Add tests catchall order (#355)

* Only check whole rule names when matching counts Tweak the regex so a rule my_great_rule doesn't pick up event counts for a rule "great_rule: nnn". * Add ability to skip evttype warnings for rules A new attribute warn_evttypes, if present, suppresses printing warnings related to a rule not matching any event type. Useful if you have a rule where not including an event type is intentional. * Add test for preserving rule order Test the fix for https://github.com/draios/falco/issues/354. A rules file has a event-specific rule first and a catchall rule second. Without the changes in https://github.com/draios/sysdig/pull/1103, the first rule does not match the event.
2025-10-21 11:29:26 +00:00 · 2018-04-19 09:31:20 -07:00
parent b6b490e26e
commit e922a849a9
5 changed files with 48 additions and 16 deletions
--- a/test/rules/catchall_order.yaml
+++ b/test/rules/catchall_order.yaml
@@ -0,0 +1,12 @@
+- rule: open_dev_null
+  desc: Any open of the file /dev/null
+  condition: evt.type=open and fd.name=/dev/null
+  output: An open of /dev/null was seen (command=%proc.cmdline evt=%evt.type %evt.args)
+  priority: INFO
+
+- rule: dev_null
+  desc: Anything related to /dev/null
+  condition: fd.name=/dev/null
+  output: Something related to /dev/null was seen (command=%proc.cmdline evt=%evt.type %evt.args)
+  priority: INFO
+  warn_evttypes: false