github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-09-05 16:50:34 +00:00
Code Issues Projects Releases Wiki Activity

update(userspace/engine): support searching ppm_sc events in rulesets

Browse Source 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
This commit is contained in:
Jason Dellaluce
2023-02-24 14:43:43 +00:00
committed by poiana
parent 07980b7822
commit 19ffadc763
5 changed files with 106 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
userspace/engine/falco_engine.h
View File

@@ -222,11 +222,30 @@ public:
//
// Given an event source and ruleset, fill in a bitset
// containing the event types for which this ruleset can run.
// note(jasondellaluce): this is deprecated, must use the new
// typing-improved `enabled_event_codes` and `enabled_sc_codes` instead
// todo(jasondellaluce): remove this in future code refactors
//
void evttypes_for_ruleset(std::string &source,
std::set<uint16_t> &evttypes,
const std::string &ruleset = s_default_ruleset);
//
// Given an event source and ruleset, return the set of ppm_sc_codes
// for which this ruleset can run and match events.
//
libsinsp::events::set<ppm_sc_code> sc_codes_for_ruleset(
const std::string &source,
const std::string &ruleset = s_default_ruleset);
//
// Given an event source and ruleset, return the set of ppm_event_codes
// for which this ruleset can run and match events.
//
libsinsp::events::set<ppm_event_code> event_codes_for_ruleset(
const std::string &source,
const std::string &ruleset = s_default_ruleset);
//
// Given a source and output string, return an
// gen_event_formatter that can format output strings for an