packet_sockets_using_falco.yaml

- rule: raw_network_socket
  desc: an attempt to open a raw network socket by an unexpected program
  condition: evt.type=socket and evt.dir=> and evt.arg.domain=AF_PACKET and not proc.name=tcpdump
  output: Raw network socket opened by unexpected program (user=%user.name command=%proc.cmdline domain=%evt.arg.domain)
  priority: WARNING