diff --git a/pkg/ruleengine/v1/r1000_exec_from_malicious_source.go b/pkg/ruleengine/v1/r1000_exec_from_malicious_source.go
index 46c5d90f..b33a3bcc 100644
--- a/pkg/ruleengine/v1/r1000_exec_from_malicious_source.go
+++ b/pkg/ruleengine/v1/r1000_exec_from_malicious_source.go
@@ -21,8 +21,8 @@ const (
 var R1000ExecFromMaliciousSourceDescriptor = RuleDescriptor{
 ID: R1000ID,
 Name: R1000Name,
- Description: "Detecting exec calls that are from malicious source like: /dev/shm, /run, /var/run, /proc/self",
- Priority: RulePriorityCritical,
+ Description: "Detecting exec calls that are from malicious source like: /dev/shm, /proc/self",
+ Priority: RulePriorityMed,
 Tags: []string{"exec", "signature"},
 Requirements: &RuleRequirements{
 EventTypes: []utils.EventType{utils.ExecveEventType},
@@ -61,8 +61,6 @@ func (rule *R1000ExecFromMaliciousSource) ProcessEvent(eventType utils.EventType
 var maliciousExecPathPrefixes = []string{
 "/dev/shm",
- "/run",
- "/var/run",
 "/proc/self",
 }
diff --git a/pkg/ruleengine/v1/r1000_exec_from_malicious_source_test.go b/pkg/ruleengine/v1/r1000_exec_from_malicious_source_test.go
index 701e3c7f..5345fb2f 100644
--- a/pkg/ruleengine/v1/r1000_exec_from_malicious_source_test.go
+++ b/pkg/ruleengine/v1/r1000_exec_from_malicious_source_test.go
@@ -59,21 +59,21 @@ func TestR1000ExecFromMaliciousSource(t *testing.T) {
 t.Errorf("Expected ruleResult to be nil since exec is not malicious")
 }
- e.Comm = "/run/run.sh"
+ e.Comm = "/dev/shm/run.sh"
 ruleResult = r.ProcessEvent(utils.ExecveEventType, e, &RuleObjectCacheMock{})
 if ruleResult == nil {
 t.Errorf("Expected ruleResult since exec is malicious")
 }
- e.Comm = "./run/run.sh"
+ e.Comm = "./dev/shm/run.sh"
 ruleResult = r.ProcessEvent(utils.ExecveEventType, e, &RuleObjectCacheMock{})
 if ruleResult == nil {
 t.Errorf("Expected ruleResult since exec is malicious")
 }
- e.Cwd = "/run"
+ e.Cwd = "/dev/shm"
 e.Comm = "./run.sh"
 ruleResult = r.ProcessEvent(utils.ExecveEventType, e, &RuleObjectCacheMock{})
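Review bot: The downgrade from `RulePriorityCritical` to `RulePriorityMed` and the removal of `/run` and `/var/run` from the Description land in the descriptor with no comment explaining why, so nothing stops a later contributor from re-adding those prefixes or restoring the old priority. I would put a comment above the `var R1000ExecFromMaliciousSourceDescriptor` line, along the lines of `// /run and /var/run are no longer treated as malicious exec sources (presumably because legitimate workloads execute from there — confirm the rationale); priority was lowered to Med at the same time.` The Description string also hand-lists the prefixes and has already had to be edited in step with `maliciousExecPathPrefixes`; deriving it from the slice, e.g. `Description: "Detecting exec calls that are from malicious source like: " + strings.Join(maliciousExecPathPrefixes, ", "),`, keeps the two from drifting (Go orders package-level initialization by dependency, so the slice being declared later in the file is fine; `strings` must be imported if it is not already).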
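Review bot: With `/run` and `/var/run` gone, `/proc/self` is one of only two prefixes left in `maliciousExecPathPrefixes`, and if the comparison is a plain prefix match (as the variable name suggests — the matching code is outside this hunk) it only fires when the executed path literally goes through the `/proc/self` alias; the same fileless binary reached via `/proc/<pid>/fd/N` does not start with that prefix. Whether that matters depends on how the event path is normalised before the comparison, which I cannot see here, so it is worth pinning with a test case before relying on the narrower list. Independently, the slice now carries no record of why two entries were dropped; a one-line comment such as `// /run and /var/run were removed from this list on purpose — do not re-add without revisiting the false-positive rate.` above the `var` line would help the next reader.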