mirror of
https://github.com/falcosecurity/falco.git
synced 2025-10-21 11:29:26 +00:00
* Add Rule for unexpected udp traffic New rule Unexpected UDP Traffic checks for udp traffic not on a list of expected ports. Currently blocked on https://github.com/draios/falco/issues/308. * Add sendto/recvfrom in inbound/outbound macros Expand the inbound/outbound macros to handle sendfrom/recvto events, so they can work on unconnected udp sockets. In order to avoid a flood of events, they also depend on fd.name_changed to only consider sendto/recvfrom when the connection tuple changes. Also make the check for protocol a positive check for udp instead of not tcp, to avoid a warning about event type filters potentially appearing before a negative condition. This makes filtering rules by event type easier. This depends on https://github.com/draios/sysdig/pull/1052. * Add additional restrictions for inbound/outbound - only look for fd.name_changed on unconnected sockets. - skip connections where both ips are 0.0.0.0 or localhost network. - only look for successful or non-blocking actions that are in progress * Add a combined inbound/outbound macro Add a combined inbound/outbound macro so you don't have to do all the other net/result related tests more than once. * Fix evt generator for new in/outbound restrictions The new rules skip localhost, so instead connect a udp socket to a non-local port. That still triggers the inbound/outbound macros. * Address FPs in regression tests In some cases, an app may make a udp connection to an address with a port of 0, or to an address with an application's port, before making a tcp connection that actually sends/receives traffic. Allow these connects. Also, check both the server and client port and only consider the traffic unexpected if neither port is in range.