Merge branch 'dev' into fix/webserver-errors

rules/falco_rules.yaml

@@ -2381,13 +2381,29 @@
     WARNING
   tags: [process, mitre_persistence]
 
-- rule: Delete Bash History
-  desc: Detect bash history deletion
-  condition: >
-    ((spawned_process and proc.name in (shred, rm, mv) and proc.args contains "bash_history") or
-     (open_write and fd.name contains "bash_history" and evt.arg.flags contains "O_TRUNC"))
+- rule: Delete or rename shell history
+  desc: Detect shell history deletion
+  condition: >
+    (modify and (
+      evt.arg.name contains "bash_history" or
+      evt.arg.name contains "zsh_history" or
+      evt.arg.name contains "fish_read_history" or
+      evt.arg.name endswith "fish_history" or
+      evt.arg.oldpath contains "bash_history" or
+      evt.arg.oldpath contains "zsh_history" or
+      evt.arg.oldpath contains "fish_read_history" or
+      evt.arg.oldpath endswith "fish_history" or
+      evt.arg.path contains "bash_history" or
+      evt.arg.path contains "zsh_history" or
+      evt.arg.path contains "fish_read_history" or
+      evt.arg.path endswith "fish_history")) or
+    (open_write and (
+      fd.name contains "bash_history" or
+      fd.name contains "zsh_history" or
+      fd.name contains "fish_read_history" or
+      fd.name endswith "fish_history") and evt.arg.flags contains "O_TRUNC")
   output: >
-    Bash history has been deleted (user=%user.name command=%proc.cmdline file=%fd.name %container.info)
+    Shell history had been deleted or renamed (user=%user.name type=%evt.type command=%proc.cmdline fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info)
   priority:
     WARNING
   tag: [process, mitre_defense_evation]
@@ -2453,6 +2469,103 @@
     Symlinks created over senstivie files (user=%user.name command=%proc.cmdline target=%evt.arg.target linkpath=%evt.arg.linkpath parent_process=%proc.pname)
   priority: NOTICE
   tags: [file, mitre_exfiltration]
+
+- list: miner_ports
+  items: [
+        25, 3333, 3334, 3335, 3336, 3357, 4444,
+        5555, 5556, 5588, 5730, 6099, 6666, 7777,
+        7778, 8000, 8001, 8008, 8080, 8118, 8333,
+        8888, 8899, 9332, 9999, 14433, 14444,
+        45560, 45700
+    ]
+
+- list: miner_domains
+  items: [
+      "asia1.ethpool.org","ca.minexmr.com",
+      "cn.stratum.slushpool.com","de.minexmr.com",
+      "eth-ar.dwarfpool.com","eth-asia.dwarfpool.com",
+      "eth-asia1.nanopool.org","eth-au.dwarfpool.com",
+      "eth-au1.nanopool.org","eth-br.dwarfpool.com",
+      "eth-cn.dwarfpool.com","eth-cn2.dwarfpool.com",
+      "eth-eu.dwarfpool.com","eth-eu1.nanopool.org",
+      "eth-eu2.nanopool.org","eth-hk.dwarfpool.com",
+      "eth-jp1.nanopool.org","eth-ru.dwarfpool.com",
+      "eth-ru2.dwarfpool.com","eth-sg.dwarfpool.com",
+      "eth-us-east1.nanopool.org","eth-us-west1.nanopool.org",
+      "eth-us.dwarfpool.com","eth-us2.dwarfpool.com",
