github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-10-21 19:44:57 +00:00
Code Issues Projects Releases Wiki Activity
Files
6ee0b353ac43c78d97a6b3858f82e6432d4ddefd
falco/test/falco_tests.yaml
Mark Stemm 10d47cb1f5 Update automated tests to reflect evttypes behavior 
With the changes in https://github.com/falcosecurity/libs/pull/74,
there isn't any need to warn about the order of operators and the
evt.type field--the set of event types for a filter should be exact
now regardless of the order of operators.

So update tests that were logging those warnings to note that the
warnings won't occur any more.

Also, some tests more accurately *do* note that they have an overly
permissive evttype (e.g. ones related to syscalls, which are uncommon
and are evaluated for all event types) to reflect the new behavior.

Finally, in unit tests create an actual sinsp filter instead of a
gen_event_filter, which is the base class and shouldn't be created
directly.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2021-10-12 17:59:38 +02:00

1329 lines
34 KiB
YAML
Raw Blame History

#
# Copyright (C) 2020 The Falco Authors.
#
# This file is part of falco.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
trace_files: !mux
builtin_rules_no_warnings:
detect: False
trace_file: trace_files/empty.scap
rules_warning: False
test_warnings:
detect: False
trace_file: trace_files/empty.scap
rules_file: rules/falco_rules_warnings.yaml
rules_warning:
- no_evttype
- evttype_not_equals
- leading_not
- not_equals_at_end
- not_at_end
- not_equals_and_not
- leading_in_not_equals_at_evttype
- not_with_evttypes
- not_with_evttypes_addl
rules_events:
- no_warnings: [execve]
- no_evttype: [all]
- evttype_not_equals: [all]
- leading_not: [all]
- not_equals_after_evttype: [execve]
- not_after_evttype: [execve]
- leading_trailing_evttypes: [execve,open]
- leading_multtrailing_evttypes: [connect,execve,open]
- leading_multtrailing_evttypes_using_in: [connect,execve,open]
- not_equals_at_end: [all]
- not_at_end: [all]
- not_before_trailing_evttype: [all]
- not_equals_before_trailing_evttype: [all]
- not_equals_and_not: [all]
- not_equals_before_in: [all]
- not_before_in: [all]
- not_in_before_in: [all]
- evttype_in: [execve,open]
- evttype_in_plus_trailing: [connect,execve,open]
- leading_in_not_equals_before_evttype: [all]
- leading_in_not_equals_at_evttype: [all]
- not_with_evttypes: [all]
- not_with_evttypes_addl: [all]
- not_equals_before_evttype: [all]
- not_equals_before_in_evttype: [all]
- not_before_evttype: [all]
- not_before_evttype_using_in: [all]
- repeated_evttypes: [open]
- repeated_evttypes_with_in: [open]
- repeated_evttypes_with_separate_in: [open]
- repeated_evttypes_with_mix: [open]
rule_names_with_spaces:
detect: True
detect_level: WARNING
rules_file:
- rules/rule_names_with_spaces.yaml
trace_file: trace_files/cat_write.scap
rule_names_with_regex_chars:
detect: True
detect_level: WARNING
rules_file:
- rules/rule_names_with_regex_chars.yaml
detect_counts:
- 'Open From Cat ($\.*+?()[]{}|^)': 8
trace_file: trace_files/cat_write.scap
multiple_rules_first_empty:
detect: True
detect_level: WARNING
rules_file:
- rules/empty_rules.yaml
- rules/single_rule.yaml
trace_file: trace_files/cat_write.scap
multiple_rules_last_empty:
detect: True
detect_level: WARNING
