
Update Rules-examples.md
gustavo-iniguez-goya authored Jun 11, 2024
1 parent f31f2ce commit 6529dc2
Showing 1 changed file with 32 additions and 3 deletions.
35 changes: 32 additions & 3 deletions wiki/Rules-examples.md
@@ -70,14 +70,43 @@ targets ports 5551, 5552, 5553, 5554 OR 5555.
[x] From this User ID: ^(0|115|118)$
```

**Blocking connections made by executables launched from /tmp**
**Blocking connections initiated by executables launched from /tmp*, /var/tmp or /dev/shm*
---

```
Action: Deny
[x] From this executable: /tmp/.*
Action: Deny
[x] From this executable: ^(/tmp/|/var/tmp/|/dev/shm/).*
```

**Blocking connections initiated by executables with certain environment variables (LD_PRELOAD for example)*
---
Note: This feature cannot configured from the GUI yet (11/06/2024)

Block outbound connections initiated by executables with certain environment variables, like when LD_PRELOAD is used maliciously:

`~ $ LD_PRELOAD=/tmp/backdoor.so sshd 1.2.3.4 443`

```json
{
"created": "2024-05-31T23:39:28+02:00",
"updated": "2024-05-31T23:39:28+02:00",
"name": "000-block-ld-preload",
"description": "",
"action": "reject",
"duration": "always",
"enabled": true,
"precedence": true,
"nolog": false
"operator": {
"operand": "process.env.LD_PRELOAD",
"data": "^(\\.|/).*",
"type": "regexp",
"sensitive": false
}
}

```

**Filtering an executable path with regexp, for example any python binary in /usr/bin/**
---

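Review bot: the JSON rule added under the LD_PRELOAD section is not valid JSON, because the line `"nolog": false` is missing the trailing comma before `"operator": {`; anyone copying it into the rules directory will get a parse error, so it should read `"nolog": false,`. Two smaller points in the same hunk: both new headings close with a single `*` (`... /dev/shm*` and `... (LD_PRELOAD for example)*`), so the bold that the old heading had with `**...**` will not render; and "This feature cannot configured from the GUI yet" should be "cannot be configured". It would also help readers to state what the regexp `^(\\.|/).*` actually matches, namely an LD_PRELOAD value that begins with `.` or `/`, so a value given as a bare library name such as `libfoo.so` would not be caught by this rule. Finally, the illustrative command `LD_PRELOAD=/tmp/backdoor.so sshd 1.2.3.4 443` most likely means the `ssh` client rather than `sshd`, which takes no host and port arguments.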

0 comments on commit 6529dc2
