Gist: vicenteherrera/9d08cd351556d445b630c733a6d4f9aa
```yaml
# Falco rule. The macros (allowed_port, inbound_outbound, container) and lists
# (allowed_image, authorized_server_binary, authorized_server_port) referenced
# in the condition are defined elsewhere in the ruleset, not in this gist.
- rule: Outbound or Inbound Traffic not to Authorized Server Process and Port
  desc: Detect traffic that is not to authorized server process and port.
  condition: >
    allowed_port and
    inbound_outbound and
    container and
    container.image.repository in (allowed_image) and
    not proc.name in (authorized_server_binary) and
    not fd.sport in (authorized_server_port)
  output: >
    Network connection outside authorized port and binary
    (command=%proc.cmdline connection=%fd.name user=%user.name container_id=%container.id image=%container.image.repository)
  priority: WARNING
  tags: [network, PCI, PCI_DSS_2.2.1]
```
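To make visible which events the condition above actually matches, here is a small Python evaluator added for this page (it is not part of the gist and not Falco code). It re-implements the rule's boolean condition clause for clause over a handful of constructed events. The functions `container`, `inbound_outbound` and `allowed_port` are simplified stand-ins for the Falco macros of the same names, and the list contents, container ids and sample events are all constructed values; it also includes a `strict_rule_fires` variant, which is not the gist's rule, joining the last two clauses with `or` so the difference can be seen side by side.

```python
"""Toy evaluator for the Falco rule above (added example, not from the gist
or from Falco).  It re-implements the rule's condition over constructed
events so the gating is visible: with the `and` chain, an event fires only
when the process name AND the server port are both outside the authorized
lists.  `container`, `inbound_outbound` and `allowed_port` are simplified
stand-ins for the Falco macros (assumptions); the list contents and events
are constructed sample values.
"""
from dataclasses import dataclass

# Lists as a deployment would fill them in (constructed sample values).
ALLOWED_IMAGE = {"bitnami/nginx"}          # images the rule monitors
AUTHORIZED_SERVER_BINARY = {"nginx"}       # processes allowed to serve
AUTHORIZED_SERVER_PORT = {80, 443}         # server ports allowed


@dataclass(frozen=True)
class Event:
    """The subset of Falco fields the rule reads (constructed values)."""
    label: str             # human-readable name for the sample
    evt_type: str          # evt.type
    proc_name: str         # proc.name
    fd_sport: int          # fd.sport (server-side port)
    container_id: str      # container.id ("host" when not in a container)
    image_repository: str  # container.image.repository


def container(ev: Event) -> bool:
    """Stand-in for Falco's `container` macro (assumption)."""
    return ev.container_id != "host"


def inbound_outbound(ev: Event) -> bool:
    """Stand-in for `inbound_outbound`: connection set-up syscalls (simplified)."""
    return ev.evt_type in {"accept", "connect"}


def allowed_port(ev: Event) -> bool:
    """Stand-in for `allowed_port`: assumed to admit any valid port number."""
    return 0 < ev.fd_sport < 65536


def rule_fires(ev: Event) -> bool:
    """Mirror of the gist's condition, clause for clause."""
    return (allowed_port(ev)
            and inbound_outbound(ev)
            and container(ev)
            and ev.image_repository in ALLOWED_IMAGE
            and ev.proc_name not in AUTHORIZED_SERVER_BINARY
            and ev.fd_sport not in AUTHORIZED_SERVER_PORT)


def strict_rule_fires(ev: Event) -> bool:
    """Variant (NOT the gist's rule): alert when EITHER the binary OR the
    port is unauthorized, i.e. the last two clauses joined with `or`."""
    return (allowed_port(ev)
            and inbound_outbound(ev)
            and container(ev)
            and ev.image_repository in ALLOWED_IMAGE
            and (ev.proc_name not in AUTHORIZED_SERVER_BINARY
                 or ev.fd_sport not in AUTHORIZED_SERVER_PORT))


# Constructed sample events covering the interesting combinations.
SAMPLE_EVENTS = [
    Event("nginx-on-80",    "accept",  "nginx", 80,   "3f1c", "bitnami/nginx"),
    Event("curl-to-80",     "connect", "curl",  80,   "3f1c", "bitnami/nginx"),
    Event("nginx-on-8080",  "accept",  "nginx", 8080, "3f1c", "bitnami/nginx"),
    Event("nc-on-4444",     "accept",  "nc",    4444, "3f1c", "bitnami/nginx"),
    Event("nc-other-image", "accept",  "nc",    4444, "9a2b", "other/app"),
    Event("nc-on-host",     "accept",  "nc",    4444, "host", "bitnami/nginx"),
]


def evaluate(events=SAMPLE_EVENTS):
    """Return {label: (fires_as_written, fires_with_or)} for each event."""
    return {e.label: (rule_fires(e), strict_rule_fires(e)) for e in events}


if __name__ == "__main__":
    for label, (as_written, with_or) in evaluate().items():
        print(f"{label:16} as_written={as_written!s:5} with_or={with_or}")
```

Running it shows that, as written, only the event with an unlisted binary on an unlisted port (`nc-on-4444`) fires; an unlisted binary on an authorized port (`curl-to-80`) and the authorized binary on an unlisted port (`nginx-on-8080`) both pass silently, because the two `not ... in` clauses are joined with `and`. Events outside the monitored image or outside any container never fire in either variant. If the intent is to alert whenever either the process or the port deviates from the baseline, the `or` variant is the one to deploy, at the cost of more alerts on images that legitimately run helper processes.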