rules_file:
- rules/single_rule.yaml
- rules/empty_rules.yaml
trace_file: trace_files/cat_write.scap
multiple_rules:
detect: True
detect_level:
- WARNING
- INFO
- ERROR
rules_file:
- rules/single_rule.yaml
- rules/double_rule.yaml
trace_file: trace_files/cat_write.scap
all_events: True
multiple_docs:
detect: True
detect_level:
- WARNING
- INFO
- ERROR
rules_file:
- rules/single_rule.yaml
- rules/double_rule.yaml
trace_file: trace_files/cat_write.scap
all_events: True
rules_directory:
detect: True
detect_level:
- WARNING
- INFO
- ERROR
rules_file:
- rules/rules_dir
trace_file: trace_files/cat_write.scap
all_events: True
multiple_rules_suppress_info:
detect: True
detect_level:
- WARNING
- ERROR
priority: WARNING
detect_counts:
- open_from_cat: 8
- exec_from_cat: 1
- access_from_cat: 0
rules_file:
- rules/single_rule.yaml
- rules/double_rule.yaml
trace_file: trace_files/cat_write.scap
all_events: True
multiple_rules_overriding:
detect: False
rules_file:
- rules/single_rule.yaml
- rules/override_rule.yaml
trace_file: trace_files/cat_write.scap
macro_overriding:
detect: False
rules_file:
- rules/single_rule.yaml
- rules/override_macro.yaml
trace_file: trace_files/cat_write.scap
list_overriding:
detect: False
rules_file:
- rules/single_rule.yaml
- rules/override_list.yaml
trace_file: trace_files/cat_write.scap
nested_list_overriding:
detect: False
rules_file:
- rules/single_rule.yaml
- rules/override_nested_list.yaml
trace_file: trace_files/cat_write.scap
list_substring:
detect: False
rules_file:
- rules/list_substring.yaml
trace_file: trace_files/cat_write.scap
list_sub_front:
detect: True
detect_level: WARNING
rules_file:
- rules/list_sub_front.yaml
trace_file: trace_files/cat_write.scap
list_sub_mid:
detect: True
detect_level: WARNING
rules_file:
- rules/list_sub_mid.yaml
trace_file: trace_files/cat_write.scap
list_sub_end:
detect: True
detect_level: WARNING
rules_file:
- rules/list_sub_end.yaml
trace_file: trace_files/cat_write.scap
list_sub_bare:
detect: True
detect_level: WARNING
rules_file:
- rules/list_sub_bare.yaml
trace_file: trace_files/cat_write.scap
list_sub_whitespace:
detect: True
detect_level: WARNING
rules_file:
- rules/list_sub_whitespace.yaml
trace_file: trace_files/cat_write.scap
list_order:
detect: True
detect_level: WARNING
rules_file:
- rules/list_order.yaml
trace_file: trace_files/cat_write.scap
macro_order:
detect: True
detect_level: WARNING
rules_file:
- rules/macro_order.yaml
trace_file: trace_files/cat_write.scap
rule_order:
detect: True
detect_level: WARNING
rules_file:
- rules/rule_order.yaml
trace_file: trace_files/cat_write.scap
endswith:
detect: True
detect_level: WARNING
rules_file:
- rules/endswith.yaml
trace_file: trace_files/cat_write.scap
invalid_not_yaml:
exit_status: 1
stdout_is: |+
1 errors:
Rules content is not yaml
---
This is not yaml
---
validate_rules_file:
- rules/invalid_not_yaml.yaml
trace_file: trace_files/cat_write.scap
invalid_not_array:
exit_status: 1
stdout_is: |+
1 errors:
Rules content is not yaml array of objects
---
foo: bar
---
validate_rules_file:
- rules/invalid_not_array.yaml
trace_file: trace_files/cat_write.scap
invalid_array_item_not_object:
exit_status: 1
stdout_is: |+
1 errors:
Unexpected element of type string. Each element should be a yaml associative array.
