adding an event for disallowed_ssh_connection_non_standard_port #144
Conversation
|
TCP protocol condition is met by SSH connection, as SSH uses TCP protocol |
|
Hii @FedeDP @leogr this event triggered stable rule successfully |
| } | ||
| } | ||
| // non_standard_port : 443 | ||
| cmd := exec.Command("timeout", "1s", path, "[email protected]", "-p", "443") |
There was a problem hiding this comment.
Generally speaking, it is good practice to use example domains.
Just a doubt: will it work with localhost as well? 🤔
If so, it would be preferable, to avoid outbound traffic. Otherwise, it's ok as-is now.
There was a problem hiding this comment.
@leogr let me check..
There was a problem hiding this comment.
@leogr Its not working on localhost :)
There was a problem hiding this comment.
@FedeDP what do you think about using example.net ?
There was a problem hiding this comment.
I think localhost should work just fine; in your case it is not working because you are actually succeeding in logging in (ie: you have an ssh daemon on port 443(?))
I'd try to connect to localhost to a different port, like 4444, and see if that triggers the rule.
See https://github.com/falcosecurity/rules/blob/main/rules/falco_rules.yaml#L1207 for the ports that can be used.
There was a problem hiding this comment.
Uh nope, the rule triggers only for outbound connections, therefore it won't fire for localhost. See: https://github.com/falcosecurity/rules/blob/main/rules/falco_rules.yaml#L1223C5-L1223C13
I guess it's ok then.
|
LGTM label has been added. Git tree hash: a20a55c5c4b96b8994af375195aa17a7415357fd
|
|
@FedeDP I think branch protection rules interfered with merging this event :) |
What do you mean? |
|
Can you squash this one into a single commit and rebase on top of main? |
Signed-off-by: h4l0gen <[email protected]> final update Signed-off-by: h4l0gen <[email protected]>
|
@FedeDP please add LGTM label again. Sorry for the inconvenience :) |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: FedeDP, h4l0gen, leogr The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
LGTM label has been added. Git tree hash: a7f834693ed0cecfc5334dbb6daff584785ef6a5
|
What type of PR is this?
/kind feature
Any specific area of the project related to this PR?
/area events
What this PR does / why we need it:
this triggers rule
disallowed ssh connection non standard portWhich issue(s) this PR fixes:
Fixes #142
Special notes for your reviewer: