Created January 20, 2025 11:43
Gist: alonsoir/4a89e7a6e04699e7fa28eb386f45be87
With this Falco configuration you can detect and analyze fraudulent attempts against your dynamic QR code system.
```yaml
# falco_rules.yaml
#
# Caveat before deploying: the conditions below rely on custom fields
# (evt.fields.*) and on the windowed helpers count(...) in 1m,
# rate(...) in 1s and now(). Stock Falco exposes no generic evt.fields
# class and has no time-window aggregation or clock functions in its
# condition language, so these rules only load against an event source
# (a plugin or a preprocessor) that supplies those fields and operators.
# The remaining predicates are standard Falco: evt.dir = < selects the
# exit side of the execve, and evt.rawres = 0 keeps only successful ones.

- list: authorized_devices
  items: [device_1, device_2, device_3]

- list: malicious_urls
  items: [malicious.com, phishing.com, malware.com]

- rule: High Frequency QR Scans
  desc: Detect multiple scans of the same QR code in a short time.
  condition: >
    evt.type = execve and proc.name = "qr_scanner" and
    evt.dir = < and evt.rawres = 0 and
    evt.fields.qr_code_id != "" and
    count(evt.fields.qr_code_id) > 5 in 1m
  output: >
    High frequency QR code scans detected
    (qr_code_id=%evt.fields.qr_code_id, count=%evt.count).
  priority: WARNING

- rule: Inconsistent Geographic Location
  desc: Detect QR code scans from inconsistent geographic locations.
  condition: >
    evt.type = execve and proc.name = "qr_scanner" and
    evt.dir = < and evt.rawres = 0 and
    evt.fields.qr_code_location != evt.fields.scan_location
  output: >
    Inconsistent geographic location detected
    (qr_code_location=%evt.fields.qr_code_location, scan_location=%evt.fields.scan_location).
  priority: WARNING

- rule: Unauthorized Device
  desc: Detect QR code scans from unauthorized devices.
  condition: >
    evt.type = execve and proc.name = "qr_scanner" and
    evt.dir = < and evt.rawres = 0 and
    evt.fields.device_id not in (authorized_devices)
  output: >
    Unauthorized device detected (device_id=%evt.fields.device_id).
  priority: CRITICAL

- rule: Expired QR Code
  desc: Detect attempts to scan expired QR codes.
  condition: >
    evt.type = execve and proc.name = "qr_scanner" and
    evt.dir = < and evt.rawres = 0 and
    evt.fields.qr_code_expiry < now()
  output: >
    Expired QR code scan attempted (qr_code_id=%evt.fields.qr_code_id).
  priority: WARNING

- rule: Malicious URL Redirect
  desc: Detect QR code scans that redirect to malicious URLs.
  condition: >
    evt.type = execve and proc.name = "qr_scanner" and
    evt.dir = < and evt.rawres = 0 and
    evt.fields.redirect_url in (malicious_urls)
  output: >
    Malicious URL redirect detected (redirect_url=%evt.fields.redirect_url).
  priority: CRITICAL

- rule: Bot-like Behavior
  desc: Detect bot-like behavior in QR code scans.
  condition: >
    evt.type = execve and proc.name = "qr_scanner" and
    evt.dir = < and evt.rawres = 0 and
    rate(evt.fields.qr_code_id) > 10 in 1s
  output: >
    Bot-like behavior detected (qr_code_id=%evt.fields.qr_code_id, rate=%evt.rate).
  priority: CRITICAL
```
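Because the count-per-minute and rate-per-second checks cannot be expressed in Falco's own condition language, a practitioner usually evaluates them in a small consumer that reads the scan events (Falco JSON output, or the application's own logs). The following is an added example, not code from the gist: it applies all six rules with the gist's thresholds and lists to a stream of scan events in Python. It assumes each event is a dict with the field names used in the rules (`qr_code_id`, `device_id`, `qr_code_location`, `scan_location`, `qr_code_expiry`, `redirect_url`) plus a `ts` timestamp, that events arrive in time order, and that `redirect_url` is matched by its hostname against the bare domains in `malicious_urls` (the gist compares the whole value). The sample events at the bottom are constructed.

```python
"""Sliding-window evaluator for the six QR-scan rules above (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Lists copied from the gist's falco_rules.yaml
AUTHORIZED_DEVICES = {"device_1", "device_2", "device_3"}
MALICIOUS_URLS = {"malicious.com", "phishing.com", "malware.com"}


class QrScanDetector:
    """Stateful evaluator; thresholds mirror the gist (5 per 1 min, 10 per 1 s)."""

    def __init__(self, burst_limit=5, burst_window=timedelta(minutes=1),
                 rate_limit=10, rate_window=timedelta(seconds=1)):
        self.burst_limit = burst_limit
        self.burst_window = burst_window
        self.rate_limit = rate_limit
        self.rate_window = rate_window
        # qr_code_id -> timestamps of recent successful scans, oldest first
        self._history = defaultdict(deque)

    def check(self, scan):
        """Evaluate one scan event (assumed time-ordered); return [(priority, rule)]."""
        alerts = []
        ts = scan["ts"]
        hist = self._history[scan["qr_code_id"]]
        hist.append(ts)
        # Drop scans older than the longest window (1 minute); the entry just
        # appended has age 0, so the loop always stops.
        while ts - hist[0] > self.burst_window:
            hist.popleft()
        # count(qr_code_id) > 5 in 1m
        if len(hist) > self.burst_limit:
            alerts.append(("WARNING", "High Frequency QR Scans"))
        # rate(qr_code_id) > 10 in 1s: scans of this code within the last second
        if sum(1 for t in hist if ts - t <= self.rate_window) > self.rate_limit:
            alerts.append(("CRITICAL", "Bot-like Behavior"))
        if scan["qr_code_location"] != scan["scan_location"]:
            alerts.append(("WARNING", "Inconsistent Geographic Location"))
        if scan["device_id"] not in AUTHORIZED_DEVICES:
            alerts.append(("CRITICAL", "Unauthorized Device"))
        # qr_code_expiry < now(), with the event timestamp standing in for now()
        if scan["qr_code_expiry"] < ts:
            alerts.append(("WARNING", "Expired QR Code"))
        # Assumption: match the URL's host against the bare domains in the list
        if urlsplit(scan["redirect_url"]).hostname in MALICIOUS_URLS:
            alerts.append(("CRITICAL", "Malicious URL Redirect"))
        return alerts


def run_sample():
    """Feed constructed scan events through the detector; return alert counts per rule."""
    base = datetime(2025, 1, 20, 11, 43, tzinfo=timezone.utc)

    def scan(i, **override):
        # Constructed event, 50 ms apart per index; overrides inject each fraud case
        event = {
            "ts": base + timedelta(milliseconds=50 * i),
            "qr_code_id": "qr-42",
            "device_id": "device_1",
            "qr_code_location": "Madrid",
            "scan_location": "Madrid",
            "qr_code_expiry": base + timedelta(days=1),
            "redirect_url": "https://shop.example/landing",
        }
        event.update(override)
        return event

    detector = QrScanDetector()
    fired = defaultdict(int)
    events = [scan(i) for i in range(12)]  # 12 scans of qr-42 within 0.55 s
    events += [
        scan(100, qr_code_id="qr-7", device_id="device_9"),
        scan(101, qr_code_id="qr-8", qr_code_expiry=base - timedelta(hours=1)),
        scan(102, qr_code_id="qr-9", redirect_url="http://phishing.com/login"),
        scan(103, qr_code_id="qr-10", scan_location="Lisbon"),
    ]
    for event in events:
        for _priority, rule in detector.check(event):
            fired[rule] += 1
    return dict(fired)


if __name__ == "__main__":
    for rule, n in run_sample().items():
        print(f"{n:2d}x {rule}")
```

On the constructed burst, the high-frequency rule fires from the sixth scan onward (seven alerts) and the bot-like rule only once more than ten scans fall inside the same second (two alerts); each of the other four cases fires exactly once. The per-code history is pruned to the one-minute window on every event, so memory stays bounded by the number of codes actively being scanned.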