---
- foo
---
validate_rules_file:
- rules/invalid_array_item_not_object.yaml
trace_file: trace_files/cat_write.scap
invalid_engine_version_not_number:
exit_status: 1
stdout_is: |+
1 errors:
Value of required_engine_version must be a number
---
- required_engine_version: not-a-number
---
validate_rules_file:
- rules/invalid_engine_version_not_number.yaml
trace_file: trace_files/cat_write.scap
invalid_yaml_parse_error:
exit_status: 1
stdout_is: |+
1 errors:
mapping values are not allowed in this context
---
this : is : not : yaml
---
validate_rules_file:
- rules/invalid_yaml_parse_error.yaml
trace_file: trace_files/cat_write.scap
invalid_list_without_items:
exit_status: 1
stdout_is: |+
1 errors:
List must have property items
---
- list: bad_list
no_items: foo
---
validate_rules_file:
- rules/invalid_list_without_items.yaml
trace_file: trace_files/cat_write.scap
invalid_macro_without_condition:
exit_status: 1
stdout_is: |+
1 errors:
Macro must have property condition
---
- macro: bad_macro
nope: 1
---
validate_rules_file:
- rules/invalid_macro_without_condition.yaml
trace_file: trace_files/cat_write.scap
invalid_rule_without_output:
exit_status: 1
stdout_is: |+
1 errors:
Rule must have property output
---
- rule: no output rule
desc: some desc
condition: evt.type=fork
priority: INFO
---
validate_rules_file:
- rules/invalid_rule_without_output.yaml
trace_file: trace_files/cat_write.scap
invalid_append_rule_without_condition:
exit_status: 1
stdout_is: |+
1 errors:
Rule must have exceptions or condition property
---
- rule: no condition rule
append: true
---
validate_rules_file:
- rules/invalid_append_rule_without_condition.yaml
trace_file: trace_files/cat_write.scap
invalid_append_macro_dangling:
exit_status: 1
stdout_is: |+
1 errors:
Macro dangling append has 'append' key but no macro by that name already exists
---
- macro: dangling append
condition: and evt.type=execve
append: true
---
validate_rules_file:
- rules/invalid_append_macro_dangling.yaml
trace_file: trace_files/cat_write.scap
invalid_list_append_dangling:
exit_status: 1
stdout_is: |+
1 errors:
List my_list has 'append' key but no list by that name already exists
---
- list: my_list
items: [not-cat]
append: true
---
validate_rules_file:
- rules/list_append_failure.yaml
trace_file: trace_files/cat_write.scap
invalid_rule_append_dangling:
exit_status: 1
stdout_is: |+
1 errors:
Rule my_rule has 'append' key but no rule by that name already exists
---
- rule: my_rule
condition: evt.type=open
append: true
---
validate_rules_file:
- rules/rule_append_failure.yaml
trace_file: trace_files/cat_write.scap
invalid_overwrite_macro:
exit_status: 1
stdout_contains: |+
.*invalid_base_macro.yaml: Ok
.*invalid_overwrite_macro.yaml: 1 errors:
Compilation error when compiling "foo": Undefined macro 'foo' used in filter.
---
- macro: some macro
condition: foo
append: false
---
validate_rules_file:
- rules/invalid_base_macro.yaml
- rules/invalid_overwrite_macro.yaml
trace_file: trace_files/cat_write.scap
invalid_append_macro:
exit_status: 1
stdout_contains: |+
.*invalid_base_macro.yaml: Ok
.*invalid_append_macro.yaml: 1 errors:
Compilation error when compiling "evt.type=execve foo": 17: syntax error, unexpected 'foo', expecting 'or', 'and'
---
- macro: some macro
condition: evt.type=execve
- macro: some macro
condition: foo
append: true
---
validate_rules_file:
- rules/invalid_base_macro.yaml
- rules/invalid_append_macro.yaml
trace_file: trace_files/cat_write.scap
invalid_overwrite_macro_multiple_docs:
exit_status: 1
stdout_is: |+
1 errors:
Compilation error when compiling "foo": Undefined macro 'foo' used in filter.
---
- macro: some macro
condition: foo
append: false
---
validate_rules_file:
- rules/invalid_overwrite_macro_multiple_docs.yaml
trace_file: trace_files/cat_write.scap
invalid_append_macro_multiple_docs:
exit_status: 1
stdout_is: |+
1 errors:
Compilation error when compiling "evt.type=execve foo": 17: syntax error, unexpected 'foo', expecting 'or', 'and'
---
- macro: some macro
condition: evt.type=execve
- macro: some macro
condition: foo
append: true
---
validate_rules_file:
- rules/invalid_append_macro_multiple_docs.yaml
trace_file: trace_files/cat_write.scap
invalid_overwrite_rule:
exit_status: 1
stdout_contains: |+
.*invalid_base_rule.yaml: Ok
.*invalid_overwrite_rule.yaml: 1 errors:
Undefined macro 'bar' used in filter.
