Add base64 encoding and snap length support (#410)
sysdig-CLA-1.0-signed-off-by: Yue Feng <ztz5651483@gmail.com> falco-CLA-1.0-signed-off-by: Yue Feng <ztz5651483@gmail.com>
@@ -116,7 +116,27 @@ int falco_formats::format_event (lua_State *ls)
|
|||||||
|
|
||||||
if(s_json_output)
|
if(s_json_output)
|
||||||
{
|
{
|
||||||
s_inspector->set_buffer_format(sinsp_evt::PF_JSON);
|
switch(s_inspector->get_buffer_format())
|
||||||
|
{
|
||||||
|
case sinsp_evt::PF_NORMAL:
|
||||||
|
s_inspector->set_buffer_format(sinsp_evt::PF_JSON);
|
||||||
|
break;
|
||||||
|
case sinsp_evt::PF_EOLS:
|
||||||
|
s_inspector->set_buffer_format(sinsp_evt::PF_JSONEOLS);
|
||||||
|
break;
|
||||||
|
case sinsp_evt::PF_HEX:
|
||||||
|
s_inspector->set_buffer_format(sinsp_evt::PF_JSONHEX);
|
||||||
|
break;
|
||||||
|
case sinsp_evt::PF_HEXASCII:
|
||||||
|
s_inspector->set_buffer_format(sinsp_evt::PF_JSONHEXASCII);
|
||||||
|
break;
|
||||||
|
case sinsp_evt::PF_BASE64:
|
||||||
|
s_inspector->set_buffer_format(sinsp_evt::PF_JSONBASE64);
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
// do nothing
|
||||||
|
break;
|
||||||
|
}
|
||||||
s_formatters->tostring(evt, sformat, &json_line);
|
s_formatters->tostring(evt, sformat, &json_line);
|
||||||
|
|
||||||
// The formatted string might have a leading newline. If it does, remove it.
|
// The formatted string might have a leading newline. If it does, remove it.
|
||||||
@@ -124,8 +144,6 @@ int falco_formats::format_event (lua_State *ls)
|
|||||||
{
|
{
|
||||||
json_line.erase(0, 1);
|
json_line.erase(0, 1);
|
||||||
}
|
}
|
||||||
|
|
||||||
s_inspector->set_buffer_format(sinsp_evt::PF_NORMAL);
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
catch (sinsp_exception& e)
|
catch (sinsp_exception& e)
|
||||||
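Review bot: The new `switch` on `s_inspector->get_buffer_format()` mutates the inspector-wide buffer format for the rest of the process, because the `s_inspector->set_buffer_format(sinsp_evt::PF_NORMAL);` reset that followed `tostring()` was removed rather than replaced: after the first JSON event the setting stays at the PF_JSON* variant, and anything else that reads the inspector's buffer format (for example the value chosen by `-b`) now sees the JSON flavour instead. With `s_json_output` fixed at startup this is probably harmless in practice, but the local fix is to save and restore instead of hard-resetting: `sinsp_evt::param_fmt saved = s_inspector->get_buffer_format();` before the switch and `s_inspector->set_buffer_format(saved);` right after `s_formatters->tostring(evt, sformat, &json_line);`, which also keeps the `-b` choice intact. The `catch (sinsp_exception& e)` at the end of the hunk suggests `tostring()` can throw, so the restore should also run on that path (in the handler, or via a small RAII guard). The body of `format_event` and its `try` begin before the first hunk.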
|
@@ -70,6 +70,8 @@ static void usage()
|
|||||||
" -h, --help Print this page\n"
|
" -h, --help Print this page\n"
|
||||||
" -c Configuration file (default " FALCO_SOURCE_CONF_FILE ", " FALCO_INSTALL_CONF_FILE ")\n"
|
" -c Configuration file (default " FALCO_SOURCE_CONF_FILE ", " FALCO_INSTALL_CONF_FILE ")\n"
|
||||||
" -A Monitor all events, including those with EF_DROP_FALCO flag.\n"
|
" -A Monitor all events, including those with EF_DROP_FALCO flag.\n"
|
||||||
|
" -b, --print-base64 Print data buffers in base64. This is useful for encoding\n"
|
||||||
|
" binary data that needs to be used over media designed to\n"
|
||||||
" -d, --daemon Run as a daemon\n"
|
" -d, --daemon Run as a daemon\n"
|
||||||
" -D <pattern> Disable any rules matching the regex <pattern>. Can be specified multiple times.\n"
|
" -D <pattern> Disable any rules matching the regex <pattern>. Can be specified multiple times.\n"
|
||||||
" Can not be specified with -t.\n"
|
" Can not be specified with -t.\n"
|
||||||
@@ -115,6 +117,10 @@ static void usage()
|
|||||||
" from multiple files/directories.\n"
|
" from multiple files/directories.\n"
|
||||||
" -s <stats_file> If specified, write statistics related to falco's reading/processing of events\n"
|
" -s <stats_file> If specified, write statistics related to falco's reading/processing of events\n"
|
||||||
" to this file. (Only useful in live mode).\n"
|
" to this file. (Only useful in live mode).\n"
|
||||||
|
" -S <len>, --snaplen=<len>\n"
|
||||||
|
" Capture the first <len> bytes of each I/O buffer.\n"
|
||||||
|
" By default, the first 80 bytes are captured. Use this\n"
|
||||||
|
" option with caution, it can generate huge trace files.\n"
|
||||||
" -T <tag> Disable any rules with a tag=<tag>. Can be specified multiple times.\n"
|
" -T <tag> Disable any rules with a tag=<tag>. Can be specified multiple times.\n"
|
||||||
" Can not be specified with -t.\n"
|
" Can not be specified with -t.\n"
|
||||||
" -t <tag> Only run those rules with a tag=<tag>. Can be specified multiple times.\n"
|
" -t <tag> Only run those rules with a tag=<tag>. Can be specified multiple times.\n"
|
||||||
@@ -293,6 +299,7 @@ int falco_init(int argc, char **argv)
|
|||||||
{
|
{
|
||||||
int result = EXIT_SUCCESS;
|
int result = EXIT_SUCCESS;
|
||||||
sinsp* inspector = NULL;
|
sinsp* inspector = NULL;
|
||||||
|
sinsp_evt::param_fmt event_buffer_format = sinsp_evt::PF_NORMAL;
|
||||||
falco_engine *engine = NULL;
|
falco_engine *engine = NULL;
|
||||||
falco_outputs *outputs = NULL;
|
falco_outputs *outputs = NULL;
|
||||||
int op;
|
int op;
|
||||||
@@ -313,6 +320,7 @@ int falco_init(int argc, char **argv)
|
|||||||
string* k8s_api_cert = 0;
|
string* k8s_api_cert = 0;
|
||||||
string* mesos_api = 0;
|
string* mesos_api = 0;
|
||||||
string output_format = "";
|
string output_format = "";
|
||||||
|
uint32_t snaplen = 0;
|
||||||
bool replace_container_info = false;
|
bool replace_container_info = false;
|
||||||
int duration_to_tot = 0;
|
int duration_to_tot = 0;
|
||||||
bool print_ignored_events = false;
|
bool print_ignored_events = false;
|
||||||
@@ -341,6 +349,7 @@ int falco_init(int argc, char **argv)
|
|||||||
{"option", required_argument, 0, 'o'},
|
{"option", required_argument, 0, 'o'},
|
||||||
{"print", required_argument, 0, 'p' },
|
{"print", required_argument, 0, 'p' },
|
||||||
{"pidfile", required_argument, 0, 'P' },
|
{"pidfile", required_argument, 0, 'P' },
|
||||||
|
{"snaplen", required_argument, 0, 'S' },
|
||||||
{"unbuffered", no_argument, 0, 'U' },
|
{"unbuffered", no_argument, 0, 'U' },
|
||||||
{"version", no_argument, 0, 0 },
|
{"version", no_argument, 0, 0 },
|
||||||
{"validate", required_argument, 0, 'V' },
|
{"validate", required_argument, 0, 'V' },
|
||||||
@@ -362,7 +371,7 @@ int falco_init(int argc, char **argv)
|
|||||||
// Parse the args
|
// Parse the args
|
||||||
//
|
//
|
||||||
while((op = getopt_long(argc, argv,
|
while((op = getopt_long(argc, argv,
|
||||||
"hc:AdD:e:ik:K:Ll:m:M:o:P:p:r:s:T:t:UvV:w:",
|
"hc:AbdD:e:ik:K:Ll:m:M:o:P:p:r:S:s:T:t:UvV:w:",
|
||||||
long_options, &long_index)) != -1)
|
long_options, &long_index)) != -1)
|
||||||
{
|
{
|
||||||
switch(op)
|
switch(op)
|
||||||
@@ -376,6 +385,9 @@ int falco_init(int argc, char **argv)
|
|||||||
case 'A':
|
case 'A':
|
||||||
all_events = true;
|
all_events = true;
|
||||||
break;
|
break;
|
||||||
|
case 'b':
|
||||||
|
event_buffer_format = sinsp_evt::PF_BASE64;
|
||||||
|
break;
|
||||||
case 'd':
|
case 'd':
|
||||||
daemon = true;
|
daemon = true;
|
||||||
break;
|
break;
|
||||||
@@ -444,6 +456,9 @@ int falco_init(int argc, char **argv)
|
|||||||
case 'r':
|
case 'r':
|
||||||
falco_configuration::read_rules_file_directory(string(optarg), rules_filenames);
|
falco_configuration::read_rules_file_directory(string(optarg), rules_filenames);
|
||||||
break;
|
break;
|
||||||
|
case 'S':
|
||||||
|
snaplen = atoi(optarg);
|
||||||
|
break;
|
||||||
case 's':
|
case 's':
|
||||||
stats_filename = optarg;
|
stats_filename = optarg;
|
||||||
break;
|
break;
|
||||||
@@ -482,6 +497,15 @@ int falco_init(int argc, char **argv)
|
|||||||
}
|
}
|
||||||
|
|
||||||
inspector = new sinsp();
|
inspector = new sinsp();
|
||||||
|
inspector->set_buffer_format(event_buffer_format);
|
||||||
|
|
||||||
|
//
|
||||||
|
// If required, set the snaplen
|
||||||
|
//
|
||||||
|
if(snaplen != 0)
|
||||||
|
{
|
||||||
|
inspector->set_snaplen(snaplen);
|
||||||
|
}
|
||||||
|
|
||||||
if(print_ignored_events)
|
if(print_ignored_events)
|
||||||
{
|
{
|
||||||
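Review bot: `snaplen = atoi(optarg);` in the new `case 'S':` accepts any argument unchecked: a non-numeric string or `0` silently falls back to the default because of the `if(snaplen != 0)` guard, a negative value such as `-S -1` wraps into a `uint32_t` of roughly four billion bytes per buffer, and out-of-range input is undefined behaviour for `atoi`. Given that the help text itself warns the option "can generate huge trace files", the value should be parsed with `strtoul` and rejected unless it is a positive number that fits in `uint32_t`, failing through the same path the other options use for bad arguments; that code is outside these hunks, so `usage()` plus `return EXIT_FAILURE` is assumed below and `<cerrno>`/`<cstdint>` may need to be included. Separately, the `-b, --print-base64` help text added in the `usage()` hunk ends mid-sentence at `media designed to` (the hunk adds exactly two lines), so the closing words of that sentence should be added.
```cpp
case 'S':
{
	// Reject empty, non-numeric, negative, zero and out-of-range values instead of
	// letting atoi() turn them into "default" or a multi-GB snaplen.
	char *end = nullptr;
	errno = 0;
	unsigned long val = strtoul(optarg, &end, 10);
	if(errno != 0 || end == optarg || *end != '\0' || optarg[0] == '-' || val == 0 || val > UINT32_MAX)
	{
		fprintf(stderr, "Invalid value for -S/--snaplen: \"%s\"\n", optarg);
		usage();
		return EXIT_FAILURE;
	}
	snaplen = static_cast<uint32_t>(val);
	break;
}
```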
|