	spelling: multitrailing
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
		| @@ -44,8 +44,8 @@ trace_files: !mux | |||||||
|       - not_equals_after_evttype: [execve] |       - not_equals_after_evttype: [execve] | ||||||
|       - not_after_evttype: [execve] |       - not_after_evttype: [execve] | ||||||
|       - leading_trailing_evttypes: [execve,open] |       - leading_trailing_evttypes: [execve,open] | ||||||
|       - leading_multtrailing_evttypes: [connect,execve,open] |       - leading_multitrailing_evttypes: [connect,execve,open] | ||||||
|       - leading_multtrailing_evttypes_using_in: [connect,execve,open] |       - leading_multitrailing_evttypes_using_in: [connect,execve,open] | ||||||
|       - not_equals_at_end: [all] |       - not_equals_at_end: [all] | ||||||
|       - not_at_end: [all] |       - not_at_end: [all] | ||||||
|       - not_before_trailing_evttype: [all] |       - not_before_trailing_evttype: [all] | ||||||
|   | |||||||
| @@ -56,13 +56,13 @@ | |||||||
|   output: "None" |   output: "None" | ||||||
|   priority: WARNING |   priority: WARNING | ||||||
|  |  | ||||||
| - rule: leading_multtrailing_evttypes | - rule: leading_multitrailing_evttypes | ||||||
|   desc: one evttype at beginning, multiple at end |   desc: one evttype at beginning, multiple at end | ||||||
|   condition: evt.type=execve and proc.name=foo or evt.type=open or evt.type=connect |   condition: evt.type=execve and proc.name=foo or evt.type=open or evt.type=connect | ||||||
|   output: "None" |   output: "None" | ||||||
|   priority: WARNING |   priority: WARNING | ||||||
|  |  | ||||||
| - rule: leading_multtrailing_evttypes_using_in | - rule: leading_multitrailing_evttypes_using_in | ||||||
|   desc: one evttype at beginning, multiple at end, using in |   desc: one evttype at beginning, multiple at end, using in | ||||||
|   condition: evt.type=execve and proc.name=foo or evt.type in (open, connect) |   condition: evt.type=execve and proc.name=foo or evt.type in (open, connect) | ||||||
|   output: "None" |   output: "None" | ||||||
|   | |||||||