fix: signature event not triggering if base filtered #3281
Conversation
047d2f5 to a76de90 (compare)
LGTM

Tested with:

```
sudo ./dist/tracee -p pol1.yaml -p pol2.yaml -p pol3.yaml -o json
```

and `sudo strace ls`:

```json
{"timestamp":1687954737858348592,"threadStartTime":1687954737858256434,"processorId":2,"processId":214948,"cgroupId":15952,"threadId":214948,"parentProcessId":214946,"hostProcessId":214948,"hostThreadId":214948,"hostParentProcessId":214946,"userId":0,"mountNamespace":4026531841,"pidNamespace":4026531836,"processName":"strace","hostName":"hb","containerId":"","container":{},"kubernetes":{},"eventId":"6018","eventName":"anti_debugging","matchedPolicies":["pol1","pol3"],"argsNum":0,"returnValue":0,"syscall":"","stackAddresses":null,"contextFlags":{"containerStarted":false,"isCompat":false},"args":[],"metadata":{"Version":"1","Description":"A process used anti-debugging techniques to block a debugger. Malware use anti-debugging to stay invisible and inhibit analysis of their behavior.","Tags":null,"Properties":{"Category":"defense-evasion","Kubernetes_Technique":"","Severity":1,"Technique":"Debugger Evasion","external_id":"T1622","id":"attack-pattern--e4dc8c01-417f-458d-9ee0-bb0617c1b391","signatureID":"TRC-102","signatureName":"Anti-Debugging detected"}}}
```
`cat pol*.yaml`:

```yaml
# pol1.yaml
name: pol1
description: traces all signature events
defaultActions:
  - log
scope:
  - global
rules:
  - event: ptrace
    filters:
      - userId=1000
  - event: anti_debugging

# pol2.yaml
name: pol2
description: traces all signature events
defaultActions:
  - log
scope:
  - global
rules:
  - event: ptrace
    filters:
      - userId=1001

# pol3.yaml
name: pol3
description: traces all signature events
defaultActions:
  - log
scope:
  - global
rules:
  - event: anti_debugging
    filters:
      - userId=0
```
a76de90 to 6533461 (compare)
6533461 to 3aeca87 (compare)
LGTM
3aeca87 to 1d02f8e (compare)
LGTM
1. Explain what the PR does

Fix #3207

This PR builds a map between a base event and its signatures, allowing us to check after the `decode` stage if the event should be passed down the pipeline because there is a signature depending on it, or, in case the userland filter filters out the event, ignore it and continue.

2. Explain how to test it

The `anti_debugging` signature should be triggered even though we are filtering the `ptrace` event for the uid 1000.

3. Other comments
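The decision the PR describes, a base-event-to-signature map consulted after decode, modelled as an added Go example that is not Tracee's code. It reduces a policy to the `userId=<n>` filters used in the three test policies above, assumes (as the test output suggests) that the `anti_debugging` signature consumes the `ptrace` base event, and uses its own `Event`, `Policy`, `SignatureDeps` and `Process` names. Running it with the root-owned `ptrace` event from `sudo strace ls` shows the bug: without the fix the event is dropped because no policy matched it, so the signature never fires; with the fix the signature event is produced and matches `pol1` and `pol3`, as in the JSON above.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Event is a minimal stand-in for a decoded event: only the fields the
// policies above filter on. Constructed for this example, not Tracee's type.
type Event struct {
	Name string
	UID  int
}

// Policy holds, per event name, the filters from the YAML rules above.
// A rule without filters is present in the map with a nil slice.
type Policy struct {
	Name  string
	Rules map[string][]string
}

// SamplePolicies mirrors pol1.yaml, pol2.yaml and pol3.yaml from the review comment.
func SamplePolicies() []Policy {
	return []Policy{
		{Name: "pol1", Rules: map[string][]string{"ptrace": {"userId=1000"}, "anti_debugging": nil}},
		{Name: "pol2", Rules: map[string][]string{"ptrace": {"userId=1001"}}},
		{Name: "pol3", Rules: map[string][]string{"anti_debugging": {"userId=0"}}},
	}
}

// SignatureDeps is the base-event -> signatures map the PR description talks about.
// Assumed for this example: the anti_debugging signature consumes ptrace.
var SignatureDeps = map[string][]string{"ptrace": {"anti_debugging"}}

// matchFilter evaluates the only filter form used in the policies above ("userId=<n>").
func matchFilter(f string, ev Event) bool {
	key, val, ok := strings.Cut(f, "=")
	if !ok || key != "userId" {
		return false
	}
	n, err := strconv.Atoi(val)
	return err == nil && ev.UID == n
}

// MatchedPolicies returns the policies that select ev: a rule for ev.Name exists
// and every filter on that rule holds.
func MatchedPolicies(policies []Policy, ev Event) []string {
	var matched []string
	for _, p := range policies {
		filters, has := p.Rules[ev.Name]
		if !has {
			continue
		}
		ok := true
		for _, f := range filters {
			if !matchFilter(f, ev) {
				ok = false
				break
			}
		}
		if ok {
			matched = append(matched, p.Name)
		}
	}
	return matched
}

// requestedSignatures lists the signatures depending on base that some policy asks for.
func requestedSignatures(policies []Policy, base string) []string {
	var sigs []string
	for _, sig := range SignatureDeps[base] {
		for _, p := range policies {
			if _, has := p.Rules[sig]; has {
				sigs = append(sigs, sig)
				break
			}
		}
	}
	return sigs
}

// Emitted is one event written to the output with the policies that matched it.
type Emitted struct {
	Event           string
	MatchedPolicies []string
}

// Process models the pipeline decision after decode. Without the fix, a base event
// no policy matched is dropped before any signature sees it. With the fix it is still
// passed on (without being logged itself) when a requested signature depends on it.
func Process(policies []Policy, ev Event, withFix bool) []Emitted {
	var out []Emitted
	matched := MatchedPolicies(policies, ev)
	if len(matched) > 0 {
		out = append(out, Emitted{ev.Name, matched})
	}
	sigs := requestedSignatures(policies, ev.Name)
	if len(matched) == 0 && (!withFix || len(sigs) == 0) {
		return out // filtered out in userland; signatures never run
	}
	for _, sig := range sigs {
		derived := Event{Name: sig, UID: ev.UID} // signature event keeps the process context
		if m := MatchedPolicies(policies, derived); len(m) > 0 {
			out = append(out, Emitted{sig, m})
		}
	}
	return out
}

func main() {
	ev := Event{Name: "ptrace", UID: 0} // ptrace issued by root, as in `sudo strace ls`
	fmt.Println("before fix:", Process(SamplePolicies(), ev, false))
	fmt.Println("after fix: ", Process(SamplePolicies(), ev, true))
}
```

A `ptrace` from uid 1000 behaves the same before and after the fix (the base event matches `pol1`, so signatures already ran on it); the difference only shows for base events that no policy selects but a requested signature depends on.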