
feature: add signature name to event definition #3743

Conversation

josedonizetti
Collaborator

@josedonizetti josedonizetti commented Dec 6, 2023

Closes #3741

go.mod: review thread (outdated, resolved)
@josedonizetti josedonizetti force-pushed the add-signature-name-event-definition branch from 3313d6f to 1eb3496 on December 6, 2023 19:07
@josedonizetti
Collaborator Author

@denisgersh Below is an example of the threat on the event when streaming, and one in the event definition:

Event:

```json
{"timestamp":{"seconds":1702039071373397805},"id":6018,"name":"anti_debugging","policies":{"matched":["test"]},"context":{"process":{"entity_id":{"value":1760601237},"pid":{"value":3450284},"namespaced_pid":{"value":3450284},"real_user":{"id":{"value":1000}},"thread":{"start":{"seconds":1702039071373301549},"name":"strace","entity_id":{"value":1760601237},"tid":{"value":3450284},"namespaced_tid":{"value":3450284},"syscall":"ptrace"},"parent":{"entity_id":{"value":1531890111},"pid":{"value":3450282},"namespaced_pid":{"value":3450282}}}},"event_data":{"triggeredBy":{"Value":{"TriggeredBy":{"id":101,"name":"ptrace","data":{"args":{"Value":{"Args":{"value":[{"Value":{"Str":{"value":"PTRACE_TRACEME"}}},{"Value":{"Int32":{}}},{"Value":{"Str":{"value":"0x0"}}},{"Value":{"Str":{"value":"0x0"}}}]}}},"returnValue":{"Value":{"Int64":{}}}}}}}},"threat":{"description":"A process used anti-debugging techniques to block a debugger. Malware use anti-debugging to stay invisible and inhibit analysis of their behavior.","mitre":{"tactic":{"name":"defense-evasion"},"technique":{"id":"T1622","name":"Debugger Evasion"}},"severity":1,"properties":{"Kubernetes_Technique":"","id":"attack-pattern--e4dc8c01-417f-458d-9ee0-bb0617c1b391","signatureID":"TRC-102","signatureName":"Anti-Debugging detected","test1":"test1","test2":"2"}}}
```

EventDefinition:

```json
{"id":6018,"name":"anti_debugging","version":{"major":1,"patch":1},"description":"A process used anti-debugging techniques to block a debugger. Malware use anti-debugging to stay invisible and inhibit analysis of their behavior.","tags":["signatures","default"],"threat":{"description":"A process used anti-debugging techniques to block a debugger. Malware use anti-debugging to stay invisible and inhibit analysis of their behavior.","mitre":{"tactic":{"name":"defense-evasion"},"technique":{"id":"T1622","name":"Debugger Evasion"}},"severity":1,"properties":{"Kubernetes_Technique":"","id":"attack-pattern--e4dc8c01-417f-458d-9ee0-bb0617c1b391","signatureID":"TRC-102","signatureName":"Anti-Debugging detected","test1":"test1","test2":"2"}}}
```

@denisgersh

@josedonizetti,

> (quotes the Event and EventDefinition examples from the comment above)

I see here in the EventDefinition example that you posted that there is a duplication of the description field and its value.
I think there is no need to duplicate it. It just increases the size of the message.
I suggest leaving it only in the Threat section.

For the id field in properties I suggest renaming it to attackID, as you did with signatureID. WDYT?

BTW, what does the tags field contain? Policy names, hardcoded tags, or the actual tags from the signature?
Because as I see in tracee/types/detect/detect.go, the SignatureMetadata struct contains tags: https://github.com/josedonizetti/tracee/blob/f949b0fff6a72617cbb30c5233ce730d8de65db6/types/detect/detect.go#L39
Looks like it is currently hardcoded and not being filled with the signatures' tags: https://github.com/josedonizetti/tracee/blob/f949b0fff6a72617cbb30c5233ce730d8de65db6/pkg/cmd/initialize/sigs.go#L64


@denisgersh denisgersh left a comment


Left a few suggestions/requests.

pkg/cmd/initialize/sigs.go: review thread (resolved)
pkg/server/grpc/tracee.go: review thread (resolved)
pkg/server/grpc/tracee.go: review thread (resolved)
@josedonizetti josedonizetti force-pushed the add-signature-name-event-definition branch from 7e41175 to 35fcd10 on December 8, 2023 22:15
@josedonizetti josedonizetti force-pushed the add-signature-name-event-definition branch 2 times, most recently from 33c87b0 to bb22872 on December 18, 2023 23:37
@josedonizetti
Collaborator Author

@NDStrahilevitz @denisgersh can you review? And if you agree, I need an approval on #3742 so I can merge it and rebase this one. Thanks

Collaborator

@NDStrahilevitz NDStrahilevitz left a comment


LGTM

@NDStrahilevitz
Collaborator

I'm approving types for merging, since I think we're fine on that front, anything missing implementation wise would be here.

@josedonizetti josedonizetti force-pushed the add-signature-name-event-definition branch from bb22872 to b2992a5 on December 19, 2023 13:13
@josedonizetti josedonizetti marked this pull request as ready for review on December 19, 2023 13:13
@NDStrahilevitz
Collaborator

@josedonizetti rebase and we can merge

@josedonizetti josedonizetti force-pushed the add-signature-name-event-definition branch 2 times, most recently from 8e1a3c8 to c4a7cd1 on December 19, 2023 17:22
@@ -44,6 +45,8 @@ func CreateEventsFromSignatures(startId events.ID, sigs []detect.Signature) map[
evtDependency = append(evtDependency, eventDefID)
}

tags := set.New[string](append([]string{"signatures", "default"}, m.Tags...)...)
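Review bot: the hunk does not show how `tags` is turned back into the definition's `tags` list; if the `set` type iterates in map order, the serialized tag order will vary between runs, so sort when converting to a slice if definitions are ever compared or diffed. The `append([]string{"signatures", "default"}, m.Tags...)...` form is correct as written: Go does not accept fixed arguments mixed with an `xs...` spread in one variadic call, and `append` with a nil `m.Tags` is safe.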
Collaborator


nit: pretty sure you can do `set.New[string]("signatures", "default", m.Tags...)`

Collaborator Author


I'll try again, but it complained about arguments string,string,[]string

Collaborator


You're right, just checked myself. Odd that Go wouldn't support it, it's rather intuitive...
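As an added example (not tracee's code), this shows the two things discussed in this PR: filling the definition's tags from the fixed "signatures"/"default" tags plus the signature's own tags, and copying the signature ID and name into the threat properties, as in the JSON samples above. The struct shapes are constructed stand-ins, and the deduplicated tag list is sorted so the output is stable.

```go
package main

import (
	"fmt"
	"sort"
)

// Constructed stand-ins for the page's types, not tracee's real
// detect.SignatureMetadata or its proto EventDefinition.
type SignatureMetadata struct {
	ID, Name, Description string
	Tags                  []string
	Properties            map[string]interface{}
}
type Threat struct {
	Description string
	Properties  map[string]string
}
type EventDefinition struct {
	ID     int
	Name   string
	Tags   []string
	Threat Threat
}

// mergeTags unions fixed and signature tags, deduplicates and sorts for a stable
// definition; Go rejects mixing fixed args with m.Tags... in one variadic call, hence append.
func mergeTags(sigTags []string) []string {
	seen := map[string]struct{}{}
	for _, t := range append([]string{"signatures", "default"}, sigTags...) {
		seen[t] = struct{}{}
	}
	out := make([]string, 0, len(seen))
	for t := range seen {
		out = append(out, t)
	}
	sort.Strings(out)
	return out
}

// createEventFromSignature copies the signature ID and name into the threat
// properties under the keys used in the JSON samples above.
func createEventFromSignature(id int, evtName string, m SignatureMetadata) EventDefinition {
	props := map[string]string{"signatureID": m.ID, "signatureName": m.Name}
	for k, v := range m.Properties {
		props[k] = fmt.Sprint(v) // string map, as in the sample
	}
	return EventDefinition{ID: id, Name: evtName, Tags: mergeTags(m.Tags),
		Threat: Threat{Description: m.Description, Properties: props}}
}
```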

@josedonizetti josedonizetti merged commit 56212a8 into aquasecurity:main Dec 21, 2023
30 checks passed
@josedonizetti josedonizetti deleted the add-signature-name-event-definition branch December 21, 2023 16:43
Successfully merging this pull request may close these issues.

Add labels map to event definition proto