Description
I am using the rule set from falco-incubating_rules.yaml, and am trying to filter out some of the irrelevant UDP traffic from the 'Unexpected UDP traffic' rule. When I try to filter on fd.net to avoid reports for traffic to and from localhost, this does not work.
This is using the RPM packages for falco version 0.39.1-1.
For reference, the rule I am trying to modify looks like this:
- rule: Unexpected UDP Traffic
  desc: >
    Detecting UDP traffic on ports other than 53 (DNS) or other commonly used ports. Misusing UDP is a known TTP among attackers.
    Monitoring unusual network activity is highly valuable but often generates significant noise, as is the case with this detection.
  condition: >
    inbound_outbound
    and fd.l4proto=udp
    and not expected_udp_traffic
  output: Unexpected UDP Traffic Seen (connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info)
  priority: NOTICE
  tags: [maturity_incubating, host, container, network, mitre_exfiltration, TA0011]
I am overriding expected_udp_traffic. This does not work as expected. I've tried to reduce it to a simple test case to demonstrate the problem, using this simpler rule to trigger on ping packets not heading for localhost:
- rule: test_ping
  desc: >
    Detect UDP traffic that is not UDP ping to localhost.
    Demonstrating missing fd.net value in UDP event.
  condition: >
    (
      inbound_outbound
      and fd.l4proto=udp
      and proc.name=ping
      and evt.dir=<
      and not fd.net in ("127.0.0.0/8", "::1/128")
    )
  output: Unexpected UDP ping Traffic Seen (connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info)
  priority: NOTICE
  tags: [maturity_incubating, host, container, network, mitre_exfiltration, TA0011]
When I test with 'ping localhost' with this rule loaded, I get events like this in /var/log/falco.log:
{
  "hostname": "mytesthost",
  "output": "11:01:14.459786448: Notice Unexpected UDP ping Traffic Seen (connection=::1:47763->::1:0 lport=47763 rport=0 fd_type=ipv6 fd_proto=fd.l4proto evt_type=connect user=root user_uid=0 user_loginuid=43502 process=ping proc_exepath=/usr/bin/ping parent=bash command=ping localhost terminal=34817 exe_flags=<NA> container_id=host container_name=host)",
  "output_fields": {
    "container.id": "host",
    "container.name": "host",
    "evt.arg.flags": null,
    "evt.time": 1731492074459786448,
    "evt.type": "connect",
    "fd.lport": 47763,
    "fd.name": "::1:47763->::1:0",
    "fd.rport": 0,
    "fd.type": "ipv6",
    "proc.cmdline": "ping localhost",
    "proc.exepath": "/usr/bin/ping",
    "proc.name": "ping",
    "proc.pname": "bash",
    "proc.tty": 34817,
    "user.loginuid": 43502,
    "user.name": "root",
    "user.uid": 0
  },
  "priority": "Notice",
  "rule": "test_ping",
  "source": "syscall",
  "tags": [
    "TA0011",
    "container",
    "host",
    "maturity_incubating",
    "mitre_exfiltration",
    "network"
  ],
  "time": "2024-11-13T10:01:14.459786448Z"
}
{
  "hostname": "mytesthost",
  "output": "11:01:14.459836313: Notice Unexpected UDP Traffic Seen (connection=::1:45431->::1:1025 lport=45431 rport=1025 fd_type=ipv6 fd_proto=fd.l4proto evt_type=connect user=root user_uid=0 user_loginuid=43502 process=ping proc_exepath=/usr/bin/ping parent=bash command=ping localhost terminal=34817 exe_flags=<NA> container_id=host container_name=host)",
  "output_fields": {
    "container.id": "host",
    "container.name": "host",
    "evt.arg.flags": null,
    "evt.time": 1731492074459836313,
    "evt.type": "connect",
    "fd.lport": 45431,
    "fd.name": "::1:45431->::1:1025",
    "fd.rport": 1025,
    "fd.type": "ipv6",
    "proc.cmdline": "ping localhost",
    "proc.exepath": "/usr/bin/ping",
    "proc.name": "ping",
    "proc.pname": "bash",
    "proc.tty": 34817,
    "user.loginuid": 43502,
    "user.name": "root",
    "user.uid": 0
  },
  "priority": "Notice",
  "rule": "Unexpected UDP Traffic",
  "source": "syscall",
  "tags": [
    "TA0011",
    "container",
    "host",
    "maturity_incubating",
    "mitre_exfiltration",
    "network"
  ],
  "time": "2024-11-13T10:01:14.459836313Z"
}
I expected these events to be ignored, as the fd.net content should match the localhost IPv4 and IPv6 content.
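The exclusion the test rule intends, `not fd.net in ("127.0.0.0/8", "::1/128")`, can be checked in user space against the quoted events by parsing both endpoints out of `fd.name`. The following is an added example written for this report; it is neither Falco code nor the reporter's. It assumes `fd.name` has the form `laddr:lport->raddr:rport` with unbracketed IPv6 addresses, as in the two events above, and uses a constructed JSON-lines sample: two records carrying the `fd.*` values quoted above plus one hypothetical non-loopback record for contrast.

```python
"""Post-filter Falco JSON-lines output by loopback endpoints.

Added example; not part of Falco or of the issue. It applies the intended
effect of `not fd.net in ("127.0.0.0/8", "::1/128")` after the fact by
parsing both endpoints out of `fd.name`.
Assumption: `fd.name` is `laddr:lport->raddr:rport` with unbracketed IPv6
addresses, as in the events quoted in the issue.
"""
import ipaddress
import json

# Networks taken from the reporter's rule condition.
LOOPBACK_NETS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]

# Constructed JSON-lines log: the first two records carry the fd.* values
# quoted in the issue; the third is a hypothetical non-loopback event.
SAMPLE_LOG = "\n".join([
    json.dumps({"rule": "test_ping", "priority": "Notice",
                "output_fields": {"fd.name": "::1:47763->::1:0", "fd.type": "ipv6",
                                  "proc.name": "ping"}}),
    json.dumps({"rule": "Unexpected UDP Traffic", "priority": "Notice",
                "output_fields": {"fd.name": "::1:45431->::1:1025", "fd.type": "ipv6",
                                  "proc.name": "ping"}}),
    json.dumps({"rule": "Unexpected UDP Traffic", "priority": "Notice",
                "output_fields": {"fd.name": "192.0.2.10:40000->192.0.2.20:5000",
                                  "fd.type": "ipv4", "proc.name": "example"}}),
])


def split_endpoint(endpoint):
    """Split 'addr:port' into (ip_address, port).

    IPv6 addresses contain colons, so the split is on the last colon only.
    """
    addr, sep, port = endpoint.rpartition(":")
    if not sep:
        raise ValueError(f"no port in endpoint {endpoint!r}")
    return ipaddress.ip_address(addr), int(port)


def parse_fd_name(fd_name):
    """Return ((laddr, lport), (raddr, rport)) from a Falco fd.name string."""
    local, sep, remote = fd_name.partition("->")
    if not sep:
        raise ValueError(f"fd.name {fd_name!r} is not a laddr->raddr tuple")
    return split_endpoint(local), split_endpoint(remote)


def in_any(addr, nets):
    """True if addr lies in any network of the same address family."""
    return any(addr.version == net.version and addr in net for net in nets)


def is_loopback_only(fd_name):
    """True when both endpoints of the connection are loopback addresses."""
    (laddr, _), (raddr, _) = parse_fd_name(fd_name)
    return in_any(laddr, LOOPBACK_NETS) and in_any(raddr, LOOPBACK_NETS)


def filter_log(text):
    """Keep only events whose connection is not loopback-to-loopback.

    Events without a parseable fd.name are kept: a filter that cannot decide
    fails open towards the alert rather than suppressing it.
    """
    kept = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        fd_name = event.get("output_fields", {}).get("fd.name")
        try:
            if fd_name and is_loopback_only(fd_name):
                continue
        except ValueError:
            pass
        kept.append(event)
    return kept


if __name__ == "__main__":
    for event in filter_log(SAMPLE_LOG):
        print(event["rule"], event["output_fields"]["fd.name"])
```

Run against the sample, both quoted `ping localhost` events are dropped because `::1` lies in `::1/128` on both sides, and only the constructed `192.0.2.x` event survives; that is the behaviour the rule's `fd.net` clause was meant to produce in the engine itself. Note that the filter keeps any event whose `fd.name` cannot be parsed, so a malformed field never silently suppresses an alert.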
Environment

- Falco version:
  Wed Nov 13 11:09:04 2024: Using deprecated config key 'rules_file' (singular form). Please use new 'rules_files' config key (plural form).
  Wed Nov 13 11:09:04 2024: Falco version: 0.39.1 (x86_64)
  Wed Nov 13 11:09:04 2024: Falco initialized with configuration files:
  Wed Nov 13 11:09:04 2024: /etc/falco/falco.yaml | schema validation: failed for [webserver]: Object contains a property that could not be validated using 'properties' or 'additionalProperties' constraints: 'k8s_audit_endpoint'.
  Wed Nov 13 11:09:04 2024: System info: Linux version 6.10.7-100.fc39.x86_64 (mockbuild@bcd4ebc81e1d4849aca2632ad651b39e) (gcc (GCC) 13.3.1 20240522 (Red Hat 13.3.1-1), GNU ld version 2.40-14.fc39) update: delete notices about chisels #1 SMP PREEMPT_DYNAMIC Fri Aug 30 00:07:39 UTC 2024
  {"default_driver_version":"7.3.0+driver","driver_api_version":"8.0.0","driver_schema_version":"2.0.0","engine_version":"43","engine_version_semver":"0.43.0","falco_version":"0.39.1","libs_version":"0.18.1","plugin_api_version":"3.7.0"}
- System info:
  {
    "machine": "x86_64",
    "nodename": "mytesthost",
    "release": "6.10.7-100.fc39.x86_64",
    "sysname": "Linux",
    "version": "update: delete notices about chisels #1 SMP PREEMPT_DYNAMIC Fri Aug 30 00:07:39 UTC 2024"
  }
- Cloud provider or hardware configuration: libvirt VM x86_64/amd64
- OS: Fedora release 39
- Kernel: Linux mytesthost 6.10.7-100.fc39.x86_64 update: delete notices about chisels #1 SMP PREEMPT_DYNAMIC Fri Aug 30 00:07:39 UTC 2024 x86_64 GNU/Linux
- Installation method: RPM