-
Notifications
You must be signed in to change notification settings - Fork 897
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Rules for miners should not resolve the address for the miner #835
Comments
/area rules |
Thanks for digging into this. The goal behind An easy solution might be to add a macro to enable or disable this rule, with a comment above it explaining that turning this rule will cause DNS lookups to occur for these domains. |
I like the solution you're proposing Michael. I think this improvement should be scheduled for the next release. WDYT? |
I think there might be downstream implications to this. @Kaizhe if we make this change, do you need to do anything on your side as you're a consumer of these rules with Sysdig Secure. |
ping @Kaizhe |
Yeah, this bug just generated a bit of a confusing, but fortunately short, fire drill for us. |
@sporkmonger This is keeping hitting everyone :) Everyone, not sure what we want to do with this? Maybe worth discussing at the next office hours? |
This affected us by firing some pretty high priority AWS GuardDuty alerts for We spent quite a bit of time tracking this down to the above change after isolating the source EC2 instance and destroying it. |
I just encountered this today and lost part of the day looking into it only to find that it was falco doing this. The DNS traffic was flagged by my SIEM and I spent several hours tracking it down. I like the concept of dynamically keeping the DNS names up to date so you can track malicious behavior at the IP level, but querying the DNS name inside the cluster natively is probably not the best way IMO. Is there an external source of truth we can use here that doesn't require a DNS lookup? Otherwise, this is almost like a security team Chaos Monkey, triggering fire drills for everyone ;) |
@jseadragon thanks for the input. I am thinking maybe we should disable this rule by default. Alternatively, the security team needs to find a way to dynamically update the cryptoming IP addresses before enable this rule. |
I think the near term fix should be to disable by default until a longer term resolution presents itself. There's many other good ways to get alerts for this behavior. It doesn't need to be Falco doing the alerting and if someone doesn't have good coverage for this risk, they can still optionally turn this on. Having it on by default is much more likely to create unnecessary work than it is to reveal a breach that would otherwise go undetected. Edit: GuardDuty in particular will happily alert hundreds of thousands of times for this. |
We got hit by this today as well. |
I propose to close this because #1061 has been merged in. |
/close |
@leodido: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
What happened:
After starting Falco, I noticed that there was a strange DNS activity in my network towards some domains like
de.minemxr.com
.Initially this issue had been reported to me by Pi-Hole
Then I dug a bit more using wireshark and noticed this was related to falco itself.
This happens because the miners rules, use the
fd.sip.name
filtercheck that does such resolution. See here for documentation.falco/rules/falco_rules.yaml
Line 2555 in 39b5156
What you expected to happen:
The rule works without resolving the domain name for mining pools.
How to reproduce it (as minimally and precisely as possible):
Anything else we need to know?:
While this might be technically right, it raises a warning in the eyes of any operator looking at it, in fact users already reported this kind of activity in the Falco slack, and it might seem that the machine is actually mining when it's not.
I personally felt very bad when I saw such connections in my systems, it seemed like someone hacked my workstation.
Environment:
falco --version
): 0.17.0cat /etc/os-release
):uname -a
):5.2.13-arch1-1-ARCH
The text was updated successfully, but these errors were encountered: