Extending Falco for Bitcoin

By Nigel Douglas - FEBRUARY 25, 2025


Plugins are shared libraries that conform to a documented API and hook into Falco's core functionality, for example to add new event sources whose events can be evaluated with filtering expressions and Falco rules. Since Falco is open source, users can build plugins for virtually any third-party event source.

In recent blog posts, we discussed how Falco can be extended to event stream sources such as GitLab, Salesforce, and Box via the Falco plugin architecture. But why would you need a Falco plugin for Bitcoin?

What is Bitcoin?

Bitcoin is the world’s first decentralized cryptocurrency. Based on a free-market ideology, Bitcoin was invented in 2008 by Satoshi Nakamoto. Bitcoin has been used as a currency since 2009, with the release of its open-source implementation. The Sysdig Threat Research Team (TRT) often references Bitcoin in research related to cryptojacking, an illegal form of cryptomining in which an attacker mines on computing resources they are not authorized to use. Cryptomining is the process used to create new digital coins within a cryptocurrency system like Bitcoin.

Despite its use for buying goods and services, there are still no uniform international laws that regulate Bitcoin. Many developed countries allow Bitcoin to be used, such as the U.S., Canada, and the U.K. In several countries, including China and Saudi Arabia, it is illegal to use Bitcoin.

Track Bitcoin transactions using a Falco plugin

Falco contributor Thomas Labarussias developed this plugin as a proof of concept to showcase how Falco can be extended to monitor virtually any real-time event stream. While creating it, he noticed that blockchain.com exposes a public feed, accessible via a websocket. By subscribing to it, you receive transactions carried out on the blockchain in real time, which makes it a convenient way to test event ingestion over a websocket. That is also why it serves well as a basis for other websocket-based plugins.

What can the Bitcoin plugin for Falco detect?

In its initial iteration, the plugin focused on two key detection scenarios: incoming transactions to a Bitcoin wallet and outgoing transactions from a Bitcoin wallet. As with all Falco rules, detections are defined using YAML-based policies, allowing for easy customization and expansion.

- rule: New Sent transaction
  desc: A new Bitcoin transaction was sent
  condition: btc.transaction="sent"
  output: The wallet %btc.wallet sent %btc.amount BTC to %btc.destinations in the transaction %btc.hash
  priority: INFORMATIONAL
  source: bitcoin
  tags: [bitcoin, crypto-sent]

- rule: New Received transaction
  desc: A new Bitcoin transaction was received
  condition: btc.transaction="received"
  output: The wallet %btc.wallet received %btc.amount BTC from %btc.sources in the transaction %btc.hash
  priority: INFORMATIONAL
  source: bitcoin
  tags: [bitcoin, crypto-received]

The rule output provides the key transaction details: the amount of Bitcoin sent or received, the counterpart addresses (%btc.destinations for sent transactions, %btc.sources for received ones), and the transaction hash, which is the transaction's digital record on the blockchain ledger. Falco can be launched with the preconfigured rules file; no command-line flags beyond the usual configuration and rules file are required.

sudo /usr/bin/falco -c /etc/falco/falco.yaml -r falco_rules_test.yaml

Output example:

2025-01-20T13:24:45.686652000+0000: Informational The wallet bc1q28gqnp6fdxdsfjr0ddpmp9ah05awadq7tcrsre received 0.000094024 BTC from (bc<gap>cdne2eqw0y778fh4g5p7s7v4jk23l94q38rd) in the transaction f6cc0969fd63479b1926fabe7691544ed69fa7f77<gap>e0cc001cb1815579720

2025-01-20T13:24:45.686698000+0000: Informational The wallet bc<gap>galc22rz29nsme9tfmjec9vaq6sqa3lmmfwe sent 0.009396256 BTC to (14Ad6DYi7Kb3yDNyhfwb9Cb47bcV56ESQH,bc<gap>alc22rz29nsme9tfmjec9vaq6sqa3lmmfwe) in the transaction ab2097<gap>c0b0a23d8c163701d3a7128d1dd978385bb0a6e5ffe56a8140d532

2025-01-20T13:24:45.686739000+0000: Informational The wallet 14Ad6DYi7Kb3yDNyhfwb9Cb<gap>56ESQH received 0.001900000 BTC from (bc1qn2<gap>22rz29nsme9tfmjec9vaq6sqa3lmmfwe) in the transaction ab<gap>8445c0b0a23d8c163701d3a7128d1dd978385bb0a6e5ffe56a8140d532

2025-01-20T13:24:45.686786000+0000: Informational The wallet bc1qn2galc22rz29nsme9tfmjec9vaq6<gap>mmfwe received 0.007492656 BTC from (bc1qn2galc22rz29nsme9tfmjec9vaq6<gap>mmfwe) in the transaction ab20978445c0b0a23d8c163701d3a7128d1dd978385bb0a6e5ffe56a8140d532
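As an added illustration (not the plugin's own code), the Go snippet below shows how a single websocket transaction fans out into the btc.* events the rules above match: one "sent" event per input address and one "received" event per output address, which is why the sample output shows several events sharing one transaction hash, including the sender's change output. The "utx" message layout, the SampleUTX constant, and the placeholder addresses are constructed assumptions about the blockchain.com feed, not taken from the plugin.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed "utx" notification (assumed blockchain.com websocket shape: satoshi values, placeholder addresses).
const SampleUTX = `{"op":"utx","x":{"hash":"txhash-placeholder","inputs":[{"prev_out":{"addr":"bc1q-sender-placeholder","value":939625}}],` +
	`"out":[{"addr":"14Ad-recipient-placeholder","value":190000},{"addr":"bc1q-sender-placeholder","value":749265}]}}`
type txOut struct {
	Addr  string `json:"addr"`
	Value int64  `json:"value"`
}
type utxMessage struct {
	Op string `json:"op"`
	X  struct {
		Hash   string  `json:"hash"`
		Inputs []struct{ PrevOut txOut `json:"prev_out"` } `json:"inputs"`
		Out    []txOut `json:"out"`
	} `json:"x"`
}
type Event struct {
	Transaction, Wallet, Hash string   // btc.transaction ("sent"/"received"), btc.wallet, btc.hash
	Amount                    float64  // btc.amount in BTC, converted from satoshis
	Peers                     []string // btc.destinations (sent) or btc.sources (received)
}

// EventsFromUTX emits one "sent" event per input and one "received" event per output, matching the page's sample output.
func EventsFromUTX(raw []byte) ([]Event, error) {
	var m utxMessage
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, err
	}
	if m.Op != "utx" || m.X.Hash == "" { // other ops (e.g. block notifications) carry no transaction
		return nil, fmt.Errorf("not a utx notification: op=%q", m.Op)
	}
	evs, sources, dests := []Event{}, []string{}, []string{}
	for _, o := range m.X.Out {
		dests = append(dests, o.Addr)
	}
	for _, in := range m.X.Inputs {
		sources = append(sources, in.PrevOut.Addr)
		evs = append(evs, Event{"sent", in.PrevOut.Addr, m.X.Hash, float64(in.PrevOut.Value) / 1e8, dests})
	}
	for _, o := range m.X.Out {
		evs = append(evs, Event{"received", o.Addr, m.X.Hash, float64(o.Value) / 1e8, sources})
	}
	return evs, nil
}
```

Feeding SampleUTX to EventsFromUTX yields one sent and two received events; the change output appears as the sender receiving from itself, so a rule keyed only on btc.transaction="received" also fires for the sending wallet.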

Conclusion

Designed to demonstrate Falco’s flexible plugin system, this plugin shows that you can ingest events from very different sources and generate alerts when suspicious activity occurs. With this plugin, you can monitor and alert on events such as suspicious wallet movements. The plugin can be deployed from source, via falcoctl, or with the Kubernetes Helm chart, and it ships with default rules for simplified testing and integration. Ultimately, it highlights the range of possibilities that open up with Falco’s open-source plugin architecture.
