Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

disable cryptomining rule by default; add exception of localhost and … #1061

Merged
merged 2 commits into from
Mar 4, 2020

Conversation

Kaizhe
Copy link
Contributor

@Kaizhe Kaizhe commented Feb 25, 2020

…rfc1918 ip addresses

Signed-off-by: kaizhe [email protected]

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

/kind feature

If contributing rules or changes to rules, please make sure to also uncomment one of the following line:

/kind rule-update

/kind rule-create

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area build

/area engine

/area examples

/area rules

/area integrations

/area tests

/area proposals

What this PR does / why we need it:

Which issue(s) this PR fixes:

Fixes #

  1. Disable rule Detect outbound connections to common miner pool ports
  2. Add localhost and RFC1918 addresses as exception in the rule.

Special notes for your reviewer:
Heard complaints about falco sends out DNS lookup request to resolve miner domain which trigger alerts in cloud environment. We may want to disable this rule by default. And let user to decide to turn it on or not.

Also address FP that from localhost or RFC1918 ip addresses.

Does this PR introduce a user-facing change?:

rule(Detect outbound connections to common miner pool ports): disabled by default
rule(macro net_miner_pool): add localhost and RFC1918 addresses as exception in the rule.

Signed-off-by: kaizhe <[email protected]>
Copy link
Member

@leodido leodido left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Need to only adjust the release-note block according to rule rules

@poiana
Copy link
Contributor

poiana commented Mar 3, 2020

LGTM label has been added.

Git tree hash: 25b473db4634e526390fb4f9a3055affa1646123

@poiana poiana added the approved label Mar 3, 2020
@poiana
Copy link
Contributor

poiana commented Mar 4, 2020

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: fntlnz, leodido

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@poiana poiana merged commit 4a8d8a0 into master Mar 4, 2020
@poiana poiana deleted the kh_disable-mining-rule branch March 4, 2020 08:28
@leodido
Copy link
Member

leodido commented Mar 10, 2020

/milestone 0.21.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants