# Review notes (libseccomp "pseudo filter code" / PFC export).
#
# What this is: a human-readable dump of a seccomp filter for the x86_64
# ABI (3221225534 = 0xC000003E).  Rules are grouped by syscall and printed
# in descending [priority] order; "$aN.hi32" / "$aN.lo32" are the upper
# and lower 32 bits of syscall argument N as seen in the registers.  The
# statements were flattened onto a few very long lines by whatever
# produced this page; since "#" comments run to end of line, the text as
# shown is not parseable -- restore one statement per line before reading
# it into any tool.  PFC is libseccomp's export-for-humans; the object
# actually enforced is the BPF program built from the same context, so
# treat this as documentation of intent, not as the loaded policy.
#
# 1. Dead rules.  Entries whose number prints as 4294957xxx (fstat64,
#    getegid32, geteuid32, getgid32, getuid32, _llseek, sigreturn, stat64,
#    fcntl64, mmap2) are i386 syscall names.  x86_64 has no native number
#    for them, so these look like libseccomp's negative pseudo-syscall
#    numbers printed unsigned (4294957286 == -10010 as int32); no real
#    x86_64 syscall carries such a number, so those branches never match.
#    Consequence: the argument-constrained "mmap2" rules (prot 5 only
#    with flags 2050, prot 3 only with flags 131106/2066/50/34, never a
#    write+exec combination) and the "fcntl64" cmd rules do nothing here,
#    while the native "mmap" (9) and "fcntl" (72) are ALLOWed with no
#    argument checks at all.  "mprotect" (10) never grants PROT_EXEC
#    (a2 is limited to 0, 1 and 3), but an unfiltered mmap(9) can still
#    create a writable+executable mapping.  If the mmap2/fcntl64
#    restrictions were meant to apply on x86_64, re-add them against
#    syscalls 9 and 72.
#
# 2. Pointer arguments.  The chown/chmod (a0), rename (a0, a1), openat
#    (a1), mremap (a0) and mprotect (a0 range) rules compare raw register
#    values with hi32 == 31462 (0x7ae6....).  seccomp never dereferences
#    user memory, so these pin the *addresses* of path buffers in the
#    process that generated the filter, not their contents: they hold
#    only for a process with that exact memory layout (ASLR breaks them
#    across runs), and code that writes a different string at the same
#    address passes the check unchanged.  Do not read them as a path
#    allowlist.  Note also mremap (25) KILLs the process outright when
#    a0 equals one pinned address (31462:1366200320).
#
# 3. open/openat flags.  "open" (2) and "openat" (257) return ERRNO(13)
#    (EACCES) when flags & 0xfff5f6ff == 0, i.e. when only bits within
#    0x000a0900 are set (on x86_64 these look like O_CLOEXEC, O_NOFOLLOW,
#    O_NONBLOCK, O_NOCTTY -- verify against the headers).  Any other flag
#    bits, including write modes, match no rule for open(2) and fall
#    through to the default TRAP.  The openat dirfd is compared two ways:
#    once as 0xffffffff:0xffffff9c (sign-extended -100 / AT_FDCWD) with a
#    single path and flags 591872, and once as 0x0:0xffffff9c (zero-
#    extended) with the long path list.  A caller whose wrapper
#    sign-extends the int dirfd will only ever reach the first form;
#    confirm which extension the real call sites produce before relying
#    on the second list.
#
# 4. Unfiltered process controls.  "clone" (56) is ALLOWed with no flags
#    filter (any CLONE_* flags pass, including namespace creation), as
#    are setrlimit, prlimit64, mlockall and wait4; "prctl" (157) is
#    limited to option 4 (looks like PR_SET_DUMPABLE -- verify).  execve
#    (59) is not listed and therefore hits the default action.  That
#    default is TRAP (SIGSYS), which is catchable: rt_sigaction is only
#    allowed for signals 1, 2, 10, 12, 13, 15, 17 and 25, so a SIGSYS (31)
#    handler cannot be installed after the filter loads, but one
#    installed beforehand survives.  The arch mismatch action is KILL.
