rule update: fix syntax error

Signed-off-by: kaizhe <derek0405@gmail.com>
falcosecurity · Jun 28, 2019 · 35a5193 · 35a5193
1 parent 8a765e2
commit 35a5193
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
@@ -313,15 +313,15 @@
 
 # RFC1918 addresses were assigned for private network usage
 - list: rfc_1918_addresses
-  items: ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
+  items: ['"10.0.0.0/8"', '"172.16.0.0/12"', '"192.168.0.0/16"']
 
 - macro: outbound
   condition: >
     (((evt.type = connect and evt.dir=<) or
       (evt.type in (sendto,sendmsg) and evt.dir=< and
        fd.l4proto != tcp and fd.connected=false and fd.name_changed=true)) and
      (fd.typechar = 4 or fd.typechar = 6) and
-     (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8" and (not fd.snet in rfc_1918_addresses) and
+     (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8" and not fd.snet in (rfc_1918_addresses)) and
      (evt.rawres >= 0 or evt.res = EINPROGRESS))
 
 # Very similar to inbound/outbound, but combines the tests together