---
- rule: some rule
desc: some desc
condition: bar
output: some output
priority: INFO
append: false
---
validate_rules_file:
- rules/invalid_base_rule.yaml
- rules/invalid_overwrite_rule.yaml
trace_file: trace_files/cat_write.scap
invalid_append_rule:
exit_status: 1
stdout_contains: |+
.*invalid_base_rule.yaml: Ok
.*invalid_append_rule.yaml: 1 errors:
Compilation error when compiling "evt.type=open bar": 15: syntax error, unexpected 'bar', expecting 'or', 'and'
---
- rule: some rule
desc: some desc
condition: evt.type=open
output: some output
priority: INFO
- rule: some rule
desc: some desc
condition: bar
output: some output
priority: INFO
append: true
---
validate_rules_file:
- rules/invalid_base_rule.yaml
- rules/invalid_append_rule.yaml
trace_file: trace_files/cat_write.scap
invalid_overwrite_rule_multiple_docs:
exit_status: 1
stdout_is: |+
1 errors:
Undefined macro 'bar' used in filter.
---
- rule: some rule
desc: some desc
condition: bar
output: some output
priority: INFO
append: false
---
validate_rules_file:
- rules/invalid_overwrite_rule_multiple_docs.yaml
trace_file: trace_files/cat_write.scap
invalid_append_rule_multiple_docs:
exit_status: 1
stdout_contains: |+
Compilation error when compiling "evt.type=open bar": 15: syntax error, unexpected 'bar', expecting 'or', 'and'
---
- rule: some rule
desc: some desc
condition: evt.type=open
output: some output
priority: INFO
- rule: some rule
desc: some desc
condition: bar
output: some output
priority: INFO
append: true
---
validate_rules_file:
- rules/invalid_append_rule_multiple_docs.yaml
trace_file: trace_files/cat_write.scap
invalid_missing_rule_name:
exit_status: 1
stdout_is: |+
1 errors:
Rule name is empty
---
- rule:
desc: some desc
condition: evt.type=execve
output: some output
---
validate_rules_file:
- rules/invalid_missing_rule_name.yaml
trace_file: trace_files/cat_write.scap
invalid_missing_list_name:
exit_status: 1
stdout_is: |+
1 errors:
List name is empty
---
- list:
items: [foo]
---
validate_rules_file:
- rules/invalid_missing_list_name.yaml
trace_file: trace_files/cat_write.scap
invalid_missing_macro_name:
exit_status: 1
stdout_is: |+
1 errors:
Macro name is empty
---
- macro:
condition: evt.type=execve
---
validate_rules_file:
- rules/invalid_missing_macro_name.yaml
trace_file: trace_files/cat_write.scap
invalid_rule_output:
exit_status: 1
stdout_is: |+
1 errors:
Invalid output format 'An open was seen %not_a_real_field': 'invalid formatting token not_a_real_field'
---
- rule: rule_with_invalid_output
desc: A rule with an invalid output field
condition: evt.type=open
output: "An open was seen %not_a_real_field"
priority: WARNING
---
validate_rules_file:
- rules/invalid_rule_output.yaml
trace_file: trace_files/cat_write.scap
disabled_rules:
detect: False
rules_file:
- rules/empty_rules.yaml
- rules/single_rule.yaml
disabled_rules:
- open_from_cat
trace_file: trace_files/cat_write.scap
disabled_rules_using_substring:
detect: False
rules_file:
- rules/empty_rules.yaml
- rules/single_rule.yaml
disabled_rules:
- "open_from"
trace_file: trace_files/cat_write.scap
disabled_rules_using_enabled_flag:
detect: False
rules_file:
- rules/single_rule_enabled_flag.yaml
trace_file: trace_files/cat_write.scap
disabled_and_enabled_rules_1:
exit_status: 1
stderr_contains: "Runtime error: You can not specify both disabled .-D/-T. and enabled .-t. rules. Exiting."
disable_tags: [a]
run_tags: [a]
rules_file:
- rules/single_rule.yaml
trace_file: trace_files/cat_write.scap
disabled_and_enabled_rules_2:
exit_status: 1
stderr_contains: "Runtime error: You can not specify both disabled .-D/-T. and enabled .-t. rules. Exiting."
disabled_rules:
- "open.*"
run_tags: [a]
rules_file:
- rules/single_rule.yaml
trace_file: trace_files/cat_write.scap
null_output_field:
detect: True
detect_level: WARNING
rules_file:
- rules/null_output_field.yaml
trace_file: trace_files/cat_write.scap
stdout_contains: "Warning An open was seen .cport=<NA> command=cat /dev/null."
stdout_output_strict:
detect: True
detect_level: WARNING
rules_file:
- rules/single_rule.yaml
conf_file: confs/stdout_output.yaml
trace_file: trace_files/cat_write.scap
time_iso_8601: true
output_strictly_contains:
- stdout: output_files/single_rule_with_cat_write.txt
stdout_output_json_strict:
json_output: True
detect: True
detect_level: WARNING
rules_file:
- rules/single_rule_with_tags.yaml
conf_file: confs/stdout_output.yaml
trace_file: trace_files/cat_write.scap
time_iso_8601: true
output_strictly_contains:
- stdout: output_files/single_rule_with_cat_write.json
file_output_strict:
detect: True
detect_level: WARNING
rules_file:
- rules/single_rule.yaml
conf_file: confs/file_output.yaml
trace_file: trace_files/cat_write.scap
time_iso_8601: true
output_strictly_contains:
- /tmp/falco_outputs/file_output.txt: output_files/single_rule_with_cat_write.txt
program_output_strict:
detect: True
detect_level: WARNING
rules_file:
- rules/single_rule.yaml
conf_file: confs/program_output.yaml
trace_file: trace_files/cat_write.scap
time_iso_8601: true
output_strictly_contains:
- /tmp/falco_outputs/program_output.txt: output_files/single_rule_with_cat_write.txt
grpc_unix_socket_outputs:
detect: True
detect_level: WARNING
rules_file:
- rules/single_rule_with_tags.yaml
conf_file: confs/grpc_unix_socket.yaml
trace_file: trace_files/cat_write.scap
run_duration: 5
time_iso_8601: true
grpc:
address: unix:///tmp/falco/falco.sock
proto: outputs.proto
service: falco.outputs.service
method: get
# protobuf text format
results:
- "seconds:1470327477 nanos:881781397"
- "priority: WARNING"
- "rule: \"open_from_cat\""
- "output: \"2016-08-04T16:17:57.881781397+0000: Warning An open was seen (command=cat /dev/null)\""
# output fields
- "key: \"evt.time.iso8601\""
- "value: \"2016-08-04T16:17:57.881781397+0000\""
- "key: \"proc.cmdline\""
- "value: \"cat /dev/null\""
# For the hostname, since we don't know that beforehand,
# only check the field presence
- "hostname: "
#tags
- "tags: \"filesystem\""
- "tags: \"process\""
- "tags: \"testing\""
detect_counts:
detect: True
detect_level: WARNING
trace_file: traces-positive/falco-event-generator.scap
detect_counts:
- "Write below binary dir": 1
- "Read sensitive file untrusted": 3
- "Run shell untrusted": 1
- "Write below rpm database": 1
- "Write below etc": 1
- "System procs network activity": 1
- "Mkdir binary dirs": 1
- "System user interactive": 1
- "DB program spawned process": 1
- "Non sudo setuid": 1
- "Create files below dev": 1
- "Modify binary dirs": 2
- "Change thread namespace": 0
disabled_tags_a:
detect: True
detect_level: WARNING
rules_file:
- rules/tagged_rules.yaml
trace_file: trace_files/open-multiple-files.scap
disable_tags: [a]
detect_counts:
- open_1: 0
- open_2: 1
- open_3: 1
- open_4: 0
- open_5: 0
- open_6: 1
- open_7: 0
- open_8: 0
- open_9: 0
- open_10: 0
- open_11: 1
- open_12: 1
- open_13: 1
disabled_tags_b:
detect: True
detect_level: WARNING
rules_file:
- rules/tagged_rules.yaml
trace_file: trace_files/open-multiple-files.scap
disable_tags: [b]
detect_counts:
- open_1: 1
- open_2: 0
- open_3: 1
- open_4: 0
- open_5: 1
- open_6: 0
- open_7: 0
- open_8: 0
- open_9: 1
- open_10: 0
- open_11: 1
- open_12: 1
- open_13: 1
disabled_tags_c:
detect: True
detect_level: WARNING
rules_file:
- rules/tagged_rules.yaml
trace_file: trace_files/open-multiple-files.scap
disable_tags: [c]
detect_counts:
- open_1: 1
- open_2: 1
- open_3: 0
- open_4: 1
- open_5: 0
- open_6: 0
- open_7: 0
- open_8: 1
- open_9: 0
- open_10: 0
- open_11: 1
- open_12: 1
- open_13: 1
disabled_tags_ab:
detect: True
detect_level: WARNING
rules_file:
- rules/tagged_rules.yaml
trace_file: trace_files/open-multiple-files.scap
disable_tags: [a, b]
detect_counts:
- open_1: 0
- open_2: 0
- open_3: 1
- open_4: 0
- open_5: 0
- open_6: 0
- open_7: 0
- open_8: 0
- open_9: 0
- open_10: 0
- open_11: 1
- open_12: 1
- open_13: 1
disabled_tags_abc:
detect: True
detect_level: WARNING
rules_file:
- rules/tagged_rules.yaml
trace_file: trace_files/open-multiple-files.scap
disable_tags: [a, b, c]
detect_counts:
- open_1: 0
- open_2: 0
- open_3: 0
- open_4: 0
- open_5: 0
- open_6: 0
- open_7: 0
- open_8: 0
- open_9: 0
- open_10: 0
- open_11: 1
- open_12: 1
- open_13: 1
run_tags_a:
detect: True
detect_level: WARNING
rules_file:
- rules/tagged_rules.yaml
trace_file: trace_files/open-multiple-files.scap
run_tags: [a]
detect_counts:
- open_1: 1
- open_2: 0
- open_3: 0
- open_4: 1
- open_5: 1
- open_6: 0
- open_7: 1
- open_8: 1
- open_9: 1
- open_10: 1
- open_11: 0
- open_12: 0
- open_13: 0
run_tags_b:
detect: True
detect_level: WARNING
rules_file:
- rules/tagged_rules.yaml
trace_file: trace_files/open-multiple-files.scap
run_tags: [b]
detect_counts:
- open_1: 0
- open_2: 1
- open_3: 0
- open_4: 1
- open_5: 0
- open_6: 1
- open_7: 1
- open_8: 1
- open_9: 0
- open_10: 1
- open_11: 0
- open_12: 0
- open_13: 0
run_tags_c:
detect: True
detect_level: WARNING
rules_file:
- rules/tagged_rules.yaml
trace_file: trace_files/open-multiple-files.scap
run_tags: [c]
detect_counts:
- open_1: 0
- open_2: 0
- open_3: 1
- open_4: 0
- open_5: 1
- open_6: 1
- open_7: 1
- open_8: 0
- open_9: 1
- open_10: 1
- open_11: 0
- open_12: 0
- open_13: 0
run_tags_ab:
detect: True
detect_level: WARNING
rules_file:
- rules/tagged_rules.yaml
trace_file: trace_files/open-multiple-files.scap
run_tags: [a, b]
detect_counts:
- open_1: 1
- open_2: 1
- open_3: 0
- open_4: 1
- open_5: 1
- open_6: 1
- open_7: 1
- open_8: 1
- open_9: 1
- open_10: 1
- open_11: 0
- open_12: 0
- open_13: 0
run_tags_bc:
detect: True
detect_level: WARNING
rules_file:
- rules/tagged_rules.yaml
trace_file: trace_files/open-multiple-files.scap
run_tags: [b, c]
detect_counts:
- open_1: 0
- open_2: 1
- open_3: 1
- open_4: 1
- open_5: 1
- open_6: 1
- open_7: 1
- open_8: 1
- open_9: 1
- open_10: 1
- open_11: 0
- open_12: 0
- open_13: 0
run_tags_abc:
detect: True
detect_level: WARNING
rules_file:
- rules/tagged_rules.yaml
trace_file: trace_files/open-multiple-files.scap
run_tags: [a, b, c]
detect_counts:
- open_1: 1
- open_2: 1
- open_3: 1
- open_4: 1
- open_5: 1
- open_6: 1
- open_7: 1
- open_8: 1
- open_9: 1
- open_10: 1
- open_11: 0
- open_12: 0
- open_13: 0
run_tags_d:
detect: True
detect_level: WARNING
rules_file:
- rules/tagged_rules.yaml
trace_file: trace_files/open-multiple-files.scap
run_tags: [d]
detect_counts:
- open_1: 0
- open_2: 0
- open_3: 0
- open_4: 0
- open_5: 0
- open_6: 0
- open_7: 0
- open_8: 0
- open_9: 0
- open_10: 0
- open_11: 1
- open_12: 0
- open_13: 0
list_append_failure:
exit_status: 1
stderr_contains: "List my_list has 'append' key but no list by that name already exists"
rules_file:
- rules/list_append_failure.yaml
trace_file: trace_files/cat_write.scap
list_append:
detect: True
detect_level: WARNING
rules_file:
- rules/list_append.yaml
trace_file: trace_files/cat_write.scap
list_append_false:
detect: False
rules_file:
- rules/list_append_false.yaml
trace_file: trace_files/cat_write.scap
macro_append_failure:
exit_status: 1
stderr_contains: "Macro my_macro has 'append' key but no macro by that name already exists"
