
Feature request: Rules that match sequences of events and support for rules that match the type of record returned by a DNS lookup #3029

Open
Speeddymon opened this issue Jan 23, 2024 · 1 comment
Comments

@Speeddymon

Motivation

I was reading https://www.bleepingcomputer.com/news/security/cracked-macos-apps-drain-wallets-using-scripts-fetched-from-dns-records/ just now and a thought occurred to me, as well as a few more while typing this out.

  1. Retrieving TXT records is an effective way for an attacker to get additional code, including simple scripts or full-fledged base64-encoded binaries that could be decoded, into an already compromised system of any kind (not just limited to macOS, but also Linux servers as well as containers running in Docker or Kubernetes) without arousing much suspicion, so I want to be able to detect when there are repeated DNS lookups for any record type other than A, MX, and NS records.
  2. Even without retrieving TXT records from DNS to download attack code, I don't want certain other types of DNS records, like AAAA records, being retrieved by my containers that only have an IPv4 stack available and so would never interact with IPv6 services, so I would want to detect when lookups of those records happen even once.

Feature

See above

Alternatives

Matching based on IP or name only; you have to know the domains ahead of time in order to add them to a rule that notifies based on a list of domains, or you have to know all of the domains you talk to in order to add them to a rule that notifies based on NOT matching a list of domains, and the event has to be triggered by something already. It's not possible to match based on just the DNS lookup itself happening.

Additional context

I want to treat DNS as if DNS can't be trusted. A quick Google search didn't reveal any promising results for how to implement DNSSEC in a container context as a client, so I honestly think this isn't something that could be fixed at the container level. So in my mind, that means that DNS in a container should not be trusted, period. Therefore, DNS lookups themselves need to generate an event in Falco that the rules can match. The default ruleset doesn't necessarily need to enable this new type of rule for all users right off the bat, which would allow time for testing and refinement over a few releases of anything implemented towards closing this issue.
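An added example, not part of this issue or of Falco's own code, of what a rule on the record type of a lookup would need to do: pull the QTYPE out of the question section of a DNS query and apply the two policies from the motivation above, repeated lookups of any type other than A, MX or NS from one source, and any AAAA lookup from a container assumed to be IPv4-only. The IPv4-only address, the repeat threshold and the sample queries are constructed for the example.

```python
import struct
from collections import Counter

# QTYPE codes from RFC 1035 (A, NS, MX, TXT) and RFC 3596 (AAAA)
QTYPES = {1: "A", 2: "NS", 15: "MX", 16: "TXT", 28: "AAAA"}
ALLOWED = {"A", "MX", "NS"}        # record types the issue treats as normal
REPEAT_THRESHOLD = 3               # assumed: lookups of any other type before alerting
IPV4_ONLY = {"10.0.0.5"}           # constructed: containers with no IPv6 stack


def parse_query(packet: bytes):
    """Return (qname, qtype name) from the first question of a DNS query packet."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount == 0:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:          # a compression pointer is not valid in a query's question name
            raise ValueError("unexpected label pointer")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype = struct.unpack("!H", packet[pos:pos + 2])[0]
    return ".".join(labels), QTYPES.get(qtype, f"TYPE{qtype}")


def build_query(name: str, qtype: int) -> bytes:
    """Build a minimal DNS query packet (used here only to construct sample input)."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)   # id, RD flag, QDCOUNT=1
    return header + qname + struct.pack("!HH", qtype, 1)          # QCLASS=IN


def evaluate(events):
    """events: iterable of (source_ip, query_packet). Returns the alerts raised, in order."""
    alerts, counts = [], Counter()
    for src, packet in events:
        qname, qtype = parse_query(packet)
        if qtype == "AAAA" and src in IPV4_ONLY:        # policy 2: alert on the first AAAA lookup
            alerts.append(f"aaaa_from_ipv4_only {src} {qname}")
        if qtype not in ALLOWED:                        # policy 1: repeated non-A/MX/NS lookups
            counts[(src, qtype)] += 1
            if counts[(src, qtype)] == REPEAT_THRESHOLD:
                alerts.append(f"repeated_{qtype.lower()}_lookups {src} count={REPEAT_THRESHOLD}")
    return alerts
```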

@Andreagit97 Andreagit97 added this to the TBD milestone Jan 30, 2024
@rashim27us

rashim27us commented Feb 23, 2024

@Andreagit97 @Speeddymon I would love to work on this feature. Please assign this feature to me.
