diff --git a/test/falco_tests.yaml b/test/falco_tests.yaml
index efd87696..241be62f 100644
--- a/test/falco_tests.yaml
+++ b/test/falco_tests.yaml
@@ -264,6 +264,13 @@ trace_files: !mux
 - rules/rule_order.yaml
 trace_file: trace_files/cat_write.scap
+ endswith:
+ detect: True
+ detect_level: WARNING
+ rules_file:
+ - rules/endswith.yaml
+ trace_file: trace_files/cat_write.scap
+
 invalid_rule_output:
 exit_status: 1
 stderr_contains: "Runtime error: Error loading rules:.* Invalid output format 'An open was seen %not_a_real_field': 'invalid formatting token not_a_real_field'. Exiting."
diff --git a/test/rules/endswith.yaml b/test/rules/endswith.yaml
new file mode 100644
index 00000000..d5fc5999
--- /dev/null
+++ b/test/rules/endswith.yaml
@@ -0,0 +1,22 @@
+#
+# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
+#
+# This file is part of falco.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+- rule: open_ending with null
+ desc: A file ending with null is opened
+ condition: evt.type=open and fd.name endswith null
+ output: "An open was seen (command=%proc.cmdline)"
+ priority: WARNING
\ No newline at end of file
diff --git a/userspace/engine/lua/parser.lua b/userspace/engine/lua/parser.lua
index 3e736299..26c1b785 100644
--- a/userspace/engine/lua/parser.lua
+++ b/userspace/engine/lua/parser.lua
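Review bot: The new rule's output omits the file name, so a match prints only the command and a reader of the test log cannot see which path satisfied `fd.name endswith null`; `output: "An open was seen (command=%proc.cmdline file=%fd.name)"` would make the detection self-explanatory. The fixture also depends on trace_files/cat_write.scap containing an open of a path ending in "null" (presumably /dev/null), which the desc should state, e.g. `desc: A file whose name ends with "null" (matched by the /dev/null open in cat_write.scap) is opened`. The file is also missing its trailing newline, as the `\ No newline at end of file` marker shows.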
@@ -265,7 +265,8 @@ local G = {
 symb("contains") / "contains" +
 symb("icontains") / "icontains" +
 symb("glob") / "glob" +
- symb("startswith") / "startswith";
+ symb("startswith") / "startswith" +
+ symb("endswith") / "endswith";
 InOp = kw("in") / "in";
 PmatchOp = kw("pmatch") / "pmatch";
 UnaryBoolOp = kw("not") / "not";
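Review bot: The grammar now accepts `endswith` as a relational-operator alternative, but this hunk covers parsing only; whichever stage turns the operator string in the AST into the sinsp filter comparison must recognise it as well, and that stage is not in this diff. If it passes the operator name straight through to the underlying filter, nothing more is needed; if it keeps its own operator table, a rule using `endswith` would parse cleanly and then fail when the filter is built, so that path is worth confirming with the new test. A short comment on the new alternative, `-- endswith: string-suffix match, evaluated by the filter layer`, would tell the next reader that the operator's semantics live outside this file. The `local G = {` table starts before the hunk and ends after it.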