Rules changes 2019 04.v6 #580

Merged
merged 2 commits into from
Apr 12, 2019
37 changes: 20 additions & 17 deletions rules/falco_rules.yaml
@@ -357,43 +357,46 @@
condition: (never_true)

# Note that this can be either individual IPs or netmasks
- list: allowed_destination_ipaddrs
- list: allowed_outbound_destination_ipaddrs
items: ['"127.0.0.1"', '"8.8.8.8"']

- list: allowed_destination_networks
- list: allowed_outbound_destination_networks
items: ['"127.0.0.1/8"']

- list: allowed_destination_domains
- list: allowed_outbound_destination_domains
items: [google.com, www.yahoo.com]

- rule: Unexpected outbound connection destination
desc: Detect any outbound connection to a destination outside of an allowed set of ips, networks, or domain names
condition: >
consider_all_outbound_conns and outbound and not
((fd.sip in (allowed_destination_ipaddrs)) or
(fd.snet in (allowed_destination_networks)) or
(fd.sip.name in (allowed_destination_domains)))
((fd.sip in (allowed_outbound_destination_ipaddrs)) or
(fd.snet in (allowed_outbound_destination_networks)) or
(fd.sip.name in (allowed_outbound_destination_domains)))
output: Disallowed outbound connection destination (command=%proc.cmdline connection=%fd.name user=%user.name)
priority: NOTICE
tags: [network]

- list: allowed_source_ipaddrs
- macro: consider_all_inbound_conns
condition: (never_true)

- list: allowed_inbound_source_ipaddrs
items: ['"127.0.0.1"']

- list: allowed_source_networks
- list: allowed_inbound_source_networks
items: ['"127.0.0.1/8"', '"10.0.0.0/8"']

- list: allowed_source_domains
- list: allowed_inbound_source_domains
items: [google.com]

- rule: Unexpected outbound connection source
desc: Detect any outbound connection from a source outside of an allowed set of ips, networks, or domain names
- rule: Unexpected inbound connection source
desc: Detect any inbound connection from a source outside of an allowed set of ips, networks, or domain names
condition: >
consider_all_outbound_conns and outbound and not
((fd.cip in (allowed_source_ipaddrs)) or
(fd.cnet in (allowed_source_networks)) or
(fd.cip.name in (allowed_source_domains)))
output: Disallowed outbound connection source (command=%proc.cmdline connection=%fd.name user=%user.name)
consider_all_inbound_conns and inbound and not
((fd.cip in (allowed_inbound_source_ipaddrs)) or
(fd.cnet in (allowed_inbound_source_networks)) or
(fd.cip.name in (allowed_inbound_source_domains)))
output: Disallowed inbound connection source (command=%proc.cmdline connection=%fd.name user=%user.name)
priority: NOTICE
tags: [network]

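Review bot: the renames in this hunk (allowed_destination_* to allowed_outbound_destination_*, allowed_source_* to allowed_inbound_source_*, and the rule "Unexpected outbound connection source" to "Unexpected inbound connection source") silently break anyone who overrides those names in a local rules file: an override of `allowed_destination_ipaddrs` now defines an orphan list that no rule references, so the rules fall back to the defaults shown here without any error. Please record the renames in the changelog and consider keeping the old list names defined (even as empty lists) and nesting them in the new ones, e.g. `items: ['"127.0.0.1"', '"8.8.8.8"', allowed_destination_ipaddrs]`, since Falco lists can contain other lists; that keeps existing `append: true` overrides working for a deprecation period. The inbound fix itself is correct: the old condition gated on `consider_all_outbound_conns and outbound` while matching fd.cip/fd.cnet/fd.cip.name, so it only ever inspected the client side of outbound connections and never evaluated an inbound one. One documentation point for both rules: their desc should state that the rule is inert until the `consider_all_outbound_conns` / `consider_all_inbound_conns` macro is overridden, since both default to `(never_true)`.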
@@ -2082,7 +2085,7 @@
tags: [network, k8s, container, mitre_port_knocking]

- list: network_tool_binaries
items: [nc, ncat, nmap, dig, netstat, tcpdump, tshark, ngrep]
items: [nc, ncat, nmap, dig, tcpdump, tshark, ngrep]

- macro: network_tool_procs
condition: proc.name in (network_tool_binaries)
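Review bot: the removal of `netstat` from network_tool_binaries is not explained anywhere in the hunk; since this list feeds the `network_tool_procs` macro directly below it, the commit message or changelog should state the reason (for example, noise from routine health checks and diagnostics that invoke it) so that later false-positive or missed-detection reports can be judged against the intended criterion. The remaining list still keeps `dig`, which is at least as common in benign tooling, so the exclusion criterion is worth writing down as a comment above the list rather than leaving it implicit.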