Destroyed Rule syntax and design (markdown)

Rule-syntax-and-design.md

@@ -1,77 +0,0 @@
-# Digwatch rules
-
-## Goals
-
-Our goal is to provide a syntax that is:
-- Flexible
-- Concise
-- A superset of existing sysdig event names and filter rules (e.g. leverages existing user's knowledge of sysdig)
-
-## Approach
-
-A ruleset is list of rules, each one consisting of a filter and an output. The syntax of a rule is `<filter> | <output>`, consisting of a filter (in regular sysdig filter syntax) followed by an output (in regular sysdig output format).
-
-The processor handles an incoming event by evaluating it against each rule's filter. If the rule passes a filter, then the corresponding output is emitted, and further rules are not processed. If the rule fails all filters, then the event is dropped. 
-
-For example:
-
-```
-proc.pname=bash and syscall.type=write and fd.directory contains /sbin | %proc.name %fd.name
-syscall.type=accept and fd.lport!=80 | %proc.name %syscall.type %fd.name
-```
-
-## Macros
-Macros are a mechanism to factor out common sub-filters that are repeated in many rules. The syntax of a macro is <name>: <filter>.
-
-For example:
-```
-write: (syscall.type=write and fd.typechar=f) or syscall.type=mkdir or syscall.type=creat or syscall.type=rename
-interactive: evt.type=execve and proc.pname=bash
-```
-
-With the above two macros, we can rewrite the filter 
-`evt.type=execve and proc.pname=bash (syscall.type=write and fd.typechar=f) or syscall.type=mkdir or syscall.type=creat or syscall.type=rename fd.directory contains /sbin or fd.directory contains /usr/bin | %proc.name %syscall.type` 
-
-as
-
-`interactive and write and fd.directory contains /sbin or fd.directory contains /usr/bin`. 
-
-And adding another macro `interactive: fd.directory contains /sbin or fd.directory contains /usr/bin`, we can shorten the filter further to:
-
-`interactive and write and sysdirs`.
-
-
-## Full Example
-
-```
-read:       (syscall.type=open or syscall.type=openat) and evt.arg.flags contains O_RDONLY
-write:      (((syscall.type=open and evt.dir=<) or (syscall.type=openat and evt.dir=>)) 
-                and (evt.arg.flags contains O_WRONLY or evt.arg.flags contains O_RDWR or evt.arg.flags contains O_CREAT))
-             or (syscall.type=mkdir and evt.dir=>) or (syscall.type=creat and evt.dir=<)
-             or (syscall.type=chmod and evt.dir=<) or (syscall.type=rename and evt.dir=<)
-inbound: (syscall.type=listen and evt.dir=>) or (syscall.type=accept and evt.dir=<)
-outbound: ((syscall.type=connect and evt.dir=<) or (syscall.type=sendto and evt.dir=>)) and (fd.typechar=4 or fd.typechar=6)
-createp: (syscall.type=clone or syscall.type=execve) and evt.dir=<
-
-has_error: evt.buffer contains error or evt.buffer contains Error or evt.buffer contains ERROR
-bindirs: fd.directory contains /sbin or fd.directory contains /bin or fd.directory contains /usr/bin
-           or fd.directory contains /boot or fd.directory contains /lib
-logs: fd.directory contains /var/log or fd.filename contains *.log
-
-file_info: %proc.name %syscall.type %fd.name %evt.arg.flags
-file_contents: %evt.buffer
-network_info: %proc.name %syscall.type %fd.l4proto %fd.name
-
-interactive: evt.type=execve and proc.pname=bash
-db_servers: fd.rip=10.1.2.1 or fd.rip=10.1.2.2 or fd.rip=10.1.2.3
-
-
-write and bindirs | file_info
-syscall.type=chmod and bindirs | file_info
-
-interactive and write | file_info
-write and logs and has_error | file_info file_contents
-
-outbound and not db_servers and fd.rport!=3306 | network_info
-inbound and fd.lport!=80 | network_info
-```