cleanup(rules): graduate 'Disallowed SSH Connection Non Standard Port…

…' to maturity_stable Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
falcosecurity · Sep 14, 2023 · 4e61a8c · 4e61a8c
1 parent 37005e8
commit 4e61a8c
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 24 deletions.
diff --git a/rules/falco-incubating_rules.yaml b/rules/falco-incubating_rules.yaml
@@ -1162,30 +1162,6 @@
   priority: NOTICE
   tags: [maturity_incubating, container, network, process, mitre_command_and_control, TA0011]
 
-- list: ssh_non_standard_ports
-  items: [80, 8080, 88, 443, 8443, 53, 4444]
-
-- macro: ssh_non_standard_ports_network
-  condition: (fd.sport in (ssh_non_standard_ports))
-
-- rule: Disallowed SSH Connection Non Standard Port
-  desc: > 
-    Detect any new outbound SSH connection from the host or container using a non-standard port. This rule holds the potential 
-    to detect a family of reverse shells that cause the victim machine to connect back out over SSH, with STDIN piped from 
-    the SSH connection to a shell's STDIN, and STDOUT of the shell piped back over SSH. Such an attack can be launched against 
-    any app that is vulnerable to command injection. The upstream rule only covers a limited selection of non-standard ports. 
-    We suggest adding more ports, potentially incorporating ranges based on your environment's knowledge and custom SSH port 
-    configurations. This rule can complement the "Redirect STDOUT/STDIN to Network Connection in Container" or 
-    "Disallowed SSH Connection" rule.
-  condition: > 
-    outbound 
-    and proc.exe endswith ssh 
-    and fd.l4proto=tcp 
-    and ssh_non_standard_ports_network
-  output: Disallowed SSH Connection (connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info)
-  priority: NOTICE
-  tags: [maturity_incubating, host, container, network, process, mitre_execution, T1059]
-
 - list: docker_binaries
   items: [docker, dockerd, containerd-shim, "runc:[1:CHILD]", pause, exe, docker-compose, docker-entrypoi, docker-runc-cur, docker-current, dockerd-current]
 

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
@@ -1186,3 +1186,40 @@
   output: Executing binary not part of base image (proc_exe=%proc.exe proc_sname=%proc.sname gparent=%proc.aname[2] proc_exe_ino_ctime=%proc.exe_ino.ctime proc_exe_ino_mtime=%proc.exe_ino.mtime proc_exe_ino_ctime_duration_proc_start=%proc.exe_ino.ctime_duration_proc_start proc_cwd=%proc.cwd container_start_ts=%container.start_ts evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info)
   priority: CRITICAL
   tags: [maturity_stable, container, process, mitre_persistence, TA0003, PCI_DSS_11.5.1]
+
+# RFC1918 addresses were assigned for private network usage
+- list: rfc_1918_addresses
+  items: ['"10.0.0.0/8"', '"172.16.0.0/12"', '"192.168.0.0/16"']
+
+- macro: outbound
+  condition: >
+    (((evt.type = connect and evt.dir=<) or
+      (evt.type in (sendto,sendmsg) and evt.dir=< and
+       fd.l4proto != tcp and fd.connected=false and fd.name_changed=true)) and
+     (fd.typechar = 4 or fd.typechar = 6) and
+     (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8" and not fd.snet in (rfc_1918_addresses)) and
+     (evt.rawres >= 0 or evt.res = EINPROGRESS))
+
+- list: ssh_non_standard_ports
+  items: [80, 8080, 88, 443, 8443, 53, 4444]
+
+- macro: ssh_non_standard_ports_network
+  condition: (fd.sport in (ssh_non_standard_ports))
+
+- rule: Disallowed SSH Connection Non Standard Port
+  desc: > 
+    Detect any new outbound SSH connection from the host or container using a non-standard port. This rule holds the potential 
+    to detect a family of reverse shells that cause the victim machine to connect back out over SSH, with STDIN piped from 
+    the SSH connection to a shell's STDIN, and STDOUT of the shell piped back over SSH. Such an attack can be launched against 
+    any app that is vulnerable to command injection. The upstream rule only covers a limited selection of non-standard ports. 
+    We suggest adding more ports, potentially incorporating ranges based on your environment's knowledge and custom SSH port 
+    configurations. This rule can complement the "Redirect STDOUT/STDIN to Network Connection in Container" or 
+    "Disallowed SSH Connection" rule.
+  condition: > 
+    outbound 
+    and proc.exe endswith ssh 
+    and fd.l4proto=tcp 
+    and ssh_non_standard_ports_network
+  output: Disallowed SSH Connection (connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info)
+  priority: NOTICE
+  tags: [maturity_stable, host, container, network, process, mitre_execution, T1059]