Add sendto/recvfrom in inbound/outbound macros

Expand the inbound/outbound macros to handle sendfrom/recvto events, so they can work on unconnected udp sockets. In order to avoid a flood of events, they also depend on fd.name_changed to only consider sendto/recvfrom when the connection tuple changes. Also make the check for protocol a positive check for udp instead of not tcp, to avoid a warning about event type filters potentially appearing before a negative condition. This makes filtering rules by event type easier. This depends on draios/sysdig#1052.
falcosecurity · Feb 2, 2018 · e9286e6 · e9286e6
1 parent 5ea4ad0
commit e9286e6
Showing 1 changed file with 8 additions and 4 deletions.
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
@@ -289,12 +289,16 @@
 
 # Network
 - macro: inbound
-  condition: ((evt.type=listen and evt.dir=>) or (evt.type=accept and evt.dir=<))
+  condition: >
+    ((evt.type in (accept,listen) and evt.dir=<) or
+     (evt.type in (recvfrom,recvmsg) and fd.l4proto = udp and fd.name_changed=true) and
+      (fd.typechar = 4 or fd.typechar = 6))
 
-# Currently sendto is an ignored syscall, otherwise this could also
-# check for (evt.type=sendto and evt.dir=>)
 - macro: outbound
-  condition: evt.type=connect and evt.dir=< and (fd.typechar=4 or fd.typechar=6)
+  condition: >
+    ((evt.type = connect and evt.dir=<) or
+     (evt.type in (sendto,sendmsg) and fd.l4proto = udp and fd.name_changed=true) and
+     (fd.typechar = 4 or fd.typechar = 6))
 
 - macro: ssh_port
   condition: fd.lport=22