github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-10-25 22:28:26 +00:00
Code Issues Projects Releases Wiki Activity

Add support for parsing "intersects" operator

Browse Source 
Related to the changes in https://github.com/draios/sysdig/pull/1501,
add support for an "intersects" operator that verifies if any of the
values in the rhs of an expression are found in the set of extracted
values.

For example:

  (a,b,c) in (a,b) is false, but (a,b,c) intersects (a,b) is true.

The code that implements CO_INTERSECTS is in a different commit.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
This commit is contained in:
Mark Stemm
2019-09-09 15:51:14 -07:00
committed by Leo Di Donato
parent 6019320f9d
commit b6fec781b7
3 changed files with 16 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
userspace/engine/lua/sinsp_rule_utils.lua
View File

@@ -36,7 +36,9 @@ function sinsp_rule_utils.check_for_ignored_syscalls_events(ast, filter_type, so
(node.left.value == "evt.type" or
node.left.value == "syscall.type") then
if node.operator == "in" or node.operator == "pmatch" then
if (node.operator == "in" or
node.operator == "intersects" or
node.operator == "pmatch") then
for i, v in ipairs(node.right.elements) do
if v.type == "BareString" then
if node.left.value == "evt.type" then
@@ -94,7 +96,9 @@ function sinsp_rule_utils.get_evttypes_syscalls(name, ast, source, warn_evttypes
if found_not then
found_event_after_not = true
end
if node.operator == "in" or node.operator == "pmatch" then
if (node.operator == "in" or
node.operator == "intersects" or
node.operator == "pmatch") then
for i, v in ipairs(node.right.elements) do
if v.type == "BareString" then