"in" operator may not be working on non-string filterchecks #308

Closed
mstemm opened this issue Dec 12, 2017 · 1 comment · Fixed by draios/sysdig#1049

Comments

@mstemm
Copy link
Contributor

mstemm commented Dec 12, 2017

I suspect that the "in" operator isn't actually working on non-string filterchecks e.g. "fd.sport in (443, 53, 80)". I need to check but I think the values from the expression are being treated as strings which won't compare properly against the (numeric) fd.sport.

@mstemm
Copy link
Contributor Author

mstemm commented Dec 12, 2017

To add more context, I think this problem only appears in falco due to the different filtercheck parser implementations. Falco uses one driven primarily by lua and lpeg, while sysdig has a separate internal parser implementation.

mstemm added a commit that referenced this issue Jan 24, 2018
New rule Unexpected UDP Traffic checks for udp traffic not on a list of
expected ports. Currently blocked on
#308.
mstemm added a commit that referenced this issue Jan 25, 2018
New rule Unexpected UDP Traffic checks for udp traffic not on a list of
expected ports. Currently blocked on
#308.
mstemm added a commit that referenced this issue Feb 2, 2018
New rule Unexpected UDP Traffic checks for udp traffic not on a list of
expected ports. Currently blocked on
#308.
mstemm added a commit that referenced this issue Apr 13, 2018
New rule Unexpected UDP Traffic checks for udp traffic not on a list of
expected ports. Currently blocked on
#308.
mstemm added a commit that referenced this issue Apr 18, 2018
New rule Unexpected UDP Traffic checks for udp traffic not on a list of
expected ports. Currently blocked on
#308.
mstemm added a commit that referenced this issue Apr 18, 2018
* Add Rule for unexpected udp traffic

New rule Unexpected UDP Traffic checks for udp traffic not on a list of
expected ports. Currently blocked on
#308.

* Add sendto/recvfrom in inbound/outbound macros

Expand the inbound/outbound macros to handle sendto/recvfrom events, so
they can work on unconnected udp sockets. In order to avoid a flood of
events, they also depend on fd.name_changed to only consider
sendto/recvfrom when the connection tuple changes.

Also make the check for protocol a positive check for udp instead of not tcp,
to avoid a warning about event type filters potentially appearing before
a negative condition. This makes filtering rules by event type easier.

This depends on draios/sysdig#1052.

* Add additional restrictions for inbound/outbound

 - only look for fd.name_changed on unconnected sockets.
 - skip connections where both ips are 0.0.0.0 or localhost network.
 - only look for successful or non-blocking actions that are in progress

* Add a combined inbound/outbound macro

Add a combined inbound/outbound macro so you don't have to do all the
other net/result related tests more than once.

* Fix evt generator for new in/outbound restrictions

The new rules skip localhost, so instead connect a udp socket to a
non-local port. That still triggers the inbound/outbound macros.

* Address FPs in regression tests

In some cases, an app may make a udp connection to an address with a
port of 0, or to an address with an application's port, before making a
tcp connection that actually sends/receives traffic. Allow these
connects.

Also, check both the server and client port and only consider the
traffic unexpected if neither port is in range.
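The typing problem from the first comment (list values kept as strings and compared against a numeric filtercheck such as fd.sport) and the rule logic laid out in the commit message above, as an added example that is not Falco's or sysdig's own code. The real filter compilers live in sysdig's C++ and Falco's Lua/lpeg; this Python stands in for the typing decision they make. The field-type schema, the expected-port list and the event records are assumptions constructed for the example.

```python
"""Added example (not Falco's or sysdig's own code).  A typed evaluator for
`field in (v1, v2, ...)` beside a string-only one that reproduces the
symptom in this issue, plus a constructed version of the Unexpected UDP
Traffic logic built on it.  Field names mirror the filterchecks named on
the page; the schema and the events below are assumptions/constructed."""
import ipaddress
import re

# Assumed type of each filtercheck (the real tables live in sysdig's C++).
FIELD_TYPES = {
    "fd.sport": int, "fd.cport": int, "fd.l4proto": str, "evt.type": str,
    "fd.cip": ipaddress.ip_address, "fd.sip": ipaddress.ip_address,
}
_IN_RE = re.compile(r"^\s*([\w.]+)\s+in\s+\((.*)\)\s*$")


def parse_in(expr):
    """Split `field in (a, b, c)` into ('field', ['a', 'b', 'c']).
    Values keep their raw text: typing them is the parser's job."""
    m = _IN_RE.match(expr)
    if not m:
        raise ValueError(f"not an 'in' expression: {expr!r}")
    values = [v.strip().strip('"') for v in m.group(2).split(",") if v.strip()]
    return m.group(1), values


def in_as_strings(event, expr):
    """Buggy variant: list values stay strings, so an int field such as
    fd.sport never equals '443'.  String fields still match, which is why
    the problem only shows up on non-string filterchecks."""
    field, values = parse_in(expr)
    return event[field] in values


def in_typed(event, expr):
    """Fixed variant: coerce each value to the field's declared type."""
    field, values = parse_in(expr)
    coerce = FIELD_TYPES[field]
    return event[field] in {coerce(v) for v in values}


def _any_or_loopback(ip):
    return ip.is_unspecified or ip.is_loopback


def unexpected_udp(event, expected_ports):
    """Constructed rendering of the rule in the commit message:
    udp, inbound/outbound, and neither port on the expected list."""
    if event["fd.l4proto"] != "udp":            # positive check, not `!= tcp`
        return False
    et = event["evt.type"]
    if et in ("sendto", "recvfrom"):
        # unconnected sockets only count when the connection tuple changed
        if event["fd.connected"] or not event["fd.name_changed"]:
            return False
    elif et not in ("connect", "accept"):
        return False
    if event["evt.res"] not in ("SUCCESS", "EINPROGRESS"):   # ok or in progress
        return False
    if _any_or_loopback(event["fd.cip"]) and _any_or_loopback(event["fd.sip"]):
        return False                            # both ends 0.0.0.0 / localhost
    if et == "connect" and event["fd.sport"] == 0:
        return False                            # udp connect to port 0 (known FP)
    ports = ", ".join(str(p) for p in expected_ports)
    server_ok = in_typed(event, f"fd.sport in ({ports})")
    client_ok = in_typed(event, f"fd.cport in ({ports})")
    return not (server_ok or client_ok)        # unexpected only if neither matches


EXPECTED_UDP_PORTS = [53, 67, 68, 123, 514]     # assumed list for the example


def _ev(et, cip, cport, sip, sport, res="SUCCESS", connected=True, changed=False):
    return {"evt.type": et, "evt.res": res, "fd.l4proto": "udp",
            "fd.connected": connected, "fd.name_changed": changed,
            "fd.cip": ipaddress.ip_address(cip), "fd.cport": cport,
            "fd.sip": ipaddress.ip_address(sip), "fd.sport": sport}


# Constructed events, not captured traffic.
SAMPLE_EVENTS = {
    "dns_query": _ev("sendto", "10.0.0.5", 40211, "10.0.0.2", 53, connected=False, changed=True),
    "odd_port": _ev("sendto", "10.0.0.5", 51002, "10.0.0.9", 4444, connected=False, changed=True),
    "same_tuple": _ev("sendto", "10.0.0.5", 51002, "10.0.0.9", 4444, connected=False),
    "loopback": _ev("connect", "127.0.0.1", 51003, "127.0.0.1", 4444),
    "port_zero": _ev("connect", "10.0.0.5", 51004, "10.0.0.9", 0),
    "expected_on_client_side": _ev("connect", "10.0.0.5", 514, "10.0.0.7", 60000),
}


def evaluate_all():
    """Run the rule over every constructed event; returns name -> fired."""
    return {n: unexpected_udp(e, EXPECTED_UDP_PORTS) for n, e in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    dns = SAMPLE_EVENTS["dns_query"]
    print("string compare:", in_as_strings(dns, "fd.sport in (443, 53, 80)"))
    print("typed compare: ", in_typed(dns, "fd.sport in (443, 53, 80)"))
    for name, fired in evaluate_all().items():
        print(f"{name:24s} unexpected={fired}")
```

The two evaluators differ only in whether the list literals are coerced before comparison, which is the whole of the bug: `in_as_strings` still matches on `fd.l4proto`, so the string-typed rules that ship by default never exposed it. The rule function reads the expected list through `in_typed`, so it behaves the way the commit message expects once the operator is fixed.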
leogr pushed a commit to falcosecurity/rules that referenced this issue Dec 21, 2022
* Add Rule for unexpected udp traffic

New rule Unexpected UDP Traffic checks for udp traffic not on a list of
expected ports. Currently blocked on
falcosecurity/falco#308.

* Add sendto/recvfrom in inbound/outbound macros

Expand the inbound/outbound macros to handle sendto/recvfrom events, so
they can work on unconnected udp sockets. In order to avoid a flood of
events, they also depend on fd.name_changed to only consider
sendto/recvfrom when the connection tuple changes.

Also make the check for protocol a positive check for udp instead of not tcp,
to avoid a warning about event type filters potentially appearing before
a negative condition. This makes filtering rules by event type easier.

This depends on draios/sysdig#1052.

* Add additional restrictions for inbound/outbound

 - only look for fd.name_changed on unconnected sockets.
 - skip connections where both ips are 0.0.0.0 or localhost network.
 - only look for successful or non-blocking actions that are in progress

* Add a combined inbound/outbound macro

Add a combined inbound/outbound macro so you don't have to do all the
other net/result related tests more than once.

* Fix evt generator for new in/outbound restrictions

The new rules skip localhost, so instead connect a udp socket to a
non-local port. That still triggers the inbound/outbound macros.

* Address FPs in regression tests

In some cases, an app may make a udp connection to an address with a
port of 0, or to an address with an application's port, before making a
tcp connection that actually sends/receives traffic. Allow these
connects.

Also, check both the server and client port and only consider the
traffic unexpected if neither port is in range.