chainguard-dev / malcontent

the subtle malware scanner
Apache License 2.0

probable false: net/ddos in datadog-agent-oci-compat-7.54 (synflood) #289

Closed tstromberg closed 3 months ago

tstromberg commented 4 months ago
packages/x86_64/datadog-agent-oci-compat-7.54/opt/datadog-agent/embedded/share/system-probe/ebpf/co-re/tracer-fentry-debug.o [🚨 CRITICAL]
---------------------------------------------------------------------------------
RISK  KEY       DESCRIPTION                                            EVIDENCE  
---------------------------------------------------------------------------------
CRIT  net/ddos  Performs DDoS (distributed denial of service) attacks  synflood  
---------------------------------------------------------------------------------
egibs commented 4 months ago

After a bit of xxd wrangling:

000334a0: 0110010001100101 0110011001100101 0111001001011111 0110000101100011 0110001101100101 0111000001110100 0000000001110011 0111100101101110 0110011001101100 0110111101101111 0110010001011111 0111011101100001 0111001001101110 0110010101100100 0000000001111001 0110111101110101  defer_accept.synflood_warned.you

We can add a not for this 👍🏻

tstromberg commented 4 months ago

I'm still seeing this with wolfi datadog packages & bincapz 0.13.2:

/home/t/packages/x86_64/datadog-agent-oci-compat-7.54/opt/datadog-agent/embedded/share/system-probe/ebpf/co-re/tcp-queue-length-debug.o [🚨 CRITICAL]
---------------------------------------------------------------------------------
RISK  KEY       DESCRIPTION                                            EVIDENCE  
---------------------------------------------------------------------------------
CRIT  net/ddos  Performs DDoS (distributed denial of service) attacks  synflood  
---------------------------------------------------------------------------------

/home/t/packages/x86_64/datadog-agent-oci-compat-7.54/opt/datadog-agent/embedded/share/system-probe/ebpf/co-re/tcp-queue-length.o [🚨 CRITICAL]
---------------------------------------------------------------------------------
RISK  KEY       DESCRIPTION                                            EVIDENCE  
---------------------------------------------------------------------------------
CRIT  net/ddos  Performs DDoS (distributed denial of service) attacks  synflood  
---------------------------------------------------------------------------------

/home/t/packages/x86_64/datadog-agent-oci-compat-7.54/opt/datadog-agent/embedded/share/system-probe/ebpf/co-re/tracer-debug.o [🚨 CRITICAL]
---------------------------------------------------------------------------------
RISK  KEY       DESCRIPTION                                            EVIDENCE  
---------------------------------------------------------------------------------
CRIT  net/ddos  Performs DDoS (distributed denial of service) attacks  synflood  
---------------------------------------------------------------------------------

/home/t/packages/x86_64/datadog-agent-oci-compat-7.54/opt/datadog-agent/embedded/share/system-probe/ebpf/co-re/tracer-fentry-debug.o [🚨 CRITICAL]
---------------------------------------------------------------------------------
RISK  KEY       DESCRIPTION                                            EVIDENCE  
---------------------------------------------------------------------------------
CRIT  net/ddos  Performs DDoS (distributed denial of service) attacks  synflood  
---------------------------------------------------------------------------------

/home/t/packages/x86_64/datadog-agent-oci-compat-7.54/opt/datadog-agent/embedded/share/system-probe/ebpf/co-re/tracer-fentry.o [🚨 CRITICAL]
---------------------------------------------------------------------------------
RISK  KEY       DESCRIPTION                                            EVIDENCE  
---------------------------------------------------------------------------------
CRIT  net/ddos  Performs DDoS (distributed denial of service) attacks  synflood  
---------------------------------------------------------------------------------

/home/t/packages/x86_64/datadog-agent-oci-compat-7.54/opt/datadog-agent/embedded/share/system-probe/ebpf/co-re/tracer.o [🚨 CRITICAL]
---------------------------------------------------------------------------------
RISK  KEY       DESCRIPTION                                            EVIDENCE  
---------------------------------------------------------------------------------
CRIT  net/ddos  Performs DDoS (distributed denial of service) attacks  synflood  
---------------------------------------------------------------------------------

We should take one of these samples and stick it in the Linux/clean directory. Based on this, my guess is we can add synflood_warned to the exceptions list:

% strings /home/t/packages/x86_64/datadog-agent-oci-compat-7.54/opt/datadog-agent/embedded/share/system-probe/ebpf/co-re/tracer.o |grep synflood
synflood_warned
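
The triage above (`strings ... | grep synflood`, then deciding whether the only hit is a benign identifier) can be scripted so the same check runs over a whole package tree before a rule exception is added. The example below is added here and is not malcontent/bincapz code; the project's real rules are YARA and the exception the thread proposes would live there. `synflood_warned` is a field of the kernel's `struct request_sock_queue` (next to `rskq_defer_accept`, `qlen` and `young`), which is why it appears in the string table of CO-RE eBPF objects that carry BTF relocations, and why the xxd output shows it between `defer_accept` and `you…` (most likely `young`, though the dump is cut off). The two sample blobs, the `EXCEPTIONS` set and the helper names are constructed for illustration.

```python
"""Triage a 'synflood' string hit: whole-identifier match vs. benign kernel field name.

Added example, not part of malcontent. Reproduces the manual
`strings file | grep synflood` check from the thread and applies an
allowlist of identifiers known to be benign (assumed here, not the
project's real exception list).
"""
import re
import sys

# Constructed stand-in for the BTF string table seen in the xxd output above
# (NUL-separated identifiers). Not bytes from the real tracer.o.
SAMPLE_OBJECT = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"rskq_defer_accept\x00synflood_warned\x00young\x00"
    + b"tcp_v4_connect\x00inet_csk_accept\x00"
)

# Constructed stand-in for what an actual flooding tool's strings might look like.
SAMPLE_TOOL = (
    b"\x7fELF" + b"\x00" * 12
    + b"usage: synflood <target> <port>\x00sending SYN flood\x00"
)

# The keyword the net/ddos rule is reacting to (assumption: a substring match).
SUSPICIOUS = re.compile(rb"synflood", re.IGNORECASE)

# Identifiers that legitimately contain the keyword. Hypothetical allowlist;
# synflood_warned is a member of the kernel's struct request_sock_queue.
EXCEPTIONS = {b"synflood_warned"}


def strings(blob: bytes, min_len: int = 4) -> list[bytes]:
    """Equivalent of `strings -n MIN_LEN`: runs of printable ASCII."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)


def classify(blob: bytes) -> dict:
    """Return every string hit, the subset explained by EXCEPTIONS, and a verdict.

    A string is 'excepted' only when every identifier token in it that contains
    the keyword is on the allowlist. A bare 'synflood' token, or an unknown
    identifier such as 'synflood_start', still counts as a real hit.
    """
    hits = [s for s in strings(blob) if SUSPICIOUS.search(s)]
    real, excepted = [], []
    for s in hits:
        tokens = re.findall(rb"[A-Za-z0-9_]+", s)
        matching = [t for t in tokens if SUSPICIOUS.search(t)]
        if matching and all(t in EXCEPTIONS for t in matching):
            excepted.append(s)
        else:
            real.append(s)
    return {"hits": hits, "excepted": excepted, "real": real, "flag": bool(real)}


if __name__ == "__main__":
    # Usage: python triage.py path/to/tracer.o ...   (no args: run on the samples)
    targets = sys.argv[1:]
    if not targets:
        for name, blob in (("SAMPLE_OBJECT", SAMPLE_OBJECT), ("SAMPLE_TOOL", SAMPLE_TOOL)):
            print(name, classify(blob))
    for path in targets:
        with open(path, "rb") as f:
            result = classify(f.read())
        print(path, "FLAG" if result["flag"] else "clean (excepted)", result)
```

On the constructed object the only hit is `synflood_warned`, which the allowlist explains, so the verdict is clean; on the constructed tool sample the bare `synflood` token survives and the file is still flagged. That is the behaviour a rule-level `not` exception should preserve: suppress the kernel field name without silencing a genuine match.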
egibs commented 4 months ago

Looks like synflood_warned works:

/bincapz # go run . --min-level 3 /opt/datadog-agent/embedded/share/system-probe/ebpf/
/opt/datadog-agent/embedded/share/system-probe/ebpf/runtime/conntrack.c [🔥 HIGH]
------------------------------------------------------------------------------------
RISK  KEY                   DESCRIPTION                       EVIDENCE
------------------------------------------------------------------------------------
HIGH  kernel/symbol/lookup  access unexported kernel symbols  kallsyms_lookup_name
------------------------------------------------------------------------------------

/opt/datadog-agent/embedded/share/system-probe/ebpf/runtime/offsetguess-test.c [🔥 HIGH]
------------------------------------------------------------------------------------
RISK  KEY                   DESCRIPTION                       EVIDENCE
------------------------------------------------------------------------------------
HIGH  kernel/symbol/lookup  access unexported kernel symbols  kallsyms_lookup_name
------------------------------------------------------------------------------------

/opt/datadog-agent/embedded/share/system-probe/ebpf/runtime/oom-kill.c [🔥 HIGH]
------------------------------------------------------------------------------------
RISK  KEY                   DESCRIPTION                       EVIDENCE
------------------------------------------------------------------------------------
HIGH  kernel/symbol/lookup  access unexported kernel symbols  kallsyms_lookup_name
------------------------------------------------------------------------------------

/opt/datadog-agent/embedded/share/system-probe/ebpf/runtime/runtime-security.c [🔥 HIGH]
------------------------------------------------------------------------------------
RISK  KEY                   DESCRIPTION                       EVIDENCE
------------------------------------------------------------------------------------
HIGH  kernel/symbol/lookup  access unexported kernel symbols  kallsyms_lookup_name
------------------------------------------------------------------------------------

/opt/datadog-agent/embedded/share/system-probe/ebpf/runtime/shared-libraries.c [🔥 HIGH]
------------------------------------------------------------------------------------
RISK  KEY                   DESCRIPTION                       EVIDENCE
------------------------------------------------------------------------------------
HIGH  kernel/symbol/lookup  access unexported kernel symbols  kallsyms_lookup_name
------------------------------------------------------------------------------------

/opt/datadog-agent/embedded/share/system-probe/ebpf/runtime/tcp-queue-length.c [🔥 HIGH]
------------------------------------------------------------------------------------
RISK  KEY                   DESCRIPTION                       EVIDENCE
------------------------------------------------------------------------------------
HIGH  kernel/symbol/lookup  access unexported kernel symbols  kallsyms_lookup_name
------------------------------------------------------------------------------------

/opt/datadog-agent/embedded/share/system-probe/ebpf/runtime/tracer.c [🔥 HIGH]
------------------------------------------------------------------------------------
RISK  KEY                   DESCRIPTION                       EVIDENCE
------------------------------------------------------------------------------------
HIGH  kernel/symbol/lookup  access unexported kernel symbols  kallsyms_lookup_name
------------------------------------------------------------------------------------

/opt/datadog-agent/embedded/share/system-probe/ebpf/runtime/usm.c [🔥 HIGH]
------------------------------------------------------------------------------------
RISK  KEY                   DESCRIPTION                       EVIDENCE
------------------------------------------------------------------------------------
HIGH  kernel/symbol/lookup  access unexported kernel symbols  kallsyms_lookup_name
------------------------------------------------------------------------------------

/opt/datadog-agent/embedded/share/system-probe/ebpf/runtime-security-fentry.o [🚨 CRITICAL]
-----------------------------------------------------------------------------------
RISK  KEY                        DESCRIPTION                             EVIDENCE
-----------------------------------------------------------------------------------
CRIT  evasion/fake/process/name  Pretends to be a kworker kernel thread  kworker
-----------------------------------------------------------------------------------

/opt/datadog-agent/embedded/share/system-probe/ebpf/runtime-security-syscall-wrapper.o [🚨 CRITICAL]
-----------------------------------------------------------------------------------
RISK  KEY                        DESCRIPTION                             EVIDENCE
-----------------------------------------------------------------------------------
CRIT  evasion/fake/process/name  Pretends to be a kworker kernel thread  kworker
-----------------------------------------------------------------------------------

/opt/datadog-agent/embedded/share/system-probe/ebpf/runtime-security.o [🚨 CRITICAL]
-----------------------------------------------------------------------------------
RISK  KEY                        DESCRIPTION                             EVIDENCE
-----------------------------------------------------------------------------------
CRIT  evasion/fake/process/name  Pretends to be a kworker kernel thread  kworker
-----------------------------------------------------------------------------------

/bincapz # go run . --min-level 1 /bincapz/samples/Linux/clean/tracer.o.aarch64
/bincapz/samples/Linux/clean/tracer.o.aarch64 [⚠️ MEDIUM]
------------------------------------------------------------------------------------------------------------------
RISK  KEY                               DESCRIPTION                                          EVIDENCE
------------------------------------------------------------------------------------------------------------------
LOW   kernel/acct                       switch process accounting on or off                  acct
LOW   net/ip/multicast/send             send data to multiple nodes simultaneously           multicast
LOW   net/socket/listen                 listen on a socket                                   accept
                                                                                             listen
                                                                                             socket
LOW   net/socket/receive                receive a message from a socket                      recvmsg
LOW   net/socket/send                   send a message to a socket                           sendmsg
MED   combo/recon/system_network        invasive recon val                                   ip6h.daddr
                                                                                             ip6h.saddr
                                                                                             ip_dynaddr
                                                                                             iph.daddr
                                                                                             iph.saddr
MED   databases/mysql                   accesses MySQL databases                             mysql
MED   net/bpf                           BPF (Berkeley Packet Filter)                         bpf
MED   net/http/post                     submit content to websites                           HTTP
                                                                                             POST
                                                                                             http
MED   net/stat                          Uses 'netstat' for network information               netstats
MED   net/syncookie                     references SYN cookies, used to resist DoS attacks   syncookie
MED   ref/ip_port                       mentions an IP and port                              add_port
                                                                                             dev_port
                                                                                             dsa_port
                                                                                             encap_port
                                                                                             func_ip
                                                                                             garp_port
                                                                                             if_port
                                                                                             local_port
                                                                                             …
MED   ref/words/heartbeat               references a 'heartbeat' - often used by background  tx_heartbeat_errors
                                        daemons
MED   security_controls/linux/iptables  interacts with the iptables/nftables firewall        nftables
------------------------------------------------------------------------------------------------------------------