Add new rule attach-bpf-to-socket-on-linux.yml (#922)

* Add new rule attach-bpf-to-socket-on-linux.yml --------- Co-authored-by: Willi Ballenthin <[email protected]>
mandiant · Aug 14, 2024 · 99e100d · 99e100d
1 parent 0e2500f
commit 99e100d
Showing 1 changed file with 23 additions and 0 deletions.
diff --git a/communication/socket/attach-bpf-to-socket-on-linux.yml b/communication/socket/attach-bpf-to-socket-on-linux.yml
@@ -0,0 +1,23 @@
+rule:
+  meta:
+    name: attach BPF to socket on Linux
+    namespace: communication/socket
+    authors:
+      - [email protected]
+    scopes:
+      static: basic block
+      dynamic: call
+    att&ck:
+      - Persistence::Traffic Signaling::Socket Filters [T1205.002]
+    mbc:
+      - Communication::Socket Communication::Set Socket Config [C0001.001]
+    references:
+      - https://www.kernel.org/doc/Documentation/networking/filter.txt
+    examples:
+      - 34dbc85ed0386e024c724c7969e8d0ff0ff0b1882508ea259c458d59657a1971
+  features:
+    - and:
+      - os: linux
+      - api: setsockopt
+      - number: 1 = SOL_SOCKET
+      - number: 26 = SO_ATTACH_FILTER