signature: use socket_dup event instead of dup(s) syscalls in stdio_over_socket.go

roikol · rafaeldtinoco · commit bb5bb075100c · 2022-10-20T22:55:13.000-03:00
diff --git a/signatures/golang/export.go b/signatures/golang/export.go
@@ -5,7 +5,7 @@ import "github.com/aquasecurity/tracee/types/detect"
 // ExportedSignatures fulfills the goplugins contract required by the rule-engine
 // this is a list of signatures that this plugin exports
 var ExportedSignatures = []detect.Signature{
-	&stdioOverSocket{},
+	&StdioOverSocket{},
 	&K8sApiConnection{},
 	&AslrInspection{},
 	&DroppedExecutable{},
diff --git a/signatures/golang/stdio_over_socket_test.go b/signatures/golang/stdio_over_socket_test.go
@@ -187,7 +187,7 @@ func TestStdioOverSocket(t *testing.T) {
 			Findings: map[string]detect.Finding{},
 		},
 		{
-			Name: "should not trigger detection - socket_dup legit port",
+			Name: "should not trigger detection - socket_dup wrong FD",
 			Events: []trace.Event{
 				{
 					EventName: "socket_dup",
@@ -198,6 +198,29 @@ func TestStdioOverSocket(t *testing.T) {
 							},
 							Value: int32(3),
 						},
+						{
+							ArgMeta: trace.ArgMeta{
+								Name: "remote_addr",
+							},
+							Value: map[string]string{"sa_family": "AF_INET", "sin_port": "53", "sin_addr": "10.225.0.2"},
+						},
+					},
+				},
+			},
+			Findings: map[string]detect.Finding{},
+		},
+		{
+			Name: "should not trigger detection - socket_dup legit port",
+			Events: []trace.Event{
+				{
+					EventName: "socket_dup",
+					Args: []trace.Argument{
+						{
+							ArgMeta: trace.ArgMeta{
+								Name: "newfd",
+							},
+							Value: int32(1),
+						},
 						{
 							ArgMeta: trace.ArgMeta{
 								Name: "remote_addr",
