Unit test for fd.net + in operator fixes

Tests fix for #339. Depends on draios/sysdig#1091.
falcosecurity · Apr 2, 2018 · ffe8e45 · ffe8e45
1 parent 559240b
commit ffe8e45
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 1 deletion.
diff --git a/test/falco_tests.yaml b/test/falco_tests.yaml
@@ -663,4 +663,11 @@ trace_files: !mux
     rules_file:
       - rules/rule_append.yaml
     trace_file: trace_files/cat_write.scap
-    stdout_contains: "^(?!.*Warning An open of /dev/null was seen.*)"
+    stdout_contains: "^(?!.*Warning An open of /dev/null was seen.*)"
+
+  in_operator_netmasks:
+    detect: True
+    detect_level: INFO
+    rules_file:
+      - rules/detect_connect_using_in.yaml
+    trace_file: trace_files/connect_localhost.scap
diff --git a/test/rules/detect_connect_using_in.yaml b/test/rules/detect_connect_using_in.yaml
@@ -0,0 +1,6 @@
+- rule: Localhost connect
+  desc: Detect any connect to the localhost network, using fd.net and the in operator
+  condition: evt.type=connect and fd.net in ("127.0.0.1/24")
+  output: Program connected to localhost network
+    (user=%user.name command=%proc.cmdline connection=%fd.name)
+  priority: INFO
diff --git a/test/trace_files/connect_localhost.scap b/test/trace_files/connect_localhost.scap