diff --git a/rules/falco-incubating_rules.yaml b/rules/falco-incubating_rules.yaml
index 9264bfac3..57595b3fa 100644
--- a/rules/falco-incubating_rules.yaml
+++ b/rules/falco-incubating_rules.yaml
@@ -1162,30 +1162,6 @@
 priority: NOTICE
 tags: [maturity_incubating, container, network, process, mitre_command_and_control, TA0011]
-- list: ssh_non_standard_ports
- items: [80, 8080, 88, 443, 8443, 53, 4444]
-
-- macro: ssh_non_standard_ports_network
- condition: (fd.sport in (ssh_non_standard_ports))
-
-- rule: Disallowed SSH Connection Non Standard Port
- desc: >
- Detect any new outbound SSH connection from the host or container using a non-standard port. This rule holds the potential
- to detect a family of reverse shells that cause the victim machine to connect back out over SSH, with STDIN piped from
- the SSH connection to a shell's STDIN, and STDOUT of the shell piped back over SSH. Such an attack can be launched against
- any app that is vulnerable to command injection. The upstream rule only covers a limited selection of non-standard ports.
- We suggest adding more ports, potentially incorporating ranges based on your environment's knowledge and custom SSH port
- configurations. This rule can complement the "Redirect STDOUT/STDIN to Network Connection in Container" or
- "Disallowed SSH Connection" rule.
- condition: >
- outbound
- and proc.exe endswith ssh
- and fd.l4proto=tcp
- and ssh_non_standard_ports_network
- output: Disallowed SSH Connection (connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info)
- priority: NOTICE
- tags: [maturity_incubating, host, container, network, process, mitre_execution, T1059]
-
 - list: docker_binaries
 items: [docker, dockerd, containerd-shim, "runc:[1:CHILD]", pause, exe, docker-compose, docker-entrypoi, docker-runc-cur, docker-current, dockerd-current]
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 17dac5484..9924427c6 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -1186,3 +1186,40 @@
 output: Executing binary not part of base image (proc_exe=%proc.exe proc_sname=%proc.sname gparent=%proc.aname[2] proc_exe_ino_ctime=%proc.exe_ino.ctime proc_exe_ino_mtime=%proc.exe_ino.mtime proc_exe_ino_ctime_duration_proc_start=%proc.exe_ino.ctime_duration_proc_start proc_cwd=%proc.cwd container_start_ts=%container.start_ts evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info)
 priority: CRITICAL
 tags: [maturity_stable, container, process, mitre_persistence, TA0003, PCI_DSS_11.5.1]
+
+# RFC1918 addresses were assigned for private network usage
+- list: rfc_1918_addresses
+ items: ['"10.0.0.0/8"', '"172.16.0.0/12"', '"192.168.0.0/16"']
+
+- macro: outbound
+ condition: >
+ (((evt.type = connect and evt.dir=<) or
+ (evt.type in (sendto,sendmsg) and evt.dir=< and
+ fd.l4proto != tcp and fd.connected=false and fd.name_changed=true)) and
+ (fd.typechar = 4 or fd.typechar = 6) and
+ (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8" and not fd.snet in (rfc_1918_addresses)) and
+ (evt.rawres >= 0 or evt.res = EINPROGRESS))
+
+- list: ssh_non_standard_ports
+ items: [80, 8080, 88, 443, 8443, 53, 4444]
+
+- macro: ssh_non_standard_ports_network
+ condition: (fd.sport in (ssh_non_standard_ports))
+
+- rule: Disallowed SSH Connection Non Standard Port
+ desc: >
+ Detect any new outbound SSH connection from the host or container using a non-standard port. This rule holds the potential
+ to detect a family of reverse shells that cause the victim machine to connect back out over SSH, with STDIN piped from
+ the SSH connection to a shell's STDIN, and STDOUT of the shell piped back over SSH. Such an attack can be launched against
+ any app that is vulnerable to command injection. The upstream rule only covers a limited selection of non-standard ports.
+ We suggest adding more ports, potentially incorporating ranges based on your environment's knowledge and custom SSH port
+ configurations. This rule can complement the "Redirect STDOUT/STDIN to Network Connection in Container" or
+ "Disallowed SSH Connection" rule.
+ condition: >
+ outbound
+ and proc.exe endswith ssh
+ and fd.l4proto=tcp
+ and ssh_non_standard_ports_network
+ output: Disallowed SSH Connection (connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info)
+ priority: NOTICE
+ tags: [maturity_stable, host, container, network, process, mitre_execution, T1059]
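Review bot: The output template of the promoted `Disallowed SSH Connection Non Standard Port` rule has `fd_proto=fd.l4proto` without the `%` prefix, so every alert will carry the literal text `fd.l4proto` instead of the protocol; it should read `fd_proto=%fd.l4proto`. The removed incubating copy had the same typo, and moving the rule to the stable file is the right moment to fix it rather than carry it over. Separately, the `outbound` macro added in this hunk excludes any destination in `rfc_1918_addresses`, so SSH sessions to private-range hosts on these ports never reach the rule; a sentence in `desc` such as `Connections to RFC1918 destinations are excluded by the outbound macro; override it if SSH to internal hosts should also be monitored.` would make that coverage boundary explicit to operators. This diff shows only the rule being removed from `falco-incubating_rules.yaml`; if that file still defines `outbound` and `rfc_1918_addresses`, loading both files will redefine them, which is worth confirming in the same change.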