Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: filter file capture by ELF type #3361

Merged
merged 1 commit into from
Sep 3, 2023
Merged

feat: filter file capture by ELF type #3361

merged 1 commit into from
Sep 3, 2023

Conversation

AlonZivony
Copy link
Collaborator

1. Explain what the PR does

Add a filter for file IO capture filtering ELF files. ELF files are the most important files to capture in security research, so filtering according to ELF files is very effective to reduce noise.

fix #3359

@AlonZivony AlonZivony force-pushed the feature/elf-capture-filter branch 6 times, most recently from 01a5a31 to ce9375b Compare August 13, 2023 10:51
yanivagman
yanivagman reviewed Aug 20, 2023
View reviewed changes
pkg/ebpf/c/capture_filtering.h Outdated Show resolved Hide resolved
pkg/ebpf/c/capture_filtering.h Show resolved Hide resolved
pkg/ebpf/c/capture_filtering.h
file_id.ctime = 0;
if (start_pos == 0) {
// Check if header is matching ELF header
u8 header[FILE_MAGIC_HDR_SIZE] = {};
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't this array be initialized to 0?
This can be important if header size is less than FILE_MAGIC_HDR_SIZE

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So using the syntax of x = {} should initialized the value to zero as far as I know.
I have checked it once with @roikol and it worked.

pkg/ebpf/c/maps.h Outdated Show resolved Hide resolved
@AlonZivony
feat: filter file capture by ELF type
20635b9 
Add a filter for file IO capture filtering ELF files.
ELF files are the most important files to capture in security research,
so filtering according to ELF files is very effective to reduce noise.
yanivagman
yanivagman approved these changes Sep 3, 2023
View reviewed changes
Copy link
Collaborator

@yanivagman yanivagman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@yanivagman yanivagman merged commit fd47dfb into aquasecurity:main Sep 3, 2023
26 checks passed
AlonZivony added a commit to AlonZivony/tracee that referenced this pull request Sep 3, 2023
@AlonZivony
Revert "feat: filter file capture by ELF type (aquasecurity#3361)"
ffce6f1 
This reverts commit fd47dfb.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yanivagman yanivagman yanivagman approved these changes

Assignees

@AlonZivony AlonZivony

Labels
area/ebpf area/events area/flags area/UX kind/documentation kind/feature
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Capture files ELF filter
2 participants
@AlonZivony @yanivagman