-
Notifications
You must be signed in to change notification settings - Fork 40
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Added an event for default rule "Detect outbound connections to common miner pool ports" #176
base: main
Are you sure you want to change the base?
Conversation
…rPoolPorts Signed-off-by: GLVS Kiriti <[email protected]>
As this rule is disabled by default so I enabled it at here. And on executing event code it is producing critical priority log as expected in left terminal. And now test is also successful! |
Signed-off-by: GLVS Kiriti <[email protected]>
h.Log().Warnf("Curl is needed to launch this action") | ||
return err | ||
} | ||
cmd := exec.Command(curl, "http://mine.moneropool.com") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Mmh is GETting this link safe?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Dont have an idea about that . I executed in my system 🙃
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
cc @leogr
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Regardless if it's safe or not, this approach will make the action unpredictable (that worries me more).
Are there any alternative approaches that do not involve talking with external servers? 🤔
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@FedeDP @leogr if we are worrying about this
Mmh is GETting this link safe?
then why cant we follow this approach i.e, let us add any example domain in the rule here, which can be used for testing purposes. So after that we can curl example.com which triggers the rule and safe to GET the request. WDYT? about this approach. IMO instead of curling the suspicious domains we can do this which will be beneficial for testing purposes
- list: http_miner_domains
items: [
"ca.minexmr.com",
"de.minexmr.com",
"fr.minexmr.com",
"mine.moneropool.com",
"mine.xmrpool.net",
"pool.minexmr.com",
"sg.minexmr.com",
"xmr.crypto-pool.fr",
"example.com" # Not a miner domain but used for testing purposes in falco
]
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm sorry. I had lost track of this. Anyway, adding example.com
to the list does not seem a viable option to me since it may increase false positives.
Issues go stale after 90d of inactivity. Mark the issue as fresh with Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle stale |
/remove-lifecycle stale Closing and reopening to trigger the CI |
@leogr: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/reopen |
@leogr: Reopened this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: GLVSKiriti The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
What type of PR is this?
/kind feature
Any specific area of the project related to this PR?
/area events
What this PR does / why we need it:
Added an event for default rule "Detect outbound connections to common miner pool ports"
Which issue(s) this PR fixes:
Fixes #174
Special notes for your reviewer: