
Linux-Exploit-Detection

Linux-based vulnerabilities (CVE) exploit detection through runtime security using Falco/Osquery/Yara/Rego/Sigma

This is an experimental project to evaluate possible ways to detect exploits (CVE) in a Linux environment (HOST/Container/Cloud) using

We were able to detect the majority of the exploits through eBPF or kprobe instrumentation by analyzing the syscalls. Both the Falco and the Rego approaches worked accurately in host and containerized environments. However, there are a few limitations in all of the above approaches; stay tuned, the blog post is coming out soon.
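As an added illustration of the syscall-based approach described above (this is example code, not a rule from this repository), the Falco rule below flags a shell being executed by a Java application server such as Confluence or WebLogic, the post-exploitation pattern most of the listed RCE exploits share. The `spawned_process` macro is reproduced from Falco's default rules so the file loads stand-alone; the `confluence`/`weblogic` command-line substrings and the shell list are assumptions to tune for the deployment being monitored.

```yaml
# Added illustrative Falco rule (not part of this repository).
# Fires when a Java process whose command line references a web application
# executes a shell; an RCE exploit that reaches a command execution sink
# almost always does this, legitimate application servers rarely do.
# The substrings and shell names below are assumptions, adjust them as needed.
- macro: spawned_process
  condition: evt.type = execve and evt.dir = <

- list: shell_binaries
  items: [sh, bash, dash, zsh]

- rule: Shell spawned by Java web application
  desc: >
    A shell was executed directly by a Java process whose command line
    references a web application (e.g. Confluence or WebLogic).
  condition: >
    spawned_process
    and proc.name in (shell_binaries)
    and proc.pname = java
    and (proc.pcmdline contains "confluence"
         or proc.pcmdline contains "weblogic")
  output: >
    Shell spawned by Java web application
    (user=%user.name parent=%proc.pname parent_cmd=%proc.pcmdline
     cmd=%proc.cmdline container=%container.id)
  priority: WARNING
  tags: [host, container, rce, shell]
```

Load it with `falco -r <file>`; `%container.id` renders as `host` for processes outside a container, so the same rule covers both environments.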

Detections are available for the following CVEs, each in its respective folder:

  • CVE-2022-36804 - Atlassian-Bitbucket
  • CVE-2022-26134 - Atlassian-Confluence
  • CVE-2021-26084 - Atlassian-Confluence
  • CVE-2021-26085 - Atlassian-Confluence
  • CVE-2022-26138 - Atlassian-Confluence
  • CVE-2023-22515 - Atlassian-Confluence
  • CVE-2022-24112 - Apache-APISIX
  • CVE-2023-0669 - GoAnywhere-MFT
  • CVE-2023-27350 - PaperCut
  • CVE-2023-27351 - PaperCut
  • CVE-2023-33246 - RocketMQ
  • CVE-2022-29464 - WSO2
  • CVE-2023-32007 - Apache-Spark
  • CVE-2022-46169 - Cacti
  • CVE-2022-24706 - CouchDB
  • CVE-2021-22205 - Gitlab
  • CVE-2022-44268 - ImageMagic
  • CVE-2023-28432 - MinIO
  • CVE-2023-32315 - Openfire
  • CVE-2020-14883 - Oracle-Weblogic
  • CVE-2021-2109 - Oracle-Weblogic
  • CVE-2023-21839 - Oracle-Weblogic
  • CVE-2022-0543 - Redis
  • CVE-2022-35914 - Teclib-GLPI
  • CVE-2022-26352 - dotCMS
  • CVE-2023-38646 - Metabase
  • CVE-2023-25826 - OpenTSDB
  • CVE-2020-35476 - OpenTSDB
  • CVE-2023-38633 - librsvg

More to come...

All of these detections were tested in host and containerized environments where we reproduced the exploit and captured the required events. The rules in this repository can introduce performance overhead; we suggest testing them before using them in a production environment.