
New transformer: getopt(<args>, <optstring>) #1928

Open
Tracked by #3255
leogr opened this issue Jun 20, 2024 · 5 comments
Labels
kind/feature New feature or request

Comments

@leogr
Member

leogr commented Jun 20, 2024

Motivation

By introducing a transformer that works like the C getopt() function, rule authors can more easily match and handle POSIX command-line arguments. This addition will streamline the creation of rules involving command-line options, ensuring greater flexibility and accuracy in rule writing.

Feature

Introduce a getopt(<args>, <optstring>) transformer to handle command-line arguments, mimicking the functionality of the C getopt() function.

Usage examples:

  • (n, t) in getopt(proc.args, "nt:")
  • getopt(proc.args, "nt:")[t] = val
  • getopt(proc.args, "nt:") intersects (n, t)

Alternatives

Doing nothing and sticking with the current way of handling this does not seem a compelling alternative:

```yaml
- rule: Netcat Remote Code Execution in Container
  desc: >
    Netcat Program runs inside container that allows remote code execution and may be utilized
    as a part of a variety of reverse shell payload https://github.com/swisskyrepo/PayloadsAllTheThings/.
    These programs are of higher relevance as they are commonly installed on UNIX-like operating systems.
    Can fire in combination with the "Redirect STDOUT/STDIN to Network Connection in Container"
    rule as it utilizes a different evt.type.
  condition: >
    spawned_process
    and container
    and ((proc.name = "nc" and (proc.cmdline contains " -e" or
                                proc.cmdline contains " -c")) or
         (proc.name = "ncat" and (proc.args contains "--sh-exec" or
                                  proc.args contains "--exec" or proc.args contains "-e " or
                                  proc.args contains "-c " or proc.args contains "--lua-exec"))
         )
```

Additional context

Design consideration: it is yet to be decided whether the getopt(<args>, <optstring>) transformer should mimic the getopt_long() function (which also accepts long options starting with two dashes) or if both getopt and getopt_long transformers should be introduced. This design choice can be deferred to the implementation stage.

References:

cc @darryk10 @loresuso

@loresuso
Member

I am rooting for this new feature! Unfortunately, sometimes we can't make rules precisely on a syscall, and we end up building it on the command line (proc.cmdline) which is most of the time very tricky and easily bypassable for a number of reasons:

  • sometimes we need to check whether or not a group of options was specified (let's say a b c). Some tools will allow -abc, -a -b -c or also any other combination (like -bca). Nowadays, we should enumerate all the possible sequences to detect this. (n, t) in getopt(proc.args, "nt:") would totally solve this use case.
  • sometimes we would like to use our operators (like startswith, endswith or even contains) just on the value of the option and not on the whole command line. So I strongly support also implementing getopt(proc.args, "nt:")[t] = val. Not sure if it can be implemented this way due to the [], but we can certainly think about how to make it happen.

Lastly, if we are going in this direction, I would say that implementing getopt_long shouldn't be that hard and will let us complete the picture of making stronger detections on command line arguments. 🎉
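As an added example, not code from the Falco project or from either commenter: a small Python prototype of the POSIX getopt(3) semantics the proposed transformer would need, covering the clustered-flag case (-abc, -a -b -c, -bca) raised above and the three usage shapes listed in the issue. It assumes proc.args has already been split into a list of words; parse_optstring, getopt, has_all, value_is and intersects are hypothetical names.

```python
# Added example, not Falco's code: a getopt(3)-style parser over a proc.args-like
# list, prototyping the semantics the proposed transformer would need.

def parse_optstring(optstring):
    """Map each option letter in a getopt(3) optstring (e.g. "nt:") to
    whether it takes an argument (marked by a trailing ':')."""
    spec, i = {}, 0
    while i < len(optstring):
        takes_arg = optstring[i + 1:i + 2] == ":"
        spec[optstring[i]] = takes_arg
        i += 2 if takes_arg else 1
    return spec


def getopt(args, optstring):
    """Return {letter: value} for the options in args (True for a bare flag).
    Accepts clustered flags ("-nt bash"), attached ("-tbash") and detached
    ("-t bash") arguments; stops at "--" or the first operand, as POSIX does."""
    spec, opts, i = parse_optstring(optstring), {}, 0
    while i < len(args):
        word = args[i]
        if word == "--" or not word.startswith("-") or word == "-":
            break
        j = 1
        while j < len(word):
            ch = word[j]
            if ch not in spec:
                opts.setdefault("?", []).append(ch)  # unknown option letter
                j += 1
            elif spec[ch]:
                rest = word[j + 1:]
                if rest:
                    opts[ch] = rest
                else:
                    i += 1
                    opts[ch] = args[i] if i < len(args) else ""
                break  # the argument consumed the rest of this word
            else:
                opts[ch] = True
                j += 1
        i += 1
    return opts


def has_all(opts, wanted):        # (n, t) in getopt(proc.args, "nt:")
    return all(o in opts for o in wanted)

def value_is(opts, letter, val):  # getopt(proc.args, "nt:")[t] = val
    return opts.get(letter) == val

def intersects(opts, wanted):     # getopt(proc.args, "nt:") intersects (n, t)
    return any(o in opts for o in wanted)
```

Note that with "nt:" the cluster "-tn" parses as option t with argument "n", exactly as C getopt would, which is why a cluster-aware parser rather than substring matching is what the rule patterns above need.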

@poiana
Contributor

poiana commented Sep 19, 2024

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@loresuso
Member

/remove-lifecycle stale

@poiana
Contributor

poiana commented Dec 19, 2024

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@leogr
Member Author

leogr commented Dec 19, 2024

/remove-lifecycle stale
