Resolving Domain Names in Falco Rules

How and related fields work


This section explains how to use the field and the related fd.{clr} fields in the default falco ruleset. For example:

- list: https_miner_domains
  items: [

## Add rule based on crypto mining IOCs
- macro: minerpool_https
  condition: ("443" and in (https_miner_domains))

The field and the related fd.{clr} fields behave differently than the other fields in the falco ruleset. See the following to learn more.

Resolve Domains First, Match IPs Later

When a rule contains a field fd.*, the domain names on the right hand side of the comparison (The in or in (, are saved internally within the falco engine. The engine looks up the A records for those domains immediately and saves the set of returned IPs internally. This behavior prevents stalling the system call event loop to perform a blocking time-consuming DNS lookup at the time of the system call event.

Later, when a system call event is matched against the condition in the filter, the actual IP address associated with the system call event (the server IP for, the client IP for, etc) is compared against the previously looked up set of IPs for the domain name. The actual IP is compared against the set of resolved IPs, based on the comparison operator (=/!=/in, perhaps with a preceding not, etc) and results in a true/false result.

Here's an example. If a rule contains a predicate evt.type=connect and, the engine resolves the domain to a set of IPs (say,, at the time the rules are loaded. Later, if a connect system call occurs (say to, the server side of the connection is compared against that set of IPs. Since the actual IP is in the set of IPs for the domain, the rule snippet resolves to true.

The right hand side of a predicate can be in e.g. in (, In this case, the set of IPs for both domains are resolved and held. A later system call event will compare a given IP to the set of IPs for both sets of domains.

How Falco Engine Refreshes Domain/IP Mappings

The actual lookup of domains is done on a separate thread, to avoid stalling the main system call event loop. Additionally, the set of IPs for the domain is refreshed periodically, with the following strategy:

  • Domain names have a base refresh time of 10 seconds.
  • If after a refresh cycle the IP addresses haven't changed, the refresh timeout for that domain name is doubled until 320 seconds (~5mins).

There are a few caveats related to the use of fd.* fields that should be considered when writing Falco Rules.

The Right-Hand Side Must Be a Resolvable Domain Name

Since the right hand side of the predicate (e.g. the part of is used to perform a DNS lookup at the time the rules are loaded, it must be a resolvable domain name. As a result, it's not possible to use domain substrings in conjunction with comparison operators like startswith/endswith/contains/etc. e.g. contains Also, the falco engine must be able to resolve domain names in order for rules using fd.* fields to return accurate results.

Using fd.* Fields in Outputs

The fields fd.* can be used in rule outputs, but they will return meaningful values only when the actual IP for the system call event matches one of the IPs associated with the domain name for the field. For example, the following rule will display a meaningful output for, as the rule condition has a positive comparison for a field:

- rule: Connect to Yahoo
  desc: Detect Connects to IPs
  condition: evt.type=connect and
  output: Some connect to yahoo (command=%proc.cmdline
  priority: INFO

In contrast, this rule will never display a meaningful output for, as the comparison uses a negative match:

- rule: Connect to Anything but Yahoo
  desc: Detect Connects to anything other than IPs
  condition: evt.type=connect and!
  output: Some connect to something other than yahoo (command=%proc.cmdline
  priority: INFO

The rule can match a given connect to an IP like, which is outside the known IPs and generate an alert, but the value for will be blank. (The full connection information is still available in, though.)

Limited Comparison Operators

Although the falco rules systax supports a fairly wide set of comparison operators for IPs, including contains, the only allowed operators for fd.* fields are =/!=/in, with an optional preceding not.