feat: Support for detecting outbound connection to c2 servers with FQ… #2241
Conversation
|
Welcome @Nicolas-Peiffer! It looks like this is your first PR to falcosecurity/falco 🎉 |
Nicolas-Peiffer
force-pushed
the
c2-srv-list-fqdn
branch
2 times, most recently
from
4393f71 to
59fc390
Compare
poiana
added
dco-signoff: yes
and removed
dco-signoff: no
do-not-merge/contains-merge-commits
labels
|
/milestone 0.34.0 |
rules/falco_rules.yaml
Outdated
| # - "57.ip-142-44-247.net" | ||
| # ``` | ||
|
|
||
| - rule: Outbound Connection to C2 Servers IPs and FQDNs |
There was a problem hiding this comment.
I honestly don't think we need to change the rule name since it's accurate as it is.
we can just add in the existent description that the rules match IPs and FQDN.
I would just update the rule condition as done to support fqdn as well
There was a problem hiding this comment.
Hi, I agree with your suggestions. The name of the rule can stay the same (Outbound Connection to C2 Servers), as well as the output: field.
If you prefer, I can revert to the previous rule name.
Question: I understand you prefer this
desc: Detect outbound connection to command & control servers thanks to a list of IP addresses & a list of FQDN.over this?
desc: >
Detect outbound connection to command & control servers. For example, fetch
a list of IP addresses and FQDN on this website:
https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.json.I have no opinion on this one. I understand it is maybe better not to include a link to feodotracker.abuse.ch.
There was a problem hiding this comment.
@Nicolas-Peiffer I'll go with this one
desc: Detect outbound connection to command & control servers thanks to a list of IP addresses & a list of FQDN.
I feel the desc you added is more a comment for the rule so since it is actually a useful comment I think you can add it on top fo the rule as a proper comment as done in other rules. What do you think?
|
@Nicolas-Peiffer can you also pls add something in the PR section for the release note? |
poiana
added
do-not-merge/contains-merge-commits
release-note
and removed
release-note-none
labels
Nicolas-Peiffer
force-pushed
the
c2-srv-list-fqdn
branch
from
7b67fc8 to
83345fc
Compare
|
@darryk10 I updated the release note. And I cleaned my commits and modifed the rule taking into account your suggestions. |
rules/falco_rules.yaml
Outdated
| outbound and | ||
| ((fd.sip in (c2_server_ip_list)) or | ||
| (fd.sip.name in (c2_server_fqdn_list))) | ||
| output: Outbound connection to C2 server (command=%proc.cmdline connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository) |
There was a problem hiding this comment.
I think it would be also useful to print out fd.sip and fd.sip.name for troubleshooting and investigation.
WDYT?
There was a problem hiding this comment.
I did not think of it but you are right about that enhancement of the output:.
However, I am not sure what is the behaviour if there is only an IP addresse or only an FQDN: would either %fd.sip.name or %fd.sip be blank in that case?
But indeed, we can consider something like this:
output: Outbound connection to C2 server domain=%fd.sip.name addr=%fd.sip (command=%proc.cmdline connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository)
or this (moving the parenthesis):
output: Outbound connection to C2 server (domain=%fd.sip.name addr=%fd.sip command=%proc.cmdline connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository)
We could also be more specific by adding a prefix c2_ like this: c2_domain=%fd.sip.name c2_addr=%fd.sip .
I have no particular preference.
There was a problem hiding this comment.
I agree the option with c2_domain and c2_addr would be specific and clear so I would go in this direction.
I would also go for this output you mentioned
output: Outbound connection to C2 server (domain=%fd.sip.name addr=%fd.sip command=%proc.cmdline connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository)
As far as the empty fields goes I don't think it would be a problem if left empty but if you could do a quick test to see if all makes sense from your side would be awesome.
Thanks again
There was a problem hiding this comment.
Okay no big deal with blank IP addresses or blank FQDN : falco will output <NA> if there are no values.
In the following, we can see c2_domain=<NA> c2_addr=46.101.90.205 because the rule was triggered only with the IP adress.
I am pushing the modification.
falco 18:25:57.134661204: Warning Outbound connection to C2 server (c2_domain=<NA> c2_addr=46.101.90.205 command
=curl 46.101.90.205 connection=10.42.0.7:59170->46.101.90.205:80 user=<NA> user_loginuid=-1 container_id=62513c2
df2f2 image=<NA>) k8s.ns=default k8s.pod=tmp-shell container=62513c2df2f2
…DN domains and IP addresses. Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com> feat: Support for detecting outbound connection to c2 servers with FQDN domains and IP addresses. doc: add comment Fixing DCO append amend Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com> Revert to original C2 rule name Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com> modify comments on C2 rule Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com> comment Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com> clean comments Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com> clean comments Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com> modify stdout Signed-off-by: thedetective <nicolas@lrasc.fr>
Nicolas-Peiffer
force-pushed
the
c2-srv-list-fqdn
branch
from
83345fc to
3bfb8e0
Compare
|
LGTM label has been added. Git tree hash: 5f7c82748c8021b8b6c1b7522d5284376eda23fd
|
|
Closing and reopening to trigger the CI |
|
@leogr: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/reopen |
|
@leogr: Reopened this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: darryk10, jasondellaluce, leogr, Nicolas-Peiffer The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
…DN domains and IP addresses.
What type of PR is this?
/kind rule-update
/kind rule-create
Any specific area of the project related to this PR?
/area rules
What this PR does / why we need it:
This is a modification and enhancement of the Falco rule outbound connection to c2 servers. The rule was only considering IP addresses as a list of C2 servers. The rule was not considering Domain names (FQDN).
Now the rule both considers FQDN and IP address. This is espacially convenient for public list of C2 servers with both FQDN and IP addresses and that can be found on the internet, like this one:
https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.json
The new outbound connection to c2 servers rules is inspired by other outbound rules like:
https://github.com/falcosecurity/falco/blob/master/rules/falco_rules.yaml#L392
Which issue(s) this PR fixes:
No issue.
Special notes for your reviewer:
I am not sure that there is a user-facing change. Else I would say:
Rule: Adding support for detecting outbound connection to c2 servers with both FQDN domains and IP addresses.
Does this PR introduce a user-facing change?: