Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Better list substitution #258

Merged
merged 2 commits into from
Jun 30, 2017
Merged

Better list substitution #258

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
f1b44da
Perform list substitution only on word boundaries
mstemm Jun 30, 2017
eecc927
Add unit tests for list substitution/order
mstemm Jun 30, 2017
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
62 changes: 62 additions & 0 deletions test/falco_tests.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -157,6 +157,68 @@ trace_files: !mux
- rules/override_nested_list.yaml
trace_file: trace_files/cat_write.scap

list_substring:
detect: False
rules_file:
- rules/list_substring.yaml
trace_file: trace_files/cat_write.scap

list_sub_front:
detect: True
detect_level: WARNING
rules_file:
- rules/list_sub_front.yaml
trace_file: trace_files/cat_write.scap

list_sub_mid:
detect: True
detect_level: WARNING
rules_file:
- rules/list_sub_mid.yaml
trace_file: trace_files/cat_write.scap

list_sub_end:
detect: True
detect_level: WARNING
rules_file:
- rules/list_sub_end.yaml
trace_file: trace_files/cat_write.scap

list_sub_bare:
detect: True
detect_level: WARNING
rules_file:
- rules/list_sub_bare.yaml
trace_file: trace_files/cat_write.scap

list_sub_whitespace:
detect: True
detect_level: WARNING
rules_file:
- rules/list_sub_whitespace.yaml
trace_file: trace_files/cat_write.scap

list_order:
detect: True
detect_level: WARNING
rules_file:
- rules/list_order.yaml
trace_file: trace_files/cat_write.scap

macro_order:
detect: True
detect_level: WARNING
rules_file:
- rules/macro_order.yaml
trace_file: trace_files/cat_write.scap

rule_order:
detect: True
detect_level: WARNING
rules_file:
- rules/rule_order.yaml
trace_file: trace_files/cat_write.scap

invalid_rule_output:
exit_status: 1
stderr_contains: "Runtime error: Error loading rules:.* Invalid output format 'An open was seen %not_a_real_field': 'invalid formatting token not_a_real_field'. Exiting."
Expand Down
14 changes: 14 additions & 0 deletions test/rules/list_order.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
- list: cat_binaries
items: [not_cat]

- list: cat_binaries
items: [cat]

- macro: is_cat
condition: proc.name in (cat_binaries)

- rule: open_from_cat
desc: A process named cat does an open
condition: evt.type=open and is_cat
output: "An open was seen (command=%proc.cmdline)"
priority: WARNING
11 changes: 11 additions & 0 deletions test/rules/list_sub_bare.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
- list: cat_binaries
items: [cat]

- macro: is_cat
condition: proc.name=cat_binaries

- rule: open_from_cat
desc: A process named cat does an open
condition: evt.type=open and is_cat
output: "An open was seen (command=%proc.cmdline)"
priority: WARNING
11 changes: 11 additions & 0 deletions test/rules/list_sub_end.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
- list: cat_binaries
items: [cat]

- macro: is_cat
condition: proc.name in (ls, cat_binaries)

- rule: open_from_cat
desc: A process named cat does an open
condition: evt.type=open and is_cat
output: "An open was seen (command=%proc.cmdline)"
priority: WARNING
11 changes: 11 additions & 0 deletions test/rules/list_sub_front.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
- list: cat_binaries
items: [cat]

- macro: is_cat
condition: proc.name in (cat_binaries, ps)

- rule: open_from_cat
desc: A process named cat does an open
condition: evt.type=open and is_cat
output: "An open was seen (command=%proc.cmdline)"
priority: WARNING
11 changes: 11 additions & 0 deletions test/rules/list_sub_mid.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
- list: cat_binaries
items: [cat]

- macro: is_cat
condition: proc.name in (ls, cat_binaries, ps)

- rule: open_from_cat
desc: A process named cat does an open
condition: evt.type=open and is_cat
output: "An open was seen (command=%proc.cmdline)"
priority: WARNING
11 changes: 11 additions & 0 deletions test/rules/list_sub_whitespace.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
- list: cat_binaries
items: [cat]

- macro: is_cat
condition: proc.name= cat_binaries or proc.name=nopey

- rule: open_from_cat
desc: A process named cat does an open
condition: evt.type=open and is_cat
output: "An open was seen (command=%proc.cmdline)"
priority: WARNING
8 changes: 8 additions & 0 deletions test/rules/list_substring.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
- list: my_list
items: ['"one string"']

- rule: my_rule
desc: my description
condition: evt.type=open and fd.name in (file_my_list)
output: my output
priority: INFO
14 changes: 14 additions & 0 deletions test/rules/macro_order.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
- list: cat_binaries
items: [cat]

- macro: is_cat
condition: proc.name in (not_cat)

- macro: is_cat
condition: proc.name in (cat_binaries)

- rule: open_from_cat
desc: A process named cat does an open
condition: evt.type=open and is_cat
output: "An open was seen (command=%proc.cmdline)"
priority: WARNING
17 changes: 17 additions & 0 deletions test/rules/rule_order.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
- list: cat_binaries
items: [cat]

- macro: is_cat
condition: proc.name in (cat_binaries)

- rule: open_from_cat
desc: A process named cat does an open
condition: evt.type=open and proc.name=not_cat
output: "An open was seen (command=%proc.cmdline)"
priority: WARNING

- rule: open_from_cat
desc: A process named cat does an open
condition: evt.type=open and is_cat
output: "An open was seen (command=%proc.cmdline)"
priority: WARNING
7 changes: 6 additions & 1 deletion userspace/engine/lua/compiler.lua
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -325,7 +325,12 @@ end
function compiler.compile_filter(name, source, macro_defs, list_defs)

for name, items in pairs(list_defs) do
source = string.gsub(source, name, table.concat(items, ", "))
local begin_name_pat = "^("..name..")([%s(),=])"
local mid_name_pat = "([%s(),=])("..name..")([%s(),=])"
local end_name_pat = "([%s(),=])("..name..")$"
source = string.gsub(source, begin_name_pat, table.concat(items, ", ").."%2")
source = string.gsub(source, mid_name_pat, "%1"..table.concat(items, ", ").."%3")
source = string.gsub(source, end_name_pat, "%1"..table.concat(items, ", "))
end

local ast, error_msg = parser.parse_filter(source)
Expand Down