new(rules): add 'Disallowed SSH Connection Non Standard Port'

Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
falcosecurity · Sep 7, 2023 · 01537b7 · 01537b7
1 parent 5e9bafd
commit 01537b7
Showing 1 changed file with 24 additions and 0 deletions.
diff --git a/rules/falco-incubating_rules.yaml b/rules/falco-incubating_rules.yaml
@@ -1162,6 +1162,30 @@
   priority: NOTICE
   tags: [maturity_incubating, container, network, process, mitre_command_and_control, TA0011]
 
+- list: ssh_non_standard_ports
+  items: [80, 8080, 88, 443, 8443, 53, 4444]
+
+- macro: ssh_non_standard_ports_network
+  condition: (fd.sport in (ssh_non_standard_ports))
+
+- rule: Disallowed SSH Connection Non Standard Port
+  desc: > 
+    Detect any new outbound SSH connection from the host or container using a non-standard port. This rule holds the potential 
+    to detect a family of reverse shells that cause the victim machine to connect back out over SSH, with STDIN piped from 
+    the SSH connection to a shell's STDIN, and STDOUT of the shell piped back over SSH. Such an attack can be launched against 
+    any app that is vulnerable to command injection. The upstream rule only covers a limited selection of non-standard ports. 
+    We suggest adding more ports, potentially incorporating ranges based on your environment's knowledge and custom SSH port 
+    configurations. This rule can complement the "Redirect STDOUT/STDIN to Network Connection in Container" or 
+    "Disallowed SSH Connection" rule.
+  condition: > 
+    outbound 
+    and proc.exe endswith ssh 
+    and fd.l4proto=tcp 
+    and ssh_non_standard_ports_network
+  output: Disallowed SSH Connection (connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info)
+  priority: NOTICE
+  tags: [maturity_incubating, host, container, network, process, mitre_execution, T1059]
+
 - list: docker_binaries
   items: [docker, dockerd, containerd-shim, "runc:[1:CHILD]", pause, exe, docker-compose, docker-entrypoi, docker-runc-cur, docker-current, dockerd-current]