mirror of
https://github.com/falcosecurity/falco.git
synced 2025-08-07 17:24:05 +00:00
100 lines
2.8 KiB
C++
100 lines
2.8 KiB
C++
#include "test_falco_engine.h"
|
|
|
|
test_falco_engine::test_falco_engine()
|
|
{
|
|
// create a falco engine ready to load the ruleset
|
|
m_filter_factory = std::make_shared<sinsp_filter_factory>(&m_inspector, m_filterlist);
|
|
m_formatter_factory = std::make_shared<sinsp_evt_formatter_factory>(&m_inspector, m_filterlist);
|
|
m_engine = std::make_shared<falco_engine>();
|
|
m_engine->add_source(m_sample_source, m_filter_factory, m_formatter_factory);
|
|
}
|
|
|
|
bool test_falco_engine::load_rules(const std::string& rules_content, const std::string& rules_filename)
|
|
{
|
|
bool ret = false;
|
|
falco::load_result::rules_contents_t rc = {{rules_filename, rules_content}};
|
|
m_load_result = m_engine->load_rules(rules_content, rules_filename);
|
|
m_load_result_string = m_load_result->as_string(true, rc);
|
|
m_load_result_json = m_load_result->as_json(rc);
|
|
ret = m_load_result->successful();
|
|
|
|
if (ret)
|
|
{
|
|
m_engine->enable_rule("", true, m_sample_ruleset);
|
|
}
|
|
|
|
return ret;
|
|
}
|
|
|
|
// This must be kept in line with the (private) falco_engine::s_default_ruleset
|
|
uint64_t test_falco_engine::num_rules_for_ruleset(const std::string& ruleset)
|
|
{
|
|
return m_engine->num_rules_for_ruleset(ruleset);
|
|
}
|
|
|
|
bool test_falco_engine::has_warnings() const
|
|
{
|
|
return m_load_result->has_warnings();
|
|
}
|
|
|
|
bool test_falco_engine::check_warning_message(const std::string& warning_msg) const
|
|
{
|
|
if(!m_load_result->has_warnings())
|
|
{
|
|
return false;
|
|
}
|
|
|
|
for(const auto &warn : m_load_result_json["warnings"])
|
|
{
|
|
std::string msg = warn["message"];
|
|
// Debug:
|
|
// printf("msg: %s\n", msg.c_str());
|
|
if(msg.find(warning_msg) != std::string::npos)
|
|
{
|
|
return true;
|
|
}
|
|
}
|
|
|
|
return false;
|
|
}
|
|
|
|
bool test_falco_engine::check_error_message(const std::string& error_msg) const
|
|
{
|
|
// if the loading is successful there are no errors
|
|
if(m_load_result->successful())
|
|
{
|
|
return false;
|
|
}
|
|
|
|
for(const auto &err : m_load_result_json["errors"])
|
|
{
|
|
std::string msg = err["message"];
|
|
// Debug:
|
|
// printf("msg: %s\n", msg.c_str());
|
|
if(msg.find(error_msg) != std::string::npos)
|
|
{
|
|
return true;
|
|
}
|
|
}
|
|
|
|
return false;
|
|
}
|
|
|
|
std::string test_falco_engine::get_compiled_rule_condition(std::string rule_name) const
|
|
{
|
|
auto rule_description = m_engine->describe_rule(&rule_name, {});
|
|
return rule_description["rules"][0]["details"]["condition_compiled"].template get<std::string>();
|
|
}
|
|
|
|
std::string test_falco_engine::get_compiled_rule_output(std::string rule_name) const
|
|
{
|
|
auto rule_description = m_engine->describe_rule(&rule_name, {});
|
|
return rule_description["rules"][0]["details"]["output_compiled"].template get<std::string>();
|
|
}
|
|
|
|
std::unordered_map<std::string, std::string> test_falco_engine::get_compiled_rule_formatted_fields(std::string rule_name) const
|
|
{
|
|
auto rule_description = m_engine->describe_rule(&rule_name, {});
|
|
return rule_description["rules"][0]["details"]["extra_output_formatted_fields"].template get<std::unordered_map<std::string, std::string>>();
|
|
}
|