rules_file:
- rules/macro_append_failure.yaml
trace_file: trace_files/cat_write.scap
macro_append:
detect: True
detect_level: WARNING
rules_file:
- rules/macro_append.yaml
trace_file: trace_files/cat_write.scap
macro_append_false:
detect: False
rules_file:
- rules/macro_append_false.yaml
trace_file: trace_files/cat_write.scap
rule_append_failure:
exit_status: 1
stderr_contains: "Rule my_rule has 'append' key but no rule by that name already exists"
rules_file:
- rules/rule_append_failure.yaml
trace_file: trace_files/cat_write.scap
rule_append_skipped:
detect: False
priority: ERROR
rules_file:
- rules/single_rule.yaml
- rules/append_single_rule.yaml
trace_file: trace_files/cat_write.scap
rule_append:
detect: True
detect_level: WARNING
rules_file:
- rules/rule_append.yaml
trace_file: trace_files/cat_write.scap
rule_append_false:
detect: False
rules_file:
- rules/rule_append_false.yaml
trace_file: trace_files/cat_write.scap
json_output_no_output_property:
json_output: True
json_include_output_property: False
detect: True
detect_level: WARNING
rules_file:
- rules/rule_append.yaml
trace_file: trace_files/cat_write.scap
stdout_contains: "^(?!.*Warning An open of /dev/null was seen.*)"
json_output_no_tags_property:
json_output: True
json_include_tags_property: False
detect: True
detect_level: WARNING
rules_file:
- rules/rule_append.yaml
trace_file: trace_files/cat_write.scap
stdout_contains: "^(?!.*\"tags\":[ ]*\\[.*\\],.*)"
json_output_empty_tags_property:
json_output: True
detect: True
detect_level: WARNING
rules_file:
- rules/rule_append.yaml
trace_file: trace_files/cat_write.scap
stdout_contains: "^(.*\"tags\":[ ]*\\[\\],.*)"
in_operator_netmasks:
detect: True
detect_level: INFO
rules_file:
- rules/detect_connect_using_in.yaml
trace_file: trace_files/connect_localhost.scap
syscalls:
detect: True
detect_level: INFO
rules_file:
- rules/syscalls.yaml
rules_warning:
- detect_madvise
detect_counts:
- detect_madvise: 2
- detect_open: 2
trace_file: trace_files/syscall.scap
all_events: True
catchall_order:
detect: True
detect_level: INFO
rules_file:
- rules/catchall_order.yaml
detect_counts:
- open_dev_null: 1
dev_null: 0
trace_file: trace_files/cat_write.scap
skip_unknown_noevt:
detect: False
rules_warning:
- Contains Unknown Event And Skipping
rules_file:
- rules/skip_unknown_evt.yaml
trace_file: trace_files/cat_write.scap
skip_unknown_prefix:
detect: False
rules_file:
- rules/skip_unknown_prefix.yaml
trace_file: trace_files/cat_write.scap
skip_unknown_error:
exit_status: 1
stderr_contains: |+
Could not load rules file.*skip_unknown_error.yaml: 1 errors:
Rule Contains Unknown Event And Not Skipping: error filter_check called with nonexistent field proc.nobody
---
- rule: Contains Unknown Event And Not Skipping
desc: Contains an unknown event
condition: proc.nobody=cat
output: Never
skip-if-unknown-filter: false
priority: INFO
---
rules_file:
- rules/skip_unknown_error.yaml
trace_file: trace_files/cat_write.scap
skip_unknown_unspec_error:
exit_status: 1
stderr_contains: |+
Could not load rules file .*skip_unknown_unspec.yaml: 1 errors:
Rule Contains Unknown Event And Unspecified: error filter_check called with nonexistent field proc.nobody
---
- rule: Contains Unknown Event And Unspecified
desc: Contains an unknown event
condition: proc.nobody=cat
output: Never
priority: INFO
---
rules_file:
- rules/skip_unknown_unspec.yaml
trace_file: trace_files/cat_write.scap
engine_version_mismatch:
exit_status: 1
stderr_contains: Rules require engine version 9999999, but engine version is
rules_file:
