Improve visibility on the `ioctl` events · Issue #1328 · falcosecurity/libs
Improve visibility on the ioctl events #1328
Open
@Biagio-Dipalma

Description

Motivation

This syscall can be handy to detect suspicious/malicious operations with network interfaces. To achieve this we need more details about the interface provided in the entry event: at the moment we see the memory address of the object (in the argument field).

For example, here is an example of C code to set a network interface in promiscuous mode:

    /* Fragment: assumes <sys/ioctl.h>, <net/if.h>, <unistd.h>, <stdio.h>, <stdlib.h>,
     * an open AF_INET socket `sock` and a struct ifreq `ifr` with ifr_name filled in. */
    if (ioctl(sock, SIOCGIFFLAGS, &ifr) == -1) {   /* read current flags (request 0x8913) */
        perror("Failed to get interface flags");
        close(sock);
        exit(1);
    }
    ifr.ifr_flags |= IFF_PROMISC;                  /* add the promiscuous bit */
    if (ioctl(sock, SIOCSIFFLAGS, &ifr) == -1) {   /* write flags back (request 0x8914) */
        perror("Failed to set promiscuous mode");
        close(sock);
        exit(1);
    }

this is what we see in Falco:

14:19:29.179213999: Warning IOCTL event (evt.args=fd=3(<4>) request=8913 argument=7FFE4A0E97B0  fd.type=ipv4 fd.name= fd.sockfamily=ip proc.name=set-promiscous)
14:19:29.179219373: Warning IOCTL event (evt.args=fd=3(<4>) request=8914 argument=7FFE4A0E97B0  fd.type=ipv4 fd.name= fd.sockfamily=ip proc.name=set-promiscous)

Feature

In this case we might need to update the arguments to see the flags applied to the network interface and get only the malicious/suspicious ones.
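As an added illustration (not code from the issue or from falcosecurity/libs) of what a consumer could do with the event once the `ifreq` flags are exposed: the script below parses the two Falco lines quoted above, maps the numeric `request` to its `SIOC*` name, and, for a hypothetical decoded form of the event that carries the `ifr_flags` value, pairs a `SIOCGIFFLAGS` read with the following `SIOCSIFFLAGS` write on the same fd and reports when `IFF_PROMISC` is newly set. The `flags` field and the sample flag values (`0x1043` before, `0x1143` after) are constructed for the example; the request numbers and `IFF_*` bit values are the Linux ones from `<linux/sockios.h>` and `<linux/if.h>`.

```python
import re

# ioctl request numbers for the socket/interface family (Linux <linux/sockios.h>).
SOCKIOS = {
    0x8912: "SIOCGIFCONF",
    0x8913: "SIOCGIFFLAGS",
    0x8914: "SIOCSIFFLAGS",
    0x8915: "SIOCGIFADDR",
    0x8916: "SIOCSIFADDR",
}

# Interface flag bits (Linux <linux/if.h>), the ones most useful for triage.
IFF_FLAGS = {
    0x1: "IFF_UP", 0x2: "IFF_BROADCAST", 0x8: "IFF_LOOPBACK", 0x40: "IFF_RUNNING",
    0x80: "IFF_NOARP", 0x100: "IFF_PROMISC", 0x200: "IFF_ALLMULTI", 0x1000: "IFF_MULTICAST",
}
IFF_PROMISC = 0x100

# Falco output lines as quoted in the issue (fd=N(<...>) request=HEX argument=HEX ... proc.name=X).
EVT_RE = re.compile(r"fd=(?P<fd>\d+).*?request=(?P<req>[0-9A-Fa-f]+)\s+argument=(?P<arg>[0-9A-Fa-f]+)")
PROC_RE = re.compile(r"proc\.name=([^\s)]+)")

def parse_event(line):
    """Return the fd, decoded request name, raw argument and process name of one Falco line."""
    m = EVT_RE.search(line)
    if not m:
        return None
    req = int(m["req"], 16)           # Falco prints the request number in hex without 0x
    proc = PROC_RE.search(line)
    return {
        "fd": int(m["fd"]),
        "request": req,
        "request_name": SOCKIOS.get(req, f"0x{req:x}"),
        "argument": m["arg"],          # today: only the user-space address of the ifreq
        "proc": proc[1] if proc else None,
    }

def decode_flags(flags):
    """Expand an ifr_flags bitmask into flag names, lowest bit first."""
    return [name for bit, name in sorted(IFF_FLAGS.items()) if flags & bit]

def promisc_enabled(old_flags, new_flags):
    """True when a SIOCSIFFLAGS write turns on IFF_PROMISC that the preceding read did not have."""
    return bool(new_flags & IFF_PROMISC) and not (old_flags & IFF_PROMISC)

def review(events):
    """Pair GET/SET flag ioctls per fd and report newly enabled promiscuous mode.

    `events` are parse_event() dicts optionally extended with a hypothetical "flags"
    field holding the ifr_flags value (the data the issue asks the driver to expose).
    """
    findings = []
    last_get = {}
    for ev in events:
        if ev["request"] == 0x8913:                     # SIOCGIFFLAGS: remember what the kernel returned
            last_get[ev["fd"]] = ev.get("flags")
        elif ev["request"] == 0x8914:                   # SIOCSIFFLAGS: compare with the last read
            old = last_get.get(ev["fd"]) or 0
            new = ev.get("flags")
            if new is not None and promisc_enabled(old, new):
                findings.append(f"{ev['proc']}: IFF_PROMISC enabled, flags now {decode_flags(new)}")
    return findings

# Constructed sample: the two lines from the issue, with flags values added as they might
# look once the event carries ifr_flags (0x1043 = UP|BROADCAST|RUNNING|MULTICAST).
SAMPLE_LINES = [
    "14:19:29.179213999: Warning IOCTL event (evt.args=fd=3(<4>) request=8913 argument=7FFE4A0E97B0  fd.type=ipv4 fd.name= fd.sockfamily=ip proc.name=set-promiscous)",
    "14:19:29.179219373: Warning IOCTL event (evt.args=fd=3(<4>) request=8914 argument=7FFE4A0E97B0  fd.type=ipv4 fd.name= fd.sockfamily=ip proc.name=set-promiscous)",
]
SAMPLE_FLAGS = [0x1043, 0x1143]   # constructed: second value adds IFF_PROMISC (0x100)

def review_sample():
    events = []
    for line, flags in zip(SAMPLE_LINES, SAMPLE_FLAGS):
        ev = parse_event(line)
        ev["flags"] = flags
        events.append(ev)
    return review(events)

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_event(line))
    for finding in review_sample():
        print(finding)
```

Without the flags value the best a rule can do today is match `request=8914` on a socket fd, which fires for every interface flag change (bringing a link up, toggling multicast); pairing the read with the write and diffing the bitmask is what lets a rule alert only on the `IFF_PROMISC` transition.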

Alternatives

Additional context

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests
