refactor(rules): Remove inbound/outbound network macros

rabbitstack · rabbitstack · commit a0b088e7a323 · 2026-02-16T18:52:24.000+01:00
Removes inbound/outbound network
macros from the rule and switches to
using only the connect socket event.
diff --git a/rules/persistence_network_connection_via_startup_folder_executable_or_script.yml b/rules/persistence_network_connection_via_startup_folder_executable_or_script.yml
@@ -22,6 +22,10 @@ condition: >
     |(load_untrusted_executable and module.path imatches startup_locations) or
      (load_executable and ps.name in script_interpreters and ps.cmdline imatches startup_locations)
     |
-    |((inbound_network) or (outbound_network)) and ps.cmdline imatches startup_locations|
+    |connect_socket and
+     ps.cmdline imatches startup_locations and
+     net.dip != 0.0.0.0 and net.dip not in ('0:0:0:0:0:0:0:1', '::1') and
+     not cidr_contains(net.dip, '127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')
+    |
 
 min-engine-version: 3.0.0
