Skip to content

Commit

Permalink
updated falco rules files
Browse files Browse the repository at this point in the history
Signed-off-by: h4l0gen <[email protected]>
  • Loading branch information
h4l0gen committed Mar 22, 2024
1 parent a0edc56 commit f9bee5f
Showing 1 changed file with 25 additions and 24 deletions.
49 changes: 25 additions & 24 deletions rules/falco_rules.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -344,7 +344,8 @@

- macro: splunk_running_forwarder
condition: >
(proc.pname=splunkd and proc.cmdline startswith "sh -c /opt/splunkforwarder")
(proc.pname=splunkd and proc.cmdline startswith
"sh -c /opt/splunkforwarder")
- macro: perl_running_plesk
condition: >
Expand Down Expand Up @@ -389,29 +390,29 @@
System directories like /etc are typically accessed via absolute paths.
Access patterns outside of this (here path traversal) can be regarded as
suspicious. This rule includes failed file open attempts.
condition: >
(
open_read or open_file_failed
)
and (
etc_dir or user_ssh_directory or
fd.name startswith /root/.ssh or
fd.name contains "id_rsa"
)
and directory_traversal
and not proc.pname in (shell_binaries)
enabled: true
output: Read monitored file via directory traversal
(file=%fd.name fileraw=%fd.nameraw gparent=%proc.aname[2]
ggparent=%proc.aname[3] gggparent=%proc.aname[4] evt_type=%evt.type
user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid
process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname
command=%proc.cmdline terminal=%proc.tty %container.info)
priority: WARNING
tags: [maturity_stable, host, container, filesystem, mitre_credential_access,
T1555]
condition: >
(
open_read or open_file_failed
)
and (
etc_dir or user_ssh_directory or
fd.name startswith /root/.ssh or
fd.name contains "id_rsa"
)
and directory_traversal
and not proc.pname in (shell_binaries)
enabled: true
output: Read monitored file via directory traversal
(file=%fd.name fileraw=%fd.nameraw gparent=%proc.aname[2]
ggparent=%proc.aname[3] gggparent=%proc.aname[4] evt_type=%evt.type
user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid
process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname
command=%proc.cmdline terminal=%proc.tty %container.info)
priority: WARNING
tags: [maturity_stable, host, container, filesystem, mitre_credential_access,
T1555]
- macro: cmp_cp_by_passwd
condition: (proc.name in (cmp, cp) and proc.pname in (passwd, run-parts))
Expand Down

0 comments on commit f9bee5f

Please sign in to comment.