Commit Graph

65 Commits

Author SHA1 Message Date
Henri DF  8ae908fe85  Rework cmake files  2016-03-31 18:39:49 -07:00
    Rather than do include_directory() on the whole sysdig repo, just do it
    for driver, libscap, and libsinsp.

    This is a step on the way to building a digwatch package.

Henri DF  c9806407e8  Priority level internal handling  2016-03-30 14:38:18 -07:00
    Handle internally as ints, then translate as appropriate in outputs.

Henri DF  d6dee28bbe  Output simplification  2016-03-30 14:27:19 -07:00
    The Output is now chosen globally (for all rules), on the command line.

Henri DF  f44bd06f1d  Remove unused/unimplemented options  2016-03-30 13:20:31 -07:00
Henri DF  5f0123317a  Remove function outputs from grammar  2016-03-30 13:00:51 -07:00
Henri DF  6158168a97  Grammar support for priorities  2016-03-29 21:35:07 -07:00
Henri DF  38957d3b14  Add timestamp in function outputs  2016-03-29 19:54:15 -07:00
Henri DF  97d7b125ba  Implicit time in output formats  2016-03-29 19:47:57 -07:00
    As pointed out by Loris, timestamping output messages should be a
    responsibility of the output/collection system.

    So as a first step towards this, add timestamps automatically for output
    formats, and remove them from rules.
Henri DF  aea9b0054b  Minor error handling improvements  2016-03-29 19:31:34 -07:00
Henri DF  faf36cd8d7  Use new sysdig support for fast processing of in-exprs  2016-03-24 14:25:48 -07:00
Henri DF  aa31d0a0fb  Optimization: don't nest at every boolean op  2016-03-18 13:10:07 -07:00
Henri DF  9043c89a9b  Nice formatting when printing ASTs  2016-03-16 13:00:03 -07:00
Henri DF  7104d52466  minor cmakefile cleanup  2016-03-07 17:27:20 -08:00
Henri DF  8c6bb8a236  Set Lua cpath along with path  2016-03-04 17:54:18 -08:00
Henri DF  331042858f  Initial version of outputs.lua  2016-03-03 16:13:08 -08:00
Henri DF  5f681b1bd8  Signal handlers and clean(er) exit  2016-03-04 00:11:09 +00:00
Henri DF  ea158baa8d  Fix error string  2016-03-02 22:24:12 +00:00
Henri DF  33ad92e98b  Fix typo-bug in lua code  2016-03-01 22:01:45 -08:00
Henri DF  f0da1c724b  formats.cpp: print lua error string (like elsewhere)  2016-03-01 22:01:14 -08:00
Henri DF  8343d23c3f  remove debugging print from rules_loader.lua  2016-03-01 20:10:34 -08:00
Henri DF  26fcf3415d  Add digwatch.fields() to Lua API  2016-03-01 21:54:20 +00:00
Henri DF  3195c8abea  formats.{cpp,h}: Get rid of global vars  2016-03-01 21:54:18 +00:00
Henri DF  0cdbdf9215  minor include cleanups  2016-03-01 10:49:19 -08:00
Henri DF  6a99c1a978  Basic support for function calls in outputs  2016-02-29 20:15:50 -08:00
Henri DF  1b7a5bd119  compiler: keep source in FunctionCall ASTs  2016-02-29 13:37:16 -08:00
Henri DF  55b2490314  coding convention  2016-02-28 21:14:46 -08:00
Henri DF  1c04ed7874  rework digwatch event output handling  2016-02-28 21:06:29 -08:00
    The high-level change is that events matching a rule are now sent into a
    lua "on_event" function for handling, rather than doing the handling
    down in c++.

    More specifics:

    Before, the lua "load_rule" function registered formatters with
    associated IDs with the c++ side, which later used this state to
    reconcile events with formats and print output accordingly.

    Now, no such state is kept on the c++ side. The lua "load_rule" function
    maintains the id->formatters map, and uses it to print outputs when it
    receives events.

    This change simplifies the existing flow and will also make the forthcoming
    implementation of function outputs far simpler than it would have been
    in the current setup.

Henri DF  f71de57a90  fix unused vars warning in digwatch.cpp  2016-02-28 20:28:47 -08:00
Henri DF  c695051990  rule_loader.lua: comments cleanups  2016-02-28 23:50:10 +00:00
Henri DF  6569f0372d  Grammar: support function-call syntax in outputs  2016-02-28 14:28:00 -08:00
    This change adds syntax support for function call outputs. For example:

        ... | syslog(evt, WARN)

    Regular outputs are still allowed and parsed in the same way.

Henri DF  733548b80b  Grammar: fix commas in lists  2016-02-28 14:24:54 -08:00
    Commas were (unintentionally) optional in lists, so a list like (a b c)
    was a valid three-element list.
Henri DF  96942f8034  Grammar: parse array lookup in fields  2016-02-28 13:20:35 -08:00
Henri DF  4053b7241e  Fix 'in' clause expansion  2016-02-25 10:54:42 -08:00
Henri DF  eaeb360b31  Fix macro expansion  2016-02-25 10:54:28 -08:00
Henri DF  d62ea1df24  Support for comments in rules files  2016-02-24 15:47:19 -08:00
Henri DF  2428231c7a  Remove unneeded code from digwatch main  2016-02-24 10:32:14 -08:00
Henri DF  1a70d12525  whitespace  2016-02-24 09:17:26 -08:00
Henri DF  5f43446bfa  compiler.lua: Move macro checking into own file  2016-02-24 09:03:55 -08:00
Henri DF  a2ec9870de  compiler.lua: consistently use 'ast' instead of 'node'  2016-02-24 08:46:33 -08:00
Henri DF  e725be968e  rule_loader.lua: add/improve comments  2016-02-24 08:46:12 -08:00
Henri DF  a9d0268390  Move format handling into own class  2016-02-23 18:55:20 -08:00
Henri DF  636429c674  Move lua_State creation to digwatch main  2016-02-23 18:43:41 -08:00
Henri DF  3e73f01472  Always print events  2016-02-23 18:15:43 -08:00
    Before this change, events were only printed if they had all the
    fields (same behavior as with sysdig when the output format doesn't have
    a leading "*"). With this change, all events are printed; those that
    don't have all fields are prefixed with a notification.

Henri DF  2f105932fa  parser-smoke.sh: add a test  2016-02-23 11:35:11 -08:00
Henri DF  87186df85a  digwatch: use appropriate formatter for each event  2016-02-23 10:21:25 -08:00
Henri DF  a3976281a8  Pass rule indices down into filters  2016-02-23 18:09:52 +00:00
    This allows matching events back up with the display output they are
    associated with.

Henri DF  406f079621  Deep copy macro ASTs when expanding  2016-02-23 18:09:52 +00:00
    So that we can individually tag expressions that originate from the same
    macro (see next commit).

Henri DF  3a56c1a0e4  AST: Rule node always has an Output child node  2016-02-23 18:09:52 +00:00
Henri DF  a7d0132154  Add 'sysdig.set_formatter' and use it in compiler  2016-02-23 18:09:51 +00:00
    This allows the compiler to define per-rule formats. They are currently
    instantiated and stored on the c++ side, but not being made use of yet.

Henri DF  426097241d  Move compiler state and AST grafting to rule_loader.lua  2016-02-22 18:07:54 -08:00
    This is needed so that rule_loader (which should be renamed in a later
    pass...) can tag filters with their index.