoDB ports
|
|
- macro: mongodb_server_port
|
|
condition: fd.sport = 27017
|
|
- macro: mongodb_shardserver_port
|
|
condition: fd.sport = 27018
|
|
- macro: mongodb_configserver_port
|
|
condition: fd.sport = 27019
|
|
- macro: mongodb_webserver_port
|
|
condition: fd.sport = 28017
|
|
|
|
# - rule: mongodb_unexpected_network_inbound
|
|
# desc: inbound network traffic to mongodb on a port other than the standard ports
|
|
# condition: user.name = mongodb and inbound and not (mongodb_server_port or mongodb_shardserver_port or mongodb_configserver_port or mongodb_webserver_port)
|
|
# output: "Inbound network traffic to MongoDB on unexpected port (connection=%fd.name)"
|
|
# priority: WARNING
|
|
|
|
# MySQL ports
|
|
# - rule: mysql_unexpected_network_inbound
|
|
# desc: inbound network traffic to mysql on a port other than the standard ports
|
|
# condition: user.name = mysql and inbound and fd.sport != 3306
|
|
# output: "Inbound network traffic to MySQL on unexpected port (connection=%fd.name)"
|
|
# priority: WARNING
|
|
|
|
# - rule: http_server_unexpected_network_inbound
|
|
# desc: inbound network traffic to a http server program on a port other than the standard ports
|
|
# condition: http_server_binaries and inbound and fd.sport != 80 and fd.sport != 443
|
|
# output: "Inbound network traffic to HTTP Server on unexpected port (connection=%fd.name)"
|
|
# priority: WARNING
|