# # pseudo filter code start # # filter for arch x86_64 (3221225534) if ($arch == 3221225534) # filter for syscall "fstat64" (4294957286) [priority: 65535] if ($syscall == 4294957286) action ALLOW; # filter for syscall "getegid32" (4294957281) [priority: 65535] if ($syscall == 4294957281) action ALLOW; # filter for syscall "geteuid32" (4294957280) [priority: 65535] if ($syscall == 4294957280) action ALLOW; # filter for syscall "getgid32" (4294957279) [priority: 65535] if ($syscall == 4294957279) action ALLOW; # filter for syscall "getuid32" (4294957275) [priority: 65535] if ($syscall == 4294957275) action ALLOW; # filter for syscall "_llseek" (4294957270) [priority: 65535] if ($syscall == 4294957270) action ALLOW; # filter for syscall "sigreturn" (4294957238) [priority: 65535] if ($syscall == 4294957238) action ALLOW; # filter for syscall "stat64" (4294957234) [priority: 65535] if ($syscall == 4294957234) action ALLOW; # filter for syscall "getrandom" (318) [priority: 65535] if ($syscall == 318) action ALLOW; # filter for syscall "prlimit64" (302) [priority: 65535] if ($syscall == 302) action ALLOW; # filter for syscall "pipe2" (293) [priority: 65535] if ($syscall == 293) action ALLOW; # filter for syscall "eventfd2" (290) [priority: 65535] if ($syscall == 290) action ALLOW; # filter for syscall "epoll_pwait" (281) [priority: 65535] if ($syscall == 281) action ALLOW; # filter for syscall "set_robust_list" (273) [priority: 65535] if ($syscall == 273) action ALLOW; # filter for syscall "epoll_wait" (232) [priority: 65535] if ($syscall == 232) action ALLOW; # filter for syscall "exit_group" (231) [priority: 65535] if ($syscall == 231) action ALLOW; # filter for syscall "clock_gettime" (228) [priority: 65535] if ($syscall == 228) action ALLOW; # filter for syscall "getdents64" (217) [priority: 65535] if ($syscall == 217) action ALLOW; # filter for syscall "epoll_create" (213) [priority: 65535] if ($syscall == 213) action ALLOW; # filter for syscall "sched_getaffinity" 
(204) [priority: 65535] if ($syscall == 204) action ALLOW; # filter for syscall "futex" (202) [priority: 65535] if ($syscall == 202) action ALLOW; # filter for syscall "gettid" (186) [priority: 65535] if ($syscall == 186) action ALLOW; # filter for syscall "setrlimit" (160) [priority: 65535] if ($syscall == 160) action ALLOW; # filter for syscall "_sysctl" (156) [priority: 65535] if ($syscall == 156) action ERRNO(1); # filter for syscall "mlockall" (151) [priority: 65535] if ($syscall == 151) action ALLOW; # filter for syscall "sigaltstack" (131) [priority: 65535] if ($syscall == 131) action ALLOW; # filter for syscall "getegid" (108) [priority: 65535] if ($syscall == 108) action ALLOW; # filter for syscall "geteuid" (107) [priority: 65535] if ($syscall == 107) action ALLOW; # filter for syscall "getgid" (104) [priority: 65535] if ($syscall == 104) action ALLOW; # filter for syscall "getuid" (102) [priority: 65535] if ($syscall == 102) action ALLOW; # filter for syscall "sysinfo" (99) [priority: 65535] if ($syscall == 99) action ALLOW; # filter for syscall "getrlimit" (97) [priority: 65535] if ($syscall == 97) action ALLOW; # filter for syscall "gettimeofday" (96) [priority: 65535] if ($syscall == 96) action ALLOW; # filter for syscall "fchmod" (91) [priority: 65535] if ($syscall == 91) action ALLOW; # filter for syscall "unlink" (87) [priority: 65535] if ($syscall == 87) action ALLOW; # filter for syscall "mkdir" (83) [priority: 65535] if ($syscall == 83) action ALLOW; # filter for syscall "getdents" (78) [priority: 65535] if ($syscall == 78) action ALLOW; # filter for syscall "fcntl" (72) [priority: 65535] if ($syscall == 72) action ALLOW; # filter for syscall "uname" (63) [priority: 65535] if ($syscall == 63) action ALLOW; # filter for syscall "wait4" (61) [priority: 65535] if ($syscall == 61) action ALLOW; # filter for syscall "exit" (60) [priority: 65535] if ($syscall == 60) action ALLOW; # filter for syscall "clone" (56) [priority: 65535] if ($syscall == 56) 
action ALLOW; # filter for syscall "getsockname" (51) [priority: 65535] if ($syscall == 51) action ALLOW; # filter for syscall "listen" (50) [priority: 65535] if ($syscall == 50) action ALLOW; # filter for syscall "bind" (49) [priority: 65535] if ($syscall == 49) action ALLOW; # filter for syscall "shutdown" (48) [priority: 65535] if ($syscall == 48) action ALLOW; # filter for syscall "recvmsg" (47) [priority: 65535] if ($syscall == 