falcosecurity / falco

Cloud Native Runtime Security
https://falco.org
Apache License 2.0

fd.sockfamily not triggering #67

Closed ldegio closed 8 years ago

ldegio commented 8 years ago

I added the rule at the bottom of this message to the rules.yaml file. When I do a curl, I would expect the rule to be hit multiple times. However, I don't see any alert.


mstemm commented 8 years ago

After some comparisons between falco and sysdig, I noticed that sysdig was properly setting the sockfamily while falco was not:

sysdig's output: mstemm curl ioctl fd=4(<4u>10.0.2.15:51831->8.8.8.8:domain) request=541B argument=7F400290A09C 10.0.2.15:51831->8.8.8.8:domain ip

falco's output: 22:12:51.288684019: Warning Known system binary sent/received network traffic (mstemm curl ioctl fd=4(<f>10.0.2.15:51831->8.8.8.8:53) request=541B argument=7F400290A09C 10.0.2.15:51831->8.8.8.8:53 <NA>)

The problem was that parsers do the work of setting the information about socket file descriptors, specifically sinsp_parser::parse_socket_exit(). However, falco had those events disabled for performance reasons. As a result, the socket event never filled in the information about the file descriptor, and the sockfamily (and other meta-information) wasn't being set.

Since there aren't really that many socket calls, we'll just re-enable socket events in sysdig, which will allow the information to be properly set.

mstemm commented 8 years ago

Using the head of the sysdig dev branch I was able to get messages for this rule:

# sockfamily ip is to exclude certain processes (like 'groups') that communicate on unix-domain sockets
- rule: system_binaries_network_activity
  desc: any network activity performed by system binaries that are not expected to send or receive any network traffic
  condition: fd.sockfamily = ip
  output: "Known system binary sent/received network traffic (%user.name %proc.name %evt.type %evt.args %fd.name)"
  priority: WARNING

So this is fixed now.
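As an added example (not code from the issue or from the Falco project), the snippet below parses the fd annotation that sysdig and falco print in the outputs quoted above, derives the fd.sockfamily value from the fd type code, and evaluates the rule condition `fd.sockfamily = ip` against each line. The mapping of type codes (`<4u>`, `<4t>`, `<6u>`, `<6t>`, `<u>`) to socket families is an assumption based on sysdig's fd notation; the two sample lines are constructed copies of the outputs in the thread.

```python
import re
from typing import Optional

# Matches sysdig's fd annotation, e.g. fd=4(<4u>10.0.2.15:51831->8.8.8.8:domain).
# The port may be numeric or a resolved service name ("domain" for 53).
FD_RE = re.compile(r"fd=(?P<num>\d+)\(<(?P<type>[^>]+)>(?P<name>[^)]*)\)")

# fd type code -> fd.sockfamily value. Assumption: these are the codes sysdig
# prints for sockets; any other code (such as "<f>" for a plain file) means
# the descriptor carries no socket metadata, so sockfamily stays unset.
SOCKFAMILY_BY_TYPE = {
    "4t": "ip",   # IPv4 TCP
    "4u": "ip",   # IPv4 UDP
    "6t": "ip",   # IPv6 TCP
    "6u": "ip",   # IPv6 UDP
    "u": "unix",  # unix-domain socket
}


def fd_sockfamily(line: str) -> Optional[str]:
    """Return the sockfamily implied by the fd annotation, or None when the
    descriptor is not (yet) known to be a socket, which is exactly what the
    "<f>" in falco's output before the fix meant."""
    m = FD_RE.search(line)
    if not m:
        return None
    return SOCKFAMILY_BY_TYPE.get(m.group("type"))


def rule_matches(line: str) -> bool:
    """Evaluate the rule condition `fd.sockfamily = ip` for one event line."""
    return fd_sockfamily(line) == "ip"


# Constructed copies of the two event lines quoted in the thread.
SYSDIG_LINE = ("mstemm curl ioctl fd=4(<4u>10.0.2.15:51831->8.8.8.8:domain) "
               "request=541B argument=7F400290A09C 10.0.2.15:51831->8.8.8.8:domain ip")
FALCO_LINE = ("mstemm curl ioctl fd=4(<f>10.0.2.15:51831->8.8.8.8:53) "
              "request=541B argument=7F400290A09C 10.0.2.15:51831->8.8.8.8:53 <NA>")

if __name__ == "__main__":
    for label, line in (("sysdig", SYSDIG_LINE), ("falco", FALCO_LINE)):
        print(f"{label}: sockfamily={fd_sockfamily(line)} matches={rule_matches(line)}")
```

Running it shows the sysdig line matching the rule while the pre-fix falco line does not, which is the symptom reported at the top of the issue.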