trace only relevant events for loaded signatures #935
Comments
I think that in the current design (2 processes) we need to add a pre-step to the entrypoint like
I believe so. Correct me if I'm wrong @itaysk
I don't think so since signatures can be loaded/unloaded which is currently unhandled
@NDStrahilevitz this is one issue you should keep track of (for the major 'filtering improvement' effort you're handling).
Using the new experience, rule events select their dependencies automatically.
@yanivagman AFAIR tracee-rules today already has the capability to load/unload rules
It does. But to work it requires the event dependencies to be chosen at Tracee init time, or otherwise it won't work. This will be fixed as part of #636
based on the loaded signatures, get the relevant set of "event selectors" and use that to configure tracee-ebpf to trace just the relevant events for the loaded signatures
related: #936 #636
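
The request above, together with the load/unload concern raised in the comments, can be modelled as a per-event set of dependent signatures. The sketch below is an added example, not Tracee's code: the `Tracker` type, its methods, and the signature and event names are hypothetical and constructed for illustration.

```go
package main

import "fmt"
import "sort"

// Tracker is a hypothetical model: event name -> set of loaded signatures selecting it.
type Tracker map[string]map[string]bool

// Load records a signature's event selectors and returns the events that were not
// traced before and must now be enabled (in the order given).
func (t Tracker) Load(sig string, events ...string) (enable []string) {
	for _, e := range events {
		if t[e] == nil {
			t[e] = map[string]bool{}
			enable = append(enable, e)
		}
		t[e][sig] = true
	}
	return enable
}

// Unload removes a signature and returns the events no remaining signature needs.
func (t Tracker) Unload(sig string) (disable []string) {
	for e, sigs := range t {
		delete(sigs, sig)
		if len(sigs) == 0 {
			delete(t, e)
			disable = append(disable, e)
		}
	}
	sort.Strings(disable)
	return disable
}

// Events returns the sorted set of events the tracer should currently trace.
func (t Tracker) Events() []string {
	out := make([]string, 0, len(t))
	for e := range t {
		out = append(out, e)
	}
	sort.Strings(out)
	return out
}

func main() {
	t := Tracker{} // sample signature and event names below are constructed
	t.Load("sig_a", "execve", "openat")
	fmt.Println(t.Load("sig_b", "openat", "ptrace")) // newly enabled events
	fmt.Println(t.Unload("sig_a"), t.Events())
}
```

An event stays enabled while any loaded signature still selects it, so unloading one signature never blinds another that shares the same event.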