feat: Support for detecting outbound connection to c2 servers with FQ…

…DN domains and IP addresses. Signed-off-by: Nicolas-Peiffer <[email protected]>
falcosecurity · Oct 10, 2022 · 780dbea · 780dbea
1 parent 79d875c
commit 780dbea
Showing 1 changed file with 31 additions and 4 deletions.
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
@@ -3052,10 +3052,37 @@
 - list: c2_server_ip_list
   items: []
 
-- rule: Outbound Connection to C2 Servers
-  desc: Detect outbound connection to command & control servers
-  condition: outbound and fd.sip in (c2_server_ip_list)
-  output: Outbound connection to C2 server (command=%proc.cmdline pid=%proc.pid connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository)
+- list: c2_server_fqdn_list
+  items: []
+
+# Use Falco HELM chart to update (append) the list with values.
+#
+#  ```yaml
+#  customRules:
+#    c2-servers-list.yaml: |-
+#      - list: c2_server_ip_list
+#        append: true
+#        items: 
+#        - "'51.178.161.32'"
+#        - "'46.101.90.205'"
+#        
+#      - list: c2_server_fqdn_list
+#        append: true
+#        items: 
+#        - "srv-web.ffconsulting.com"
+#        - "57.ip-142-44-247.net"
+#  ```
+
+- rule: Outbound Connection to C2 Servers IPs and FQDNs
+  desc: >
+    Detect outbound connection to command & control servers. For example, fetch
+    a list of IP addresses and FQDN on this website:
+    https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.json.
+  condition: >
+    outbound and 
+    ((fd.sip in (c2_server_ip_list)) or
+     (fd.sip.name in (c2_server_fqdn_list)))
+  output: Outbound connection to C2 server IPs and FQDNs (command=%proc.cmdline connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository)
   priority: WARNING
   tags: [network]