github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-16 15:51:55 +00:00
Code Issues Projects Releases Wiki Activity

update(userspace/engine): find evt names in filter resolver

Browse Source 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
This commit is contained in:
Jason Dellaluce 2023-08-31 13:58:31 +00:00 committed by poiana
parent ab77a5d687
commit dce5cac820
2 changed files with 29 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
userspace/engine/filter_details_resolver.cpp
View File

@ -25,6 +25,7 @@ void filter_details::reset()
macros.clear(); macros.clear();
operators.clear(); operators.clear();
lists.clear(); lists.clear();
evtnames.clear();
} }
void filter_details_resolver::run(ast::expr* filter, filter_details& details) void filter_details_resolver::run(ast::expr* filter, filter_details& details)
@ -70,6 +71,16 @@ void filter_details_resolver::visitor::visit(ast::list_expr* e)
} }
} }
} }
if (m_expect_evtname)
{
for(const auto& item : e->values)
{
if(m_details.known_lists.find(item) == m_details.known_lists.end())
{
m_details.evtnames.insert(item);
}
}
}
} }
void filter_details_resolver::visitor::visit(ast::binary_check_expr* e) void filter_details_resolver::visitor::visit(ast::binary_check_expr* e)
@ -77,9 +88,18 @@ void filter_details_resolver::visitor::visit(ast::binary_check_expr* e)
m_expect_macro = false; m_expect_macro = false;
m_details.fields.insert(e->field); m_details.fields.insert(e->field);
m_details.operators.insert(e->op); m_details.operators.insert(e->op);
m_expect_list = true; if (e->field == "evt.type" || e->field == "evt.asynctype")
e->value->accept(this); {
m_expect_list = false; m_expect_evtname = true;
e->value->accept(this);
m_expect_evtname = false;
}
else
{
m_expect_list = true;
e->value->accept(this);
m_expect_list = false;
}
} }
void filter_details_resolver::visitor::visit(ast::unary_check_expr* e) void filter_details_resolver::visitor::visit(ast::unary_check_expr* e)
@ -101,4 +121,8 @@ void filter_details_resolver::visitor::visit(ast::value_expr* e)
m_details.macros.insert(e->value); m_details.macros.insert(e->value);
} }
if(m_expect_evtname)
{
m_details.evtnames.insert(e->value);
}
} }

2
userspace/engine/filter_details_resolver.h
View File

@ -33,6 +33,7 @@ struct filter_details
std::unordered_set<std::string> macros; std::unordered_set<std::string> macros;
std::unordered_set<std::string> operators; std::unordered_set<std::string> operators;
std::unordered_set<std::string> lists; std::unordered_set<std::string> lists;
std::unordered_set<std::string> evtnames;
void reset(); void reset();
}; };
@ -76,5 +77,6 @@ private:
filter_details& m_details; filter_details& m_details;
bool m_expect_list; bool m_expect_list;
bool m_expect_macro; bool m_expect_macro;
bool m_expect_evtname;
}; };
}; };