From dcb78ef80b2a9bfbcd62e443847ef3f07744f4a6 Mon Sep 17 00:00:00 2001
From: kaizhe
Date: Tue, 25 Feb 2020 13:41:59 -0800
Subject: [PATCH 1/2] disable cryptomining rule by default; add exception of localhost and rfc1918 ip addresses
Signed-off-by: kaizhe
---
 rules/falco_rules.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 75a33f154a6..b0fa34b0dae 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -2627,11 +2627,12 @@
 condition: (fd.sport in (miner_ports) and fd.sip.name in (miner_domains))
 - macro: net_miner_pool
- condition: (evt.type in (sendto, sendmsg) and evt.dir=< and ((minerpool_http) or (minerpool_https) or (minerpool_other)))
+ condition: (evt.type in (sendto, sendmsg) and evt.dir=< and (fd.net != "127.0.0.0/8" and not fd.snet in (rfc_1918_addresses)) and ((minerpool_http) or (minerpool_https) or (minerpool_other)))
 - rule: Detect outbound connections to common miner pool ports
 desc: Miners typically connect to miner pools on common ports.
 condition: net_miner_pool
+ enabled: false
 output: Outbound connection to IP/Port flagged by cryptoioc.ch (command=%proc.cmdline port=%fd.rport ip=%fd.rip container=%container.info image=%container.image.repository)
 priority: CRITICAL
 tags: [network, mitre_execution]
From c23aa42a73610ecc379389c329393f1d9f4e4b58 Mon Sep 17 00:00:00 2001
From: kaizhe
Date: Tue, 25 Feb 2020 14:14:03 -0800
Subject: [PATCH 2/2] add comments
Signed-off-by: kaizhe
---
 rules/falco_rules.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index b0fa34b0dae..20dd27c8918 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
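Review bot: The new exception in the `net_miner_pool` condition mixes two different fields: the loopback test uses `fd.net`, which as far as I recall matches either endpoint of the connection, while the private-range test uses `fd.snet`, the server-side network. Because the macro already restricts itself to outbound sends (`evt.dir=<`), the endpoint of interest is presumably the remote pool, so writing both terms against the same field, `(fd.snet != "127.0.0.0/8" and not fd.snet in (rfc_1918_addresses))`, would be uniform and easier to reason about, unless `fd.net` was chosen deliberately to mirror other outbound macros in the file, in which case a comment should say so. The carve-out is also a deliberate detection gap that deserves a comment on the macro, e.g. `# Loopback and RFC1918 destinations are excluded to cut noise from internal services; a mining proxy or relay on a private address will not be caught by this macro.`. `rfc_1918_addresses` is referenced but defined outside this hunk, so its contents cannot be checked here.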
@@ -2629,6 +2629,8 @@
 - macro: net_miner_pool
 condition: (evt.type in (sendto, sendmsg) and evt.dir=< and (fd.net != "127.0.0.0/8" and not fd.snet in (rfc_1918_addresses)) and ((minerpool_http) or (minerpool_https) or (minerpool_other)))
+# The rule is disabled by default.
+# Note: falco will send DNS request to resolve miner pool domain which may trigger alerts in your environment.
 - rule: Detect outbound connections to common miner pool ports
 desc: Miners typically connect to miner pools on common ports.
 condition: net_miner_pool
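Review bot: The added comments state that the rule is disabled but not why, nor how an operator turns it back on, and the DNS note does not say which list is being resolved. Suggest replacing the two lines with `# Disabled by default: matching fd.sip.name against miner_domains requires Falco to resolve those names over DNS (per the author), and those lookups may themselves trigger DNS-based alerts in your environment; override the rule with enabled: true in a local rules file to turn it on.`, which also fixes the grammar of the original (`DNS requests`, `miner pool domains`). The `- rule:` block these comments introduce continues past the end of the hunk.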