falcosecurity / rules

Falco rule repository
https://falcosecurity.github.io/rules/
Apache License 2.0

False positive detection (crypto-miner IP addresses from DNS) #62

Closed arudinskis closed 11 months ago

arudinskis commented 1 year ago

mine.moneropool.com DNS A and AAAA records resolve to Cloudflare IP addresses. status.dpd.lt also resolves to the same Cloudflare IP addresses, and because of this the rule `Detect outbound connections to common miner pool ports` is triggered as a false positive.

It seems that Falco resolves and periodically updates crypto-miner IP addresses from DNS. When a connect syscall occurs to one of those IP addresses it fires an alert. More details: https://falco.org/docs/rules/fd-sip-name/

Would it be possible to map a crypto miner domain with corresponding IP addresses? This way there shouldn’t be any false positives. Or are there other options on how to get rid of these false positives without creating exceptions?
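As an added illustration (not Falco's code, and not posted by anyone in this thread) of why an IP list derived from miner-pool DNS answers fires on an unrelated site that shares the same CDN addresses, and what the requested domain-to-IP mapping would change. Only the two domain names come from the issue; the IP addresses (documentation ranges), the port list, the `dns_name` field and the connect events are constructed:

```python
"""
Added example (not Falco's code, nor posted by anyone in this thread):
an IP-only blocklist built from miner-pool DNS records beside a
domain-aware check. Only the two domain names come from the issue; the
IP addresses (documentation ranges), the port list and the events are
constructed.
"""
from dataclasses import dataclass

MINER_DOMAINS = {"mine.moneropool.com"}

# Constructed resolution snapshot: both names front-ended by the same CDN IPs.
RESOLVED = {
    "mine.moneropool.com": {"203.0.113.10", "2001:db8::10"},
    "status.dpd.lt": {"203.0.113.10", "2001:db8::10"},
}

# Constructed subset of "common miner pool ports"; the real rule's list is longer.
MINER_PORTS = {3333, 4444, 8080}


@dataclass(frozen=True)
class ConnectEvent:
    proc: str
    dns_name: str  # name the process resolved just before connecting (constructed field)
    sip: str       # destination IP (what fd.sip would carry)
    sport: int     # destination port (what fd.sport would carry)


def build_ip_blocklist(miner_domains, resolved):
    """Behaviour as described in the issue: flatten every miner domain's
    A/AAAA answers into one set of addresses."""
    ips = set()
    for name in miner_domains:
        ips |= resolved.get(name, set())
    return ips


def ip_only_match(ev, blocklist):
    """Fires on any connect to a listed IP on a miner port, regardless of
    which name the process actually looked up."""
    return ev.sip in blocklist and ev.sport in MINER_PORTS


def domain_aware_match(ev, miner_domains, resolved):
    """Requested refinement: fire only when the name the process resolved is
    a miner domain and the destination IP is one of that domain's answers."""
    if ev.dns_name not in miner_domains:
        return False
    return ev.sip in resolved[ev.dns_name] and ev.sport in MINER_PORTS


def evaluate(events, miner_domains=MINER_DOMAINS, resolved=RESOLVED):
    """Return {proc: (ip_only_alert, domain_aware_alert)} for each event."""
    blocklist = build_ip_blocklist(miner_domains, resolved)
    return {
        ev.proc: (ip_only_match(ev, blocklist),
                  domain_aware_match(ev, miner_domains, resolved))
        for ev in events
    }


SAMPLE_EVENTS = [
    # A miner connecting to the pool: both approaches alert.
    ConnectEvent("xmrig", "mine.moneropool.com", "203.0.113.10", 3333),
    # The false positive from the issue: unrelated site on a shared CDN IP.
    ConnectEvent("curl", "status.dpd.lt", "203.0.113.10", 8080),
    # A pool whose address is not in the current snapshot: neither approach
    # sees it, which is the lag inherent in DNS-derived address lists.
    ConnectEvent("xmrig-stale", "mine.moneropool.com", "198.51.100.7", 3333),
]

if __name__ == "__main__":
    for proc, (ip_only, domain_aware) in evaluate(SAMPLE_EVENTS).items():
        print(f"{proc:12s} ip_only={ip_only!s:5s} domain_aware={domain_aware}")
```

The domain-aware check only works if the sensor can tie the connect to the name the process resolved (or to the TLS SNI), which is exactly the correlation the issue asks for; it trades away detection of processes that connect to a pool address directly without a lookup, so it sharpens precision rather than replacing the port heuristic.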

incertum commented 1 year ago

Hi @arudinskis, we have good news: a refactoring, meaning a complete revamp in this regard, is on the Falco Roadmap https://github.com/orgs/falcosecurity/projects/5. We may not be able to land it for Falco 0.36, because there are other competing priorities, but hopefully we have a better approach by Falco 0.37.

CC @loresuso

loresuso commented 1 year ago

Totally agree with @incertum! Things start moving in this regard!

poiana commented 1 year ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana commented 1 year ago

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

poiana commented 11 months ago

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community.

/close

poiana commented 11 months ago

@poiana: Closing this issue.

In response to [this](https://github.com/falcosecurity/rules/issues/62#issuecomment-1818182168):

> Rotten issues close after 30d of inactivity.
>
> Reopen the issue with `/reopen`.
>
> Mark the issue as fresh with `/remove-lifecycle rotten`.
>
> Provide feedback via https://github.com/falcosecurity/community.
> /close

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.