changes according to line-length<130 and modifiers are removed
Signed-off-by: h4l0gen <[email protected]>
h4l0gen committed Jun 30, 2024
1 parent 1a5a515 commit 81a4b92
Showing 4 changed files with 1,172 additions and 1,959 deletions.
157 changes: 58 additions & 99 deletions rules/falco-deprecated_rules.yaml
Expand Up @@ -20,15 +20,13 @@
# The initial item in the `tags` fields reflects the maturity level of
# the rules introduced upon the proposal
# Proposal: Rules Adoption Management Maturity Framework
# URL: https://github.com/falcosecurity/rules/blob/main/
# proposals/20230605-rules-adoption-management-maturity-framework.md
# URL: https://github.com/falcosecurity/rules/blob/main/proposals/20230605-rules-adoption-management-maturity-framework.md
# `tags` fields also include information about the type of
# workload inspection (host and/or container), and Mitre Attack killchain
# phases and Mitre TTP code(s)
# Mitre Attack References:
# [1] https://attack.mitre.org/tactics/enterprise/
# [2] https://raw.githubusercontent.com/mitre/cti/master/
# enterprise-attack/enterprise-attack.json
# [2] https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json

# Starting with version 8, the Falco engine supports exceptions.
# However the Falco rules file does not use them by default.
Expand All @@ -55,23 +53,22 @@
items: ['"10.0.0.0/8"', '"172.16.0.0/12"', '"192.168.0.0/16"']

- macro: outbound
condition: >
condition:
(((evt.type = connect and evt.dir=<) or
(evt.type in (sendto,sendmsg) and evt.dir=< and
fd.l4proto != tcp and fd.connected=false and fd.name_changed=true)) and
(fd.typechar = 4 or fd.typechar = 6) and
(fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8" and
not fd.snet in (rfc_1918_addresses)) and
(evt.rawres >= 0 or evt.res = EINPROGRESS))
(evt.type in (sendto,sendmsg) and evt.dir=< and fd.l4proto != tcp and
fd.connected=false and fd.name_changed=true)) and
(fd.typechar = 4 or fd.typechar = 6) and
(fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8" and not fd.snet in (rfc_1918_addresses)) and
(evt.rawres >= 0 or evt.res = EINPROGRESS))

# Very similar to inbound/outbound, but combines the tests together
# for efficiency.
- macro: inbound_outbound
condition: >
condition:
((((evt.type in (accept,accept4,listen,connect) and evt.dir=<)) and
(fd.typechar = 4 or fd.typechar = 6)) and
(fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8") and
(evt.rawres >= 0 or evt.res = EINPROGRESS))
(fd.typechar = 4 or fd.typechar = 6)) and
(fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8") and
(evt.rawres >= 0 or evt.res = EINPROGRESS))

- macro: ssh_port
condition: (fd.sport=22)
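Review bot: dropping the `>` indicator on `condition:` for the `outbound` and `inbound_outbound` macros turns a folded block scalar into a plain multi-line scalar. For these two expressions the parsed string is the same, but a plain scalar is more fragile: it cannot contain `: ` or ` #`, and a continuation line that begins with `#` is read as a comment, whereas a `>` block takes all of those literally. Nothing here trips those rules today, but a later edit that adds a string with `: ` or a trailing comment would change the parsed condition silently instead of failing loudly. If removing the `>` is intentional, validate the rewritten file with the rules loader (`falco -V <file>`) as part of this change.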
Expand All @@ -90,30 +87,22 @@
condition: (never_true)

- rule: Disallowed SSH Connection
desc: >
Detect any new SSH connection on port 22 to a host other than
those in an allowed list of hosts. This rule absolutely requires
profiling your environment beforehand. Network-based rules are extremely
crucial in any security program, as they can often provide the only
definitive evidence. However, effectively operationalizing them can be
challenging due to the potential for noise.
condition: >
desc:
Detect any new SSH connection on port 22 to a host other than those in an allowed list of hosts. This rule absolutely requires
profiling your environment beforehand. Network-based rules are extremely crucial in any security program, as they can often
provide the only definitive evidence. However, effectively operationalizing them can be challenging due to the potential for
noise.
condition:
inbound_outbound
and ssh_port
and not allowed_ssh_hosts
enabled: false
output: >
Disallowed SSH Connection
(connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type
fd_proto=fd.l4proto evt_type=%evt.type user=%user.name
user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name
proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline
terminal=%proc.tty %container.info)
output: Disallowed SSH Connection
(connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=fd.l4proto evt_type=%evt.type user=%user.name
user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname
command=%proc.cmdline terminal=%proc.tty %container.info)
priority: NOTICE
tags: [
maturity_deprecated, host, container, network,
mitre_latera_movement, T1021.004
]
tags: [maturity_deprecated, host, container, network, mitre_latera_movement, T1021.004]

# These rules and supporting macros are more of an example for how to
# use the fd.*ip and fd.*ip.name fields to match connection
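Review bot: the tag `mitre_latera_movement` on the last line of the rule is a typo for `mitre_lateral_movement`; since the tags line is being rewritten anyway, fix it here, otherwise anything filtering rules by tactic tag will miss this one. Separately, `fd_proto=fd.l4proto` in the `output` string lacks the `%` prefix, so the alert prints the literal text `fd_proto=fd.l4proto` instead of the protocol; it should be `fd_proto=%fd.l4proto`. The same missing `%` appears in every `output` block touched by this diff.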
Expand All @@ -134,32 +123,24 @@
items: [google.com, www.yahoo.com]

- rule: Unexpected outbound connection destination
desc: >
Detect any outbound connection to a destination outside of an allowed
set of ips, networks, or domain names. This rule absolutely requires
profiling your environment beforehand. Network-based rules are extremely
crucial in any security program, as they can often provide the only
definitive evidence. However, effectively operationalizing them can be
challenging due to the potential for noise.
condition: >
desc:
Detect any outbound connection to a destination outside of an allowed set of ips, networks, or domain names.
This rule absolutely requires profiling your environment beforehand. Network-based rules are extremely
crucial in any security program, as they can often provide the only definitive evidence. However, effectively
operationalizing them can be challenging due to the potential for noise.
condition:
outbound
and not ((fd.sip in (allowed_outbound_destination_ipaddrs)) or
(fd.snet in (allowed_outbound_destination_networks)) or
(fd.sip.name in (allowed_outbound_destination_domains)))
enabled: false
output: >
Disallowed outbound connection destination
(connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type
fd_proto=fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid
user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath
parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
%container.info)
output: Disallowed outbound connection destination
(connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=fd.l4proto evt_type=%evt.type
user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath
parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info)

priority: NOTICE
tags: [
maturity_deprecated, host, container, network,
mitre_command_and_control, TA0011
]
tags: [maturity_deprecated, host, container, network, mitre_command_and_control, TA0011]
# Use this to test whether the event occurred within a container.
# When displaying container information in the output field, use
# %container.info, without any leading term (file=%fd.name
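Review bot: the blank line left between the end of the `output` string and `priority: NOTICE` is inconsistent with the other rules in this diff, none of which separate the two keys; drop it so the rule reads like its neighbours. `fd_proto=fd.l4proto` in the same `output` string also needs the `%` prefix (`fd_proto=%fd.l4proto`) to render the protocol rather than the literal field name.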
Expand Down Expand Up @@ -195,36 +176,25 @@
# # test again that it fires.

- rule: Outbound or Inbound Traffic not to Authorized Server Process and Port
desc: >
Detect traffic to an unauthorized server process and port within
pre-defined containers. This rule absolutely requires profiling
your environment beforehand and also necessitates adjusting the
list of containers to which this rule will be applied. The current
expression logic will never evaluate to true unless the list is
populated. Network-based rules are extremely crucial in any
security program, as they can often provide the only definitive
evidence. However, effectively operationalizing them can be
challenging due to the potential for noise. Notably, this rule is
challenging to operationalize.
condition: >
desc:
Detect traffic to an unauthorized server process and port within pre-defined containers. This rule absolutely requires
profiling your environment beforehand and also necessitates adjusting the list of containers to which this rule will be
applied. The current expression logic will never evaluate to true unless the list is populated. Network-based rules are
extremely crucial in any security program, as they can often provide the only definitive evidence. However, effectively
operationalizing them can be challenging due to the potential for noise. Notably, this rule is challenging to operationalize.
condition:
inbound_outbound
and container
and container.image.repository in (allowed_image)
and not proc.name in (authorized_server_binary)
and not fd.sport in (authorized_server_port)
enabled: false
output: >
Network connection outside authorized port and binary
(connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type
fd_proto=fd.l4proto evt_type=%evt.type user=%user.name
user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name
proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline
terminal=%proc.tty %container.info)
output: Network connection outside authorized port and binary
(connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=fd.l4proto evt_type=%evt.type user=%user.name
user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname
command=%proc.cmdline terminal=%proc.tty %container.info)
priority: WARNING
tags: [
maturity_deprecated, container, network, mitre_discovery, TA0011,
NIST_800-53_CM-7
]
tags: [maturity_deprecated, container, network, mitre_discovery, TA0011, NIST_800-53_CM-7]

- list: c2_server_ip_list
items: []
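Review bot: the tags line pairs `mitre_discovery` with `TA0011`, but TA0011 is the Command and Control tactic, which is how the other two rules in this diff tag it (`mitre_command_and_control, TA0011`); Discovery is TA0007. Pick the tactic this rule is meant to cover and make the name and the TA code agree. The reflowed `desc` also ends with "Notably, this rule is challenging to operationalize." immediately after a sentence that already says operationalizing such rules is challenging; one of the two can go while the paragraph is being rewritten.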
Expand All @@ -233,31 +203,20 @@
items: []

- rule: Outbound Connection to C2 Servers
desc: >
Detect outbound connections to command and control servers using a list
of IP addresses and fully qualified domain names (FQDNs). This rule
absolutely requires profiling your environment beforehand and also
necessitates adjusting the template lists. The current expression logic
will never evaluate to true unless the lists are populated. Network-based
rules are extremely crucial in any security program, as they can often
provide the only definitive evidence.However, effectively operationalizing
them can be challenging due to the potential for noise. Notably, this rule
is challenging to operationalize.
condition: >
desc:
Detect outbound connections to command and control servers using a list of IP addresses and fully qualified domain names
(FQDNs). This rule absolutely requires profiling your environment beforehand and also necessitates adjusting the template
lists. The current expression logic will never evaluate to true unless the lists are populated. Network-based rules are
extremely crucial in any security program, as they can often provide the only definitive evidence.However, effectively
operationalizing them can be challenging due to the potential for noise. Notably, this rule is challenging to operationalize.
condition:
outbound
and ((fd.sip in (c2_server_ip_list)) or
(fd.sip.name in (c2_server_fqdn_list)))
output: >
Outbound connection to C2 server
(c2_domain=%fd.sip.name c2_addr=%fd.sip
connection=%fd.name lport=%fd.lport rport=%fd.rport
fd_type=%fd.type fd_proto=fd.l4proto evt_type=%evt.type
user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid
process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname
command=%proc.cmdline terminal=%proc.tty %container.info)
output: Outbound connection to C2 server
(c2_domain=%fd.sip.name c2_addr=%fd.sip connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type
fd_proto=fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid
process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info)
priority: WARNING
enabled: false
tags: [
maturity_deprecated, host, container, network,
mitre_command_and_control, TA0011
]
tags: [maturity_deprecated, host, container, network, mitre_command_and_control, TA0011]
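Review bot: `evidence.However` on the fourth line of the `desc` is missing the space after the period and was carried over verbatim from the old text; since the paragraph is being reflowed, fix it here. As in the other rules, `fd_proto=fd.l4proto` in the `output` string should be `fd_proto=%fd.l4proto`. Minor: this rule places `enabled: false` after `priority` while the other rules in the file put it before `output`; keeping the key order consistent makes the disabled-by-default status easier to spot when scanning the file.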