
Feature Request for Reverse DNS Lookup on Specific IP for Outbound Network Analysis #3401

Open
codechirag123 opened this issue Nov 12, 2024 · 0 comments

codechirag123 commented Nov 12, 2024

Motivation

We leverage Falco's network monitoring functionality to monitor our EKS cluster's outbound traffic to public IPs for analysing possible data leaks. With help from the community and Falco's configuration of custom rules, we're able to get the public IPs requested by each pod. As an additional step to this solution, we want to view the DNS name which belongs to that public IP, something like a reverse lookup or dig. Communicating with the community indicated that it could be possible with the development of a plugin. So this is a feature request that we would like to raise.

Feature

A plugin that would help Falco look up/dig the DNS name of the IP that is being recorded in the network analysis logs for the Kubernetes cluster with audit events.

Additional context

This is what a log line looks like.
{"hostname":"ip-172-19-5-194.eu-west-1.compute.internal","output":"09:56:58.271613580: Warning Outbound network traffic connection from a Pod: (pod=anc-66cb96ddd9-sskkg namespace=crbs localip=172.19.5.204 remoteip=212.24.175.206 srcip=172.19.5.204 dstip=212.24.175.206 dstport=443 proto=tcp procname=node command=node --max_old_space_size=6144 --max-semi-space-size=128 ./modules/sync.run.js procpname=node connection=172.19.5.204:41554->212.24.175.206:443 clientdnsname=<NA> remotednsname=<NA> localdnsname=<NA> servername=<NA> dnsname=<NA> type=ipv4 typechar=4) container_id=896340612d3f container_image= container_image_tag= container_name=api-server k8s_ns=crbs k8s_pod_name=anc-66cb96ddd9-sskkg","output_fields":{"container.id":"896340612d3f","container.image.repository":"","container.image.tag":"app-prod-latest-alpine-18.20.2","container.name":"api-server","evt.buffer":null,"evt.time":1731405418271613580,"fd.cip":"172.19.5.204","fd.cip.name":null,"fd.l4proto":"tcp","fd.lip":"172.19.5.204","fd.lip.name":null,"fd.name":"172.19.5.204:41554->212.24.175.206:443","fd.rip":"212.24.175.206","fd.rip.name":null,"fd.sip":"212.24.175.206","fd.sip.name":null,"fd.sport":443,"fd.type":"ipv4","fd.typechar":"4","k8s.ns.name":"crbs","k8s.pod.name":"anc-66cb96ddd9-sskkg","proc.cmdline":"node --max_old_space_size=6144 --max-semi-space-size=128 ./modules/api.sync.run.js","proc.name":"node","proc.pname":"node"},"priority":"Warning","rule":"kubernetes outbound connection","source":"syscall","tags":[],"time":"2024-11-12T09:56:58.271613580Z"}

The dnsname and other address-name fields are null because there is no feature to look up the IPs in Falco. Also, we're not sure how to use these fields or why these fields are used.

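The enrichment the issue asks for, done outside Falco as an added example (this is not Falco's code, not a Falco plugin, and not something the issue author posted): read Falco's JSON output line by line, take the remote address from `output_fields["fd.rip"]`, skip non-public addresses, and attach the PTR name with a small cache so a chatty pod does not turn every event into a DNS query. The sample events below are constructed from the log line in the issue, trimmed to the fields the script uses; the resolver is injectable so the script runs offline, and by default it uses `socket.gethostbyaddr`.

```python
"""Reverse-DNS enrichment for Falco JSON output lines (added example, not Falco code).

Reads Falco events (one JSON object per line, as produced with json_output=true),
takes the remote IP from output_fields["fd.rip"], and attaches a PTR name as
"remote_ptr". Private and otherwise non-global addresses are not looked up.
"""
import ipaddress
import json
import socket
import sys
import time
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Constructed sample input: two events trimmed from the issue's log line
# (one public remote IP, one RFC 1918 remote IP) plus a junk line.
SAMPLE_EVENTS = [
    '{"output_fields":{"fd.rip":"212.24.175.206","fd.rip.name":null,'
    '"k8s.ns.name":"crbs","k8s.pod.name":"anc-66cb96ddd9-sskkg"},'
    '"priority":"Warning","rule":"kubernetes outbound connection"}',
    '{"output_fields":{"fd.rip":"172.19.5.10","fd.rip.name":null,'
    '"k8s.ns.name":"crbs","k8s.pod.name":"anc-66cb96ddd9-sskkg"},'
    '"priority":"Warning","rule":"kubernetes outbound connection"}',
    'not json at all',
]

Resolver = Callable[[str], Optional[str]]


def system_ptr_lookup(ip: str, timeout: float = 2.0) -> Optional[str]:
    """PTR lookup through the system resolver; None when there is no PTR record
    or the lookup fails/times out. Bounded so a slow resolver cannot stall the pipeline."""
    previous = socket.getdefaulttimeout()
    socket.setdefaulttimeout(timeout)
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None
    finally:
        socket.setdefaulttimeout(previous)


class PtrCache:
    """Caches hits and misses for `ttl` seconds so repeated connections to the
    same remote IP cost one resolver call, not one per event."""

    def __init__(self, resolver: Resolver, ttl: float = 300.0) -> None:
        self._resolver = resolver
        self._ttl = ttl
        self._entries: Dict[str, Tuple[Optional[str], float]] = {}
        self.lookups = 0  # real resolver calls made; useful as a metric

    def name_for(self, ip: str) -> Optional[str]:
        now = time.monotonic()
        cached = self._entries.get(ip)
        if cached is not None and cached[1] > now:
            return cached[0]
        self.lookups += 1
        name = self._resolver(ip)
        self._entries[ip] = (name, now + self._ttl)
        return name


def is_public(ip: str) -> bool:
    """True for globally routable addresses; private, loopback, link-local,
    documentation ranges and unparsable strings are False."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def enrich_event(line: str, cache: PtrCache) -> Optional[dict]:
    """Return the event with remote_ptr/remote_ptr_reason added, or None for
    lines that are not JSON objects (Falco can interleave other output)."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(event, dict):
        return None
    fields = event.get("output_fields") or {}
    rip = fields.get("fd.rip")
    if not isinstance(rip, str) or not is_public(rip):
        event["remote_ptr"] = None
        event["remote_ptr_reason"] = "no public remote ip"
        return event
    name = cache.name_for(rip)
    # A PTR record is set by whoever controls the address block; it is an
    # annotation for the analyst, not evidence of who the destination is.
    event["remote_ptr"] = name
    event["remote_ptr_reason"] = "ok" if name else "no PTR record"
    return event


def enrich_all(lines: Iterable[str], resolver: Resolver = system_ptr_lookup) -> List[dict]:
    cache = PtrCache(resolver)
    return [ev for ev in (enrich_event(ln, cache) for ln in lines) if ev is not None]


if __name__ == "__main__":
    # Pipe Falco's JSON output in, e.g. `falco -o json_output=true | python enrich.py`;
    # with no stdin, run over the constructed sample events.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_EVENTS
    for enriched in enrich_all(source):
        print(json.dumps(enriched))
```

The cache deliberately stores misses as well as hits: an IP with no PTR record would otherwise be re-queried on every connection. Treat the resulting name as context only; the remote party chooses its own PTR record, so a detection rule should still key on the IP or on forward DNS you observed, not on the reverse name.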