Change enable_rule() to use substr match vs regex
Change falco_engine::enable_rule to use substring matches instead of regex pattern matches. Only substrings were actually used in practice outside of tests, and regex matches were not working at all, because regex_match() does not work properly with the default compiler we use. This is noted in the C++11 compatibility notes for gcc 4.8.2: https://gcc.gnu.org/onlinedocs/gcc-4.8.2/libstdc++/manual/manual/status.html#status.iso.2011.
@@ -206,17 +206,17 @@ void falco_engine::load_rules_file(const string &rules_filename, bool verbose, b
|
||||
load_rules(rules_content, verbose, all_events, required_engine_version);
|
||||
}
|
||||
|
||||
void falco_engine::enable_rule(const string &pattern, bool enabled, const string &ruleset)
|
||||
void falco_engine::enable_rule(const string &substring, bool enabled, const string &ruleset)
|
||||
{
|
||||
uint16_t ruleset_id = find_ruleset_id(ruleset);
|
||||
|
||||
m_sinsp_rules->enable(pattern, enabled, ruleset_id);
|
||||
m_k8s_audit_rules->enable(pattern, enabled, ruleset_id);
|
||||
m_sinsp_rules->enable(substring, enabled, ruleset_id);
|
||||
m_k8s_audit_rules->enable(substring, enabled, ruleset_id);
|
||||
}
|
||||
|
||||
void falco_engine::enable_rule(const string &pattern, bool enabled)
|
||||
void falco_engine::enable_rule(const string &substring, bool enabled)
|
||||
{
|
||||
enable_rule(pattern, enabled, m_default_ruleset);
|
||||
enable_rule(substring, enabled, m_default_ruleset);
|
||||
}
|
||||
|
||||
void falco_engine::enable_rule_by_tag(const set<string> &tags, bool enabled, const string &ruleset)
|
||||
|
||||
@@ -76,16 +76,16 @@ public:
|
||||
void load_rules(const std::string &rules_content, bool verbose, bool all_events, uint64_t &required_engine_version);
|
||||
|
||||
//
|
||||
// Enable/Disable any rules matching the provided pattern
|
||||
// (regex). When provided, enable/disable these rules in the
|
||||
// Enable/Disable any rules matching the provided substring.
|
||||
// When provided, enable/disable these rules in the
|
||||
// context of the provided ruleset. The ruleset (id) can later
|
||||
// be passed as an argument to process_event(). This allows
|
||||
// for different sets of rules being active at once.
|
||||
//
|
||||
void enable_rule(const std::string &pattern, bool enabled, const std::string &ruleset);
|
||||
void enable_rule(const std::string &substring, bool enabled, const std::string &ruleset);
|
||||
|
||||
// Wrapper that assumes the default ruleset
|
||||
void enable_rule(const std::string &pattern, bool enabled);
|
||||
void enable_rule(const std::string &substring, bool enabled);
|
||||
|
||||
//
|
||||
// Enable/Disable any rules with any of the provided tags (set, exact matches only)
|
||||
|
||||
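Review bot: The reworded comment on `enable_rule` says the rules "matching the provided substring" are toggled but does not say how the match is performed, and that matters to anyone disabling rules by name: falco_ruleset::enable in this commit uses `val.first.find(substring) != string::npos`, which is a case-sensitive, unanchored search where an empty substring matches every rule. I would extend the comment with `// The match is a plain case-sensitive substring search (no anchoring);` and `// an empty substring matches every rule.` The same addition belongs on the `enable` comment in the ruleset.h hunk (`// Find those rules matching the provided substring and set`), which describes the matcher that actually performs the search.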
@@ -196,20 +196,7 @@ int falco_rules::enable_rule(lua_State *ls)
|
||||
std::string rule = rulec;
|
||||
bool enabled = (lua_tonumber(ls, -1) ? true : false);
|
||||
|
||||
// Escape any regex special characters in the rule name
|
||||
std::string sanitized = rule;
|
||||
|
||||
std::string escape_chars = R"($\.*+?()[]{}|^)";
|
||||
|
||||
size_t pos = sanitized.find_first_of(escape_chars);
|
||||
|
||||
while (pos != std::string::npos)
|
||||
{
|
||||
sanitized.insert(pos, "\\");
|
||||
pos = sanitized.find_first_of(escape_chars, pos+2);
|
||||
}
|
||||
|
||||
rules->enable_rule(sanitized, enabled);
|
||||
rules->enable_rule(rule, enabled);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
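Review bot: With the escaping loop removed, `rules->enable_rule(rule, enabled)` passes an exact rule name into a matcher that now performs an unanchored substring search, so toggling a rule whose name is contained in another rule's name also toggles that other rule; if this Lua entry point is driven by a per-rule enabled flag, a rule marked disabled could silently disable a longer-named sibling. The old escaping at least expressed an intent of exact matching, even though the regex path was not functional. At minimum the call deserves a comment, `// NOTE: enable_rule() matches by substring, so this also affects rules whose names contain this one`, and an exact-match entry point on falco_engine would be the cleaner fix if the flag is meant per rule. falco_rules::enable_rule begins before this hunk.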
@@ -202,19 +202,8 @@ void falco_ruleset::add(string &name,
|
||||
}
|
||||
}
|
||||
|
||||
void falco_ruleset::enable(const string &pattern, bool enabled, uint16_t ruleset)
|
||||
void falco_ruleset::enable(const string &substring, bool enabled, uint16_t ruleset)
|
||||
{
|
||||
regex re;
|
||||
bool match_using_regex = true;
|
||||
|
||||
try {
|
||||
re.assign(pattern);
|
||||
}
|
||||
catch (std::regex_error e)
|
||||
{
|
||||
match_using_regex = false;
|
||||
}
|
||||
|
||||
while (m_rulesets.size() < (size_t) ruleset + 1)
|
||||
{
|
||||
m_rulesets.push_back(new ruleset_filters());
|
||||
@@ -223,14 +212,9 @@ void falco_ruleset::enable(const string &pattern, bool enabled, uint16_t ruleset
|
||||
for(const auto &val : m_filters)
|
||||
{
|
||||
bool matches;
|
||||
if(match_using_regex)
|
||||
{
|
||||
matches = regex_match(val.first, re);
|
||||
}
|
||||
else
|
||||
{
|
||||
matches = (val.first.find(pattern) != string::npos);
|
||||
}
|
||||
|
||||
matches = (val.first.find(substring) != string::npos);
|
||||
|
||||
if (matches)
|
||||
{
|
||||
if(enabled)
|
||||
|
||||
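Review bot: Once the regex branch is gone, `bool matches;` followed by a separate assignment leaves an uninitialized declaration for no reason; fold them into `const bool matches = (val.first.find(substring) != string::npos);` and drop the standalone declaration. Note also that `find` returns 0 for an empty `substring`, so an empty string enables or disables every filter in this loop, which differs from the old `regex_match` intent where an empty pattern matched only an empty name; if that wildcard behaviour is not intended it needs an explicit check, and if it is intended it needs a comment. falco_ruleset::enable starts in the previous hunk and continues past this one.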
@@ -24,7 +24,6 @@ limitations under the License.
|
||||
#include <vector>
|
||||
#include <list>
|
||||
#include <map>
|
||||
#include <regex>
|
||||
|
||||
#include "sinsp.h"
|
||||
#include "filter.h"
|
||||
@@ -48,9 +47,9 @@ public:
|
||||
// specifying unnecessarily large rulesets will result in
|
||||
// unnecessarily large vectors.
|
||||
|
||||
// Find those rules matching the provided pattern and set
|
||||
// Find those rules matching the provided substring and set
|
||||
// their enabled status to enabled.
|
||||
void enable(const std::string &pattern, bool enabled, uint16_t ruleset = 0);
|
||||
void enable(const std::string &substring, bool enabled, uint16_t ruleset = 0);
|
||||
|
||||
// Find those rules that have a tag in the set of tags and set
|
||||
// their enabled status to enabled. Note that the enabled
|
||||
|
||||