Improve rules for Docker listener #293
Conversation
Waiting for further changes by @cristgl.

At the time, every Docker event generated matches a rule and its specific alert is triggered. This seems like a problem, as each command can generate more than one event. I have written a comment at issue #294 where I relate the Docker command with the rule matched, the event and the alert triggered. There, it can be seen that almost every command generates more than one event, which means that, for example, for the event

```xml
<rule id="87908" level="3">
  <if_sid>87907</if_sid>
  <field name="docker.status">^exec_start: bash</field>
```
This condition does only catch:
- bash
- /bin/bash
- sh
- /bin/sh
- dash
- /bin/dash
Why don't we add a rule for the

```json
{
  "integration": "docker",
  "docker": {
    "status": "pull",
    "id": "centos:latest",
    "Type": "image",
    "Action": "pull",
    "Actor": {
      "ID": "centos:latest",
      "Attributes": {
        "name": "centos",
        "org.label-schema.build-date": "20181205",
        "org.label-schema.license": "GPLv2",
        "org.label-schema.name": "CentOS Base Image",
        "org.label-schema.schema-version": "1.0",
        "org.label-schema.vendor": "CentOS"
      }
    },
    "scope": "local",
    "time": 1551182693,
    "timeNano": 1551182693249997000
  }
}
```
Issues detected

- `docker exec` incorrectly triggered rules 87901 (container created) and 87903 (container started).

Point (2) rationale:

`docker exec` produces a log like this:

Rule 87901 contains this filter:

This makes `docker exec` trigger rule 87903.

Changes proposed

- `<field>` filters in those rules to match the exact string (instead of a substring).
- (... `docker exec`).

Sample alert
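The following is an added illustration, not code from the wazuh project or from this PR, of why a substring `<field>` filter on `docker.status` lets `docker exec` events fire the "container created" and "container started" rules, and why anchoring the pattern to the exact status fixes it. The sample events and the filter strings for rules 87901 and 87903 are constructed assumptions (the PR only states that the old filters matched a substring); the `^exec_start: bash` pattern for 87908 is the one quoted in the review comment. Python's `re` is used here to emulate the matching; Wazuh's own regex engine has its own syntax, so the point is the anchoring, not the exact dialect.

```python
"""Constructed example: substring vs. exact matching of docker.status.

Not wazuh code. Emulates how a Wazuh-style <field name="docker.status">
filter behaves when it matches a substring of the status versus the whole
status string, using the rule ids mentioned in PR #293.
"""
import re

# Constructed sample events, one per Docker command. The exec_* statuses
# are the ones the PR says were wrongly matching the container rules.
SAMPLE_EVENTS = [
    {"cmd": "docker run",  "docker": {"status": "create", "Type": "container"}},
    {"cmd": "docker run",  "docker": {"status": "start", "Type": "container"}},
    {"cmd": "docker exec", "docker": {"status": "exec_create: bash", "Type": "container"}},
    {"cmd": "docker exec", "docker": {"status": "exec_start: bash", "Type": "container"}},
    {"cmd": "docker exec", "docker": {"status": "exec_start: /bin/sh -c id", "Type": "container"}},
    {"cmd": "docker pull", "docker": {"status": "pull", "Type": "image"}},
]

# Assumed filters for 87901/87903 (the PR only says they matched a
# substring). 87908 uses the pattern quoted in the review comment.
SUBSTRING_RULES = {87901: "create", 87903: "start", 87908: "^exec_start: bash"}

# Proposed form: the container rules match the exact status string.
EXACT_RULES = {87901: "^create$", 87903: "^start$", 87908: "^exec_start: bash"}

EXEC_STATUS = re.compile(r"^exec_(create|start|die): (.*)$")


def matching_rules(event, rules):
    """Return the sorted rule ids whose docker.status filter matches the event."""
    status = event["docker"]["status"]
    return sorted(rid for rid, pattern in rules.items() if re.search(pattern, status))


def exec_command(status):
    """Split an exec_* status into (action, command), or None for other statuses.

    Extracting the command lets a rule match any exec_start and inspect the
    program instead of enumerating shell names in the filter, which is the
    limitation raised in the review comment on rule 87908.
    """
    m = EXEC_STATUS.match(status)
    if not m:
        return None
    return m.group(1), m.group(2)


def evaluate(events, rules):
    """Map each event's status to the rule ids that would fire under `rules`."""
    return {e["docker"]["status"]: matching_rules(e, rules) for e in events}


if __name__ == "__main__":
    print("substring filters:", evaluate(SAMPLE_EVENTS, SUBSTRING_RULES))
    print("exact filters:    ", evaluate(SAMPLE_EVENTS, EXACT_RULES))
    for e in SAMPLE_EVENTS:
        print(e["docker"]["status"], "->", exec_command(e["docker"]["status"]))
```

Running it shows `exec_create: bash` firing 87901 and `exec_start: bash` firing 87903 under the substring filters, while under the anchored filters only the genuine `create`/`start` statuses reach those rules and `exec_start: bash` is left to 87908 alone; `exec_start: /bin/sh -c id` matches neither `^exec_start: bash` nor the container rules, which is the gap `exec_command` is meant to close.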