- rules/engine_version_mismatch.yaml
trace_file: trace_files/cat_write.scap
monitor_syscall_drops_none:
exit_status: 0
rules_file:
- rules/single_rule.yaml
conf_file: confs/drops_none.yaml
trace_file: trace_files/ping_sendto.scap
stderr_not_contains:
- "event drop detected: 9 occurrences"
- "num times actions taken: 9"
- "Falco internal: syscall event drop"
stdout_not_contains:
- "Falco internal: syscall event drop"
monitor_syscall_drops_ignore:
exit_status: 0
rules_file:
- rules/single_rule.yaml
conf_file: confs/drops_ignore.yaml
trace_file: trace_files/ping_sendto.scap
stderr_contains:
- "event drop detected: 9 occurrences"
- "num times actions taken: 9"
stderr_not_contains:
- "Falco internal: syscall event drop"
stdout_not_contains:
- "Falco internal: syscall event drop"
monitor_syscall_drops_ignore_and_log:
exit_status: 1
rules_file:
- rules/single_rule.yaml
conf_file: confs/drops_ignore_log.yaml
trace_file: trace_files/ping_sendto.scap
stderr_not_contains:
- "event drop detected: 9 occurrences"
- "num times actions taken: 9"
- "Falco internal: syscall event drop"
stdout_not_contains:
- "Falco internal: syscall event drop"
stderr_contains:
- "syscall event drop action \"log\" does not make sense with the \"ignore\" action"
monitor_syscall_drops_threshold_oor:
exit_status: 1
rules_file:
- rules/single_rule.yaml
conf_file: confs/drops_threshold_oor.yaml
trace_file: trace_files/ping_sendto.scap
stderr_not_contains:
- "event drop detected: 9 occurrences"
- "num times actions taken: 9"
- "Falco internal: syscall event drop"
stdout_not_contains:
- "Falco internal: syscall event drop"
stderr_contains:
- "syscall event drops threshold must be a double in the range"
monitor_syscall_drops_threshold_neg:
exit_status: 1
rules_file:
- rules/single_rule.yaml
conf_file: confs/drops_threshold_neg.yaml
trace_file: trace_files/ping_sendto.scap
stderr_not_contains:
- "event drop detected: 9 occurrences"
- "num times actions taken: 9"
- "Falco internal: syscall event drop"
stdout_not_contains:
- "Falco internal: syscall event drop"
stderr_contains:
- "syscall event drops threshold must be a double in the range"
monitor_syscall_drops_log:
exit_status: 0
rules_file:
- rules/single_rule.yaml
conf_file: confs/drops_log.yaml
trace_file: trace_files/ping_sendto.scap
stderr_contains:
- "event drop detected: 9 occurrences"
- "num times actions taken: 9"
- "Falco internal: syscall event drop"
stdout_not_contains:
- "Falco internal: syscall event drop"
monitor_syscall_drops_alert:
exit_status: 0
rules_file:
- rules/single_rule.yaml
conf_file: confs/drops_alert.yaml
trace_file: trace_files/ping_sendto.scap
stderr_contains:
- "event drop detected: 9 occurrences"
- "num times actions taken: 9"
stderr_not_contains:
- "Falco internal: syscall event drop"
stdout_contains:
- "Falco internal: syscall event drop"
monitor_syscall_drops_exit:
exit_status: 1
rules_file:
- rules/single_rule.yaml
conf_file: confs/drops_exit.yaml
trace_file: trace_files/ping_sendto.scap
stderr_contains:
- "event drop detected: 1 occurrences"
- "num times actions taken: 1"
- "Falco internal: syscall event drop"
- "Exiting."
stdout_not_contains:
- "Falco internal: syscall event drop"
time_iso_8601:
time_iso_8601: true
detect: True
detect_level: WARNING
rules_file:
- rules/single_rule.yaml
trace_file: trace_files/cat_write.scap
stdout_contains: "2016-08-04T16:17:57.882054739\\+0000: Warning An open was seen"
stderr_contains: "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\d\\+0000"
Reference in New Issue View Git Blame Copy Permalink