github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-31 22:16:49 +00:00
Code Issues Projects Releases Wiki Activity

Expose evttypes for ruleset

Browse Source 
Add the ability to return the specific event types that are relevant for
a given ruleset. Allows pre-filtering based on ruleset outside the
engine.
This commit is contained in:
Mark Stemm 2017-10-14 01:06:06 +00:00 committed by Mark Stemm
parent e5bd58ab91
commit eeae04ac67
2 changed files with 13 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
userspace/engine/falco_engine.cpp
View File

@ -154,6 +154,13 @@ uint16_t falco_engine::find_ruleset_id(const std::string &ruleset)
return it->second;
}
void falco_engine::evttypes_for_ruleset(std::vector<bool> &evttypes, const std::string &ruleset)
{
uint16_t ruleset_id = find_ruleset_id(ruleset);
return m_evttype_filter->evttypes_for_ruleset(evttypes, ruleset_id);
}
unique_ptr<falco_engine::rule_result> falco_engine::process_event(sinsp_evt *ev, uint16_t ruleset_id)
{
if(should_drop_evt())

6
userspace/engine/falco_engine.h
View File

@ -85,6 +85,12 @@ public:
//
uint16_t find_ruleset_id(const std::string &ruleset);
//
// Given a ruleset, fill in a bitset containing the event
// types for which this ruleset can run.
//
void evttypes_for_ruleset(std::vector<bool> &evttypes, const std::string &ruleset);
//
// Given an event, check it against the set of rules in the
// engine and if a matching rule is found, return details on