Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Conditional rules #364

Merged
merged 2 commits into from
May 3, 2018
Merged

Conditional rules #364

merged 2 commits into from
May 3, 2018

Conversation

mstemm
Copy link
Contributor

@mstemm mstemm commented May 2, 2018

Changes to allow rules to refer to filterchecks that may not be present in the version of sysdig used by falco.
This fixes #345.

mstemm added 2 commits May 2, 2018 11:31
Add the ability to skip a rule if its condition refers to a filtercheck
that doesn't exist. This allows defining a rules file that contains new
conditions that can still has limited backward compatibility with older
falco versions.

When compiling a filter, return a list of filtercheck names that are
present in the ast (which also includes filterchecks from any
macros). This set of filtercheck names is matched against the set of
filterchecks known to sinsp, expressed as lua patterns, and in the
global table defined_filters. If no match is found, the rule loader
throws an error.

The pattern changes slightly depending on whether the filter has
arguments or not. Two filters (proc.apid/proc.aname) can work with or
without arguments, so both styles of patterns are used.

If the rule has an attribute "skip-if-unknown-filter", the rule will be
skipped instead.
New unit test for skipping unknown filter. Test cases:

 - A rule that refers to an unknown filter results in an error.
 - A rule that refers to an unknown filter, but has
   "skip-if-unknown-filter: true", can be read, but doesn't match any events.
 - A rule that refers to an unknown filter, but has
   "skip-if-unknown-filter: false", returns an error.

Also test the case of a filtercheck like evt.arg.xxx working properly
with the embedded patterns as well as proc.aname/apid which work both ways.
@mstemm mstemm force-pushed the conditional-rules branch from ad482d8 to 3adc1cf Compare May 2, 2018 18:31
@mstemm mstemm merged commit 512a36d into dev May 3, 2018
@mstemm mstemm deleted the conditional-rules branch May 3, 2018 21:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Support conditional rule loading based on sysdig capabilities
1 participant