diff --git a/Rule-syntax-and-design.md b/Rule-syntax-and-design.md
deleted file mode 100644
index fbdc5ca..0000000
--- a/Rule-syntax-and-design.md
+++ /dev/null
@@ -1,77 +0,0 @@
-# Digwatch rules
-
-## Goals
-
-Our goal is to provide a syntax that is:
-- Flexible
-- Concise
-- A superset of existing sysdig event names and filter rules (e.g. leverages existing user's knowledge of sysdig)
-
-## Approach
-
-A ruleset is list of rules, each one consisting of a filter and an output. The syntax of a rule is ` | `, consisting of a filter (in regular sysdig filter syntax) followed by an output (in regular sysdig output format).
-
-The processor handles an incoming event by evaluating it against each rule's filter. If the rule passes a filter, then the corresponding output is emitted, and further rules are not processed. If the rule fails all filters, then the event is dropped.
-
-For example:
-
-```
-proc.pname=bash and syscall.type=write and fd.directory contains /sbin | %proc.name %fd.name
-syscall.type=accept and fd.lport!=80 | %proc.name %syscall.type %fd.name
-```
-
-## Macros
-Macros are a mechanism to factor out common sub-filters that are repeated in many rules. The syntax of a macro is : .
-
-For example:
-```
-write: (syscall.type=write and fd.typechar=f) or syscall.type=mkdir or syscall.type=creat or syscall.type=rename
-interactive: evt.type=execve and proc.pname=bash
-```
-
-With the above two macros, we can rewrite the filter
-`evt.type=execve and proc.pname=bash (syscall.type=write and fd.typechar=f) or syscall.type=mkdir or syscall.type=creat or syscall.type=rename fd.directory contains /sbin or fd.directory contains /usr/bin | %proc.name %syscall.type`
-
-as
-
-`interactive and write and fd.directory contains /sbin or fd.directory contains /usr/bin`.
-
-And adding another macro `interactive: fd.directory contains /sbin or fd.directory contains /usr/bin`, we can shorten the filter further to:
-
-`interactive and write and sysdirs`.
-
-
-## Full Example
-
-```
-read: (syscall.type=open or syscall.type=openat) and evt.arg.flags contains O_RDONLY
-write: (((syscall.type=open and evt.dir=<) or (syscall.type=openat and evt.dir=>))
- and (evt.arg.flags contains O_WRONLY or evt.arg.flags contains O_RDWR or evt.arg.flags contains O_CREAT))
- or (syscall.type=mkdir and evt.dir=>) or (syscall.type=creat and evt.dir=<)
- or (syscall.type=chmod and evt.dir=<) or (syscall.type=rename and evt.dir=<)
-inbound: (syscall.type=listen and evt.dir=>) or (syscall.type=accept and evt.dir=<)
-outbound: ((syscall.type=connect and evt.dir=<) or (syscall.type=sendto and evt.dir=>)) and (fd.typechar=4 or fd.typechar=6)
-createp: (syscall.type=clone or syscall.type=execve) and evt.dir=<
-
-has_error: evt.buffer contains error or evt.buffer contains Error or evt.buffer contains ERROR
-bindirs: fd.directory contains /sbin or fd.directory contains /bin or fd.directory contains /usr/bin
- or fd.directory contains /boot or fd.directory contains /lib
-logs: fd.directory contains /var/log or fd.filename contains *.log
-
-file_info: %proc.name %syscall.type %fd.name %evt.arg.flags
-file_contents: %evt.buffer
-network_info: %proc.name %syscall.type %fd.l4proto %fd.name
-
-interactive: evt.type=execve and proc.pname=bash
-db_servers: fd.rip=10.1.2.1 or fd.rip=10.1.2.2 or fd.rip=10.1.2.3
-
-
-write and bindirs | file_info
-syscall.type=chmod and bindirs | file_info
-
-interactive and write | file_info
-write and logs and has_error | file_info file_contents
-
-outbound and not db_servers and fd.rport!=3306 | network_info
-inbound and fd.lport!=80 | network_info
-```
\ No newline at end of file