github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-08-21 07:43:27 +00:00
Code Issues Projects Releases Wiki Activity

fix(userspace/engine): always consider all rules (even the ones below min_prio) in m_rule_stats_manager.

Browse Source 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>

Co-authored-by: Andrea Terzolo <andreaterzolo3@gmail.com>
This commit is contained in:
Federico Di Pierro 2024-02-08 14:34:19 +01:00 committed by poiana
parent c54523720b
commit 7e7c3941d9
1 changed files with 7 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
userspace/engine/falco_engine.cpp
View File

@ -174,6 +174,7 @@ std::unique_ptr<load_result> falco_engine::load_rules(const std::string &rules_c
// clear the rules known by the engine and each ruleset // clear the rules known by the engine and each ruleset
m_rules.clear(); m_rules.clear();
for (auto &src : m_sources) for (auto &src : m_sources)
// add rules to each ruleset
{ {
src.ruleset = src.ruleset_factory->new_ruleset(); src.ruleset = src.ruleset_factory->new_ruleset();
} }
@ -181,12 +182,6 @@ std::unique_ptr<load_result> falco_engine::load_rules(const std::string &rules_c
// add rules to the engine and the rulesets // add rules to the engine and the rulesets
for (const auto& rule : m_last_compile_output->rules) for (const auto& rule : m_last_compile_output->rules)
{ {
// skip the rule if below the minimum priority
if (rule.priority > m_min_priority)
{
continue;
}
auto info = m_rule_collector.rules().at(rule.name); auto info = m_rule_collector.rules().at(rule.name);
if (!info) if (!info)
{ {
@ -200,11 +195,15 @@ std::unique_ptr<load_result> falco_engine::load_rules(const std::string &rules_c
auto source = find_source(rule.source); auto source = find_source(rule.source);
std::shared_ptr<gen_event_filter> filter( std::shared_ptr<gen_event_filter> filter(
sinsp_filter_compiler(source->filter_factory, rule.condition.get()).compile()); sinsp_filter_compiler(source->filter_factory, rule.condition.get()).compile());
auto rule_id = m_rules.insert(rule, rule.name); m_rules.insert(rule, rule.name);
m_rules.at(rule_id)->id = rule_id;
source->ruleset->add(rule, filter, rule.condition); source->ruleset->add(rule, filter, rule.condition);
// By default rules are enabled/disabled for the default ruleset // By default rules are enabled/disabled for the default ruleset
// skip the rule if below the minimum priority
if (rule.priority > m_min_priority)
{
continue;
}
if(info->enabled) if(info->enabled)
{ {
source->ruleset->enable(rule.name, true, m_default_ruleset_id); source->ruleset->enable(rule.name, true, m_default_ruleset_id);