From 9d863e8ebf85de4d09f98d69f094186a9ad6966b Mon Sep 17 00:00:00 2001
From: h4l0gen
Date: Wed, 20 Mar 2024 23:41:09 +0530
Subject: [PATCH] adding an event on interpreted procs inbound network activity
Signed-off-by: h4l0gen
adding an event on interpreted procs inbound network activity
Signed-off-by: h4l0gen
commits squashed
Signed-off-by: h4l0gen
---
events/helper/inbound_connection.go | 63 +++++++++++++++++++
.../interpreted_inbound_network_activity.go | 28 +++++++++
2 files changed, 91 insertions(+)
create mode 100644 events/helper/inbound_connection.go
create mode 100644 events/syscall/interpreted_inbound_network_activity.go
diff --git a/events/helper/inbound_connection.go b/events/helper/inbound_connection.go
new file mode 100644
index 00000000..d2f17435
--- /dev/null
+++ b/events/helper/inbound_connection.go
@@ -0,0 +1,63 @@
+// SPDX-License-Identifier: Apache-2.0
+/*
+Copyright (C) 2023 The Falco Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package helper
+
+import (
+ "fmt"
+ "net"
+
+ "github.com/falcosecurity/event-generator/events"
+)
+
+var _ = events.Register(InboundConnection)
+
+func InboundConnection(h events.Helper) error {
+ address, _ := getRandomLocalAddress()
+ listener, err := net.Listen("tcp", address)
+ if err != nil {
+ return err
+ }
+ fmt.Println("Server started on", address)
+ defer listener.Close()
+ fmt.Println("Server closed on", address)
+ return nil
+}
+
+func getRandomLocalAddress() (string, error) {
+ addrs, err := net.InterfaceAddrs()
+ if err != nil {
+ return "", err
+ }
+ for _, addr := range addrs {
+ ipNet, ok := addr.(*net.IPNet)
+ if !ok {
+ continue
+ }
+ if ipNet.IP.IsLoopback() || ipNet.IP.IsUnspecified() {
+ continue
+ }
+ ip := ipNet.IP.To4()
+ if ip == nil {
+ continue
+ }
+ listener, err := net.ListenTCP("tcp4", &net.TCPAddr{IP: ip})
+ if err != nil {
+ continue
+ }
+ listener.Close()
+ return fmt.Sprintf("%s:%d", ip, listener.Addr().(*net.TCPAddr).Port), nil
+ }
+ return "", fmt.Errorf("no valid local address found")
+}
diff --git a/events/syscall/interpreted_inbound_network_activity.go b/events/syscall/interpreted_inbound_network_activity.go
new file mode 100644
index 00000000..deaae373
--- /dev/null
+++ b/events/syscall/interpreted_inbound_network_activity.go
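Review bot: In `InboundConnection` (events/helper/inbound_connection.go) the error from `getRandomLocalAddress()` is discarded, so on a host with no non-loopback IPv4 address `address` is empty and `net.Listen("tcp", "")` binds a port on every interface instead of failing. Check it before listening: `address, err := getRandomLocalAddress()` followed by `if err != nil { return err }`. `getRandomLocalAddress` also binds a probe listener, closes it and leaves the caller to bind the same port again, which can fail if another process takes the port in between; returning the open listener from the helper would avoid the second bind. `fmt.Println("Server closed on", address)` runs before the deferred `listener.Close()`, so the message is printed while the socket is still open.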
@@ -0,0 +1,28 @@
+// SPDX-License-Identifier: Apache-2.0
+/*
+Copyright (C) 2024 The Falco Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package syscall
+
+import (
+ "github.com/falcosecurity/event-generator/events"
+)
+
+var _ = events.Register(
+ InterpretedProcsInboundNetworkActivity,
+ events.WithDisabled(), // this rule is not included in falco_rules.yaml (stable rules), so disable the action
+)
+
+func InterpretedProcsInboundNetworkActivity(h events.Helper) error {
+ return h.SpawnAs("lua", "helper.InboundConnection")
+}
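Review bot: `InterpretedProcsInboundNetworkActivity` is exported without a doc comment, and nothing in events/syscall/interpreted_inbound_network_activity.go says why the helper is spawned as `lua` or what the action is expected to trigger. I would add `// InterpretedProcsInboundNetworkActivity runs helper.InboundConnection under the process name "lua" so the listening socket is attributed to an interpreter.` above the function, assuming `SpawnAs` sets the process name, which is not shown here. The helper it spawns only opens and closes a listener and never accepts a connection; whether that alone matches the target rule is not visible in this patch, so the comment should also state which syscall is expected to match.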