
rule_engine: check payload discriminant before ruleset #211

Merged
merged 2 commits into main from ruleset_discriminant on Sep 27, 2023

Conversation

banditopazzo
Member

This PR introduces a new PayloadDiscriminant type to capture the rule type field.

Rulesets are stored per discriminant and tested after having checked the discriminant.

It also improves performance when there are a lot of rules defined on a single payload type, because these rules won't be checked for other types.

Fix: #210

@banditopazzo banditopazzo marked this pull request as ready for review September 26, 2023 09:58
Member

@vadorovsky vadorovsky left a comment


Overall looks good. Is there any way to add a test, since we seem to have a clear reproducer of the issue?

@banditopazzo
Member Author

You can test the behaviour before and after this PR. You can use the examples from the original issue:

- name: Test curl request
  type: DnsQuery
  condition: header.image == "/usr/bin/curl"
- name: Test curl response
  type: DnsResponse
  condition: header.image == "/usr/bin/curl"

These were both matching on every curl event, or

- name: Test all requests
  type: DnsQuery
  condition: header.source == "network-monitor"

this was matching for every event from network-monitor.

And also this rule was incorrectly considered valid:

- name: Test curl response
  type: NonExistentEvent
  condition: header.image == "/usr/bin/curl"

After the changes it should be solved, considering the type even for conditions only on the payload.
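To illustrate the fix described in this thread, here is an added example (not Pulsar's own code) of a rule engine that stores rulesets per payload discriminant and checks the discriminant before any condition, so the header-only curl rules above match only their declared event type. The Header, Payload, Rule and Engine types are hypothetical stand-ins; only the rule names and the condition values come from the issue.

```rust
// Added illustration, not Pulsar's own code: a minimal rule engine that keys
// rulesets by payload discriminant, so a rule declared for one event type can
// never match another even when its condition reads only header fields.
// Header, Payload, Rule and Engine are hypothetical stand-ins for the real types.
use std::collections::HashMap;

#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
pub enum PayloadDiscriminant { DnsQuery, DnsResponse }
pub enum Payload { DnsQuery(String), DnsResponse(String) }
impl Payload {
    // The discriminant is what a rule's `type:` field names.
    pub fn discriminant(&self) -> PayloadDiscriminant {
        match self {
            Payload::DnsQuery(_) => PayloadDiscriminant::DnsQuery,
            Payload::DnsResponse(_) => PayloadDiscriminant::DnsResponse,
        }
    }
}

pub struct Header { pub image: String }
pub struct Event { pub header: Header, pub payload: Payload }
// `condition` stands in for the parsed `condition:` expression.
pub struct Rule { pub name: &'static str, pub condition: fn(&Event) -> bool }
#[derive(Default)]
pub struct Engine { rulesets: HashMap<PayloadDiscriminant, Vec<Rule>> }

impl Engine {
    // Rules live in per-discriminant buckets, not in one flat list.
    pub fn add_rule(&mut self, ty: PayloadDiscriminant, rule: Rule) {
        self.rulesets.entry(ty).or_default().push(rule);
    }
    // Only the bucket for the event's own discriminant is evaluated, so the
    // type check always runs before any condition and other buckets cost nothing.
    pub fn matches(&self, event: &Event) -> Vec<&'static str> {
        self.rulesets.get(&event.payload.discriminant()).map_or_else(Vec::new, |rules| {
            rules.iter().filter(|r| (r.condition)(event)).map(|r| r.name).collect()
        })
    }
}

fn is_curl(e: &Event) -> bool { e.header.image == "/usr/bin/curl" }

// Constructed sample: the two header-only curl rules quoted in the issue.
pub fn engine_from_issue() -> Engine {
    let mut engine = Engine::default();
    engine.add_rule(PayloadDiscriminant::DnsQuery, Rule { name: "Test curl request", condition: is_curl });
    engine.add_rule(PayloadDiscriminant::DnsResponse, Rule { name: "Test curl response", condition: is_curl });
    engine
}
```

With this layout a rule whose `type:` names an unknown discriminant simply has no bucket to be placed in, which is where a loader would reject it at parse time.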

@banditopazzo
Member Author

Adding a test is hard or maybe impossible, because Event fields are private and it's impossible to create one inside the rule-engine module.

Member

@vadorovsky vadorovsky left a comment


Alright, then I'm happy to accept it as it is :)

@vadorovsky vadorovsky merged commit 07677de into main Sep 27, 2023
17 checks passed
@vadorovsky vadorovsky deleted the ruleset_discriminant branch September 27, 2023 17:26
Closes issue #210: Rule engine doesn't care about rule type if no conditions are defined on the payload