+      "eu.stratum.slushpool.com","eu1.ethermine.org",
+      "eu1.ethpool.org","fr.minexmr.com",
+      "mine.moneropool.com","mine.xmrpool.net",
+      "pool.minexmr.com","pool.monero.hashvault.pro",
+      "pool.supportxmr.com","sg.minexmr.com",
+      "sg.stratum.slushpool.com","stratum-eth.antpool.com",
+      "stratum-ltc.antpool.com","stratum-zec.antpool.com",
+      "stratum.antpool.com","us-east.stratum.slushpool.com",
+      "us1.ethermine.org","us1.ethpool.org",
+      "us2.ethermine.org","us2.ethpool.org",
+      "xmr-asia1.nanopool.org","xmr-au1.nanopool.org",
+      "xmr-eu1.nanopool.org","xmr-eu2.nanopool.org",
+      "xmr-jp1.nanopool.org","xmr-us-east1.nanopool.org",
+      "xmr-us-west1.nanopool.org","xmr.crypto-pool.fr",
+      "xmr.pool.minergate.com"
+      ]
+
+- list: https_miner_domains
+  items: [
+    "ca.minexmr.com",
+    "cn.stratum.slushpool.com",
+    "de.minexmr.com",
+    "fr.minexmr.com",
+    "mine.moneropool.com",
+    "mine.xmrpool.net",
+    "pool.minexmr.com",
+    "sg.minexmr.com",
+    "stratum-eth.antpool.com",
+    "stratum-ltc.antpool.com",
+    "stratum-zec.antpool.com",
+    "stratum.antpool.com",
+    "xmr.crypto-pool.fr"
+  ]
+
+- list: http_miner_domains
+  items: [
+    "ca.minexmr.com",
+    "de.minexmr.com",
+    "fr.minexmr.com",
+    "mine.moneropool.com",
+    "mine.xmrpool.net",
+    "pool.minexmr.com",
+    "sg.minexmr.com",
+    "xmr.crypto-pool.fr"
+  ]
+
+# Add rule based on crypto mining IOCs
+- macro: minerpool_https
+  condition: (fd.sport="443" and fd.sip.name in (https_miner_domains))
+
+- macro: minerpool_http
+  condition: (fd.sport="80" and fd.sip.name in (http_miner_domains))
+
+- macro: minerpool_other
+  condition: (fd.sport in (miner_ports) and fd.sip.name in (miner_domains))
+
+- macro: net_miner_pool
+  condition: (evt.type in (sendto, sendmsg) and evt.dir=< and ((minerpool_http) or (minerpool_https) or (minerpool_other)))
+
+- rule: Detect outbound connections to common miner pool ports
+  desc: Miners typically connect to miner pools on common ports.
+  condition: net_miner_pool
+  output: Outbound connection to IP/Port flagged by cryptoioc.ch (command=%proc.cmdline port=%fd.rport ip=%fd.rip container=%container.info image=%container.image.repository)
+  priority: CRITICAL
+  tags: [network, mitre_execution]
+
+- rule: Detect crypto miners using the Stratum protocol
+  desc: Miners typically specify the mining pool to connect to with a URI that begins with 'stratum+tcp'
+  condition: spawned_process and proc.cmdline contains "stratum+tcp"
+  output: Possible miner running (command=%proc.cmdline container=%container.info image=%container.image.repository)
+  priority: CRITICAL
+  tags: [process, mitre_execution]
+
 # Application rules have moved to application_rules.yaml. Please look
 # there if you want to enable them by adding to
 # falco_rules.local.yaml.

test/falco_tests.yaml

@@ -123,6 +123,18 @@ trace_files: !mux
     trace_file: trace_files/cat_write.scap
     all_events: True
 
+  multiple_docs:
+    detect: True
+    detect_level:
+      - WARNING
+      - INFO
+      - ERROR
+    rules_file:
+      - rules/single_rule.yaml
+      - rules/double_rule.yaml
+    trace_file: trace_files/cat_write.scap
+    all_events: True
+
   rules_directory:
     detect: True
     detect_level:
@@ -435,6 +447,35 @@ trace_files: !mux
       - rules/invalid_append_macro.yaml
     trace_file: trace_files/cat_write.scap
 
+  invalid_overwrite_macro_multiple_docs:
+    exit_status: 1
+    stdout_is: |+
+      Compilation error when compiling "foo": Undefined macro 'foo' used in filter.
+      ---
+      - macro: some macro
+        condition: foo
+        append: false
+      ---
+    validate_rules_file:
+      - rules/invalid_overwrite_macro_multiple_docs.yaml
+    trace_file: trace_files/cat_write.scap
+
+  invalid_append_macro_multiple_docs:
+    exit_status: 1
+    stdout_is: |+
+      Compilation error when compiling "evt.type=execve foo": 17: syntax error, unexpected 'foo', expecting 'or', 'and'
+      ---
+      - macro: some macro
+        condition: evt.type=execve
+
+      - macro: some macro
+        condition: foo
+        append: true
+      ---
+    validate_rules_file:
+      - rules/invalid_append_macro_multiple_docs.yaml
+    trace_file: trace_files/cat_write.scap
+
   invalid_overwrite_rule:
     exit_status: 1
     stdout_contains: |+
@@ -477,6 +518,44 @@ trace_files: !mux
       - rules/invalid_append_rule.yaml
     trace_file: trace_files/cat_write.scap
 
+  invalid_overwrite_rule_multiple_docs:
+    exit_status: 1
+    stdout_is: |+
+      Undefined macro 'bar' used in filter.
+      ---
+      - rule: some rule
+        desc: some desc
+        condition: bar
+        output: some output
+        priority: INFO
+        append: false
+      ---
+    validate_rules_file:
+      - rules/invalid_overwrite_rule_multiple_docs.yaml
+    trace_file: trace_files/cat_write.scap
+
+  invalid_append_rule_multiple_docs:
+    exit_status: 1
+    stdout_contains: |+
+      Compilation error when compiling "evt.type=open bar": 15: syntax error, unexpected 'bar', expecting 'or', 'and'
+      ---
+      - rule: some rule
+        desc: some desc
+        condition: evt.type=open
+        output: some output
+        priority: INFO
+
+      - rule: some rule
+        desc: some desc
+        condition: bar
+        output: some output
+        priority: INFO
+        append: true
+      ---
+    validate_rules_file:
+      - rules/invalid_append_rule_multiple_docs.yaml
+    trace_file: trace_files/cat_write.scap
+
   invalid_missing_rule_name:
     exit_status: 1
     stdout_is: |+

test/rules/invalid_append_macro_multiple_docs.yaml

@@ -0,0 +1,8 @@
+---
+- macro: some macro
+  condition: evt.type=execve
+---
+- macro: some macro
+  condition: foo
+  append: true
+

test/rules/invalid_append_rule_multiple_docs.yaml

@@ -0,0 +1,13 @@
+---
+- rule: some rule
+  desc: some desc
+  condition: evt.type=open
+  output: some output
+  priority: INFO
+---
+- rule: some rule
+  desc: some desc
+  condition: bar
+  output: some output
+  priority: INFO
+  append: true

test/rules/invalid_overwrite_macro_multiple_docs.yaml

@@ -0,0 +1,8 @@
+---
+- macro: some macro
+  condition: evt.type=execve
+---
+- macro: some macro
+  condition: foo
+  append: false
+

test/rules/invalid_overwrite_rule_multiple_docs.yaml

@@ -0,0 +1,13 @@
+---
+- rule: some rule
+  desc: some desc
+  condition: evt.type=open
+  output: some output
+  priority: INFO
+---
+- rule: some rule
+  desc: some desc
+  condition: bar
+  output: some output
+  priority: INFO
+  append: false

test/rules/multiple_docs.yaml

@@ -0,0 +1,66 @@
+---
+#
+# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
+#
+# This file is part of falco.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+- required_engine_version: 2
+
+- list: cat_binaries
+  items: [cat]
+
+- list: cat_capable_binaries
+  items: [cat_binaries]
+
+- macro: is_cat
+  condition: proc.name in (cat_capable_binaries)
+
+- rule: open_from_cat
+  desc: A process named cat does an open
+  condition: evt.type=open and is_cat
+  output: "An open was seen (command=%proc.cmdline)"
+  priority: WARNING
+---
+#
+# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
+#
+# This file is part of falco.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# This ruleset depends on the is_cat macro defined in single_rule.yaml
+
+- rule: exec_from_cat
+  desc: A process named cat does execve
+  condition: evt.type=execve and is_cat
+  output: "An exec was seen (command=%proc.cmdline)"
+  priority: ERROR
+
+- rule: access_from_cat
+  desc: A process named cat does an access
+  condition: evt.type=access and is_cat
+  output: "An access was seen (command=%proc.cmdline)"
+  priority: INFO