Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix egrep rule and ncat rule #617

merged 2 commits into from Jun 5, 2019


None yet
4 participants
Copy link

commented May 23, 2019

fixed the grep binaries list that had egre instead of egrep
added the ncat command line arguments -c and -e that can be used to spawn remote shells

Launching this : ncat -l localhost 4443 -e "/bin/ls"

would not match anything when running: sudo sysdig " = \"ncat\" and (proc.args contains \"--sh-exec\" or proc.args contains \"--exec\")"

using sudo sysdig " = \"ncat\" and (proc.args contains \"--sh-exec\" or proc.args contains \"--exec\" or proc.args contains \"-e\")" fixes this

fix egrep rule and ncat rule
falco-CLA-1.0-signed-off-by: Dario Martins Silva <>

@fntlnz fntlnz self-requested a review May 24, 2019

@fntlnz fntlnz added the area/rules label May 29, 2019

@fntlnz fntlnz requested review from mstemm, Kaizhe and leodido May 29, 2019

Show resolved Hide resolved rules/falco_rules.yaml Outdated
add space after arguments, add --lua-exec
falco-CLA-1.0-signed-off-by: Dario Martins Silva <>

This comment has been minimized.

Copy link

commented Jun 5, 2019

The cause of the test failures was a recent sysdig change that I fixed with #646, and not due to the rules, so I'll go ahead and merge.

@mstemm mstemm merged commit 7a56f1c into falcosecurity:dev Jun 5, 2019

1 check failed

Travis CI - Pull Request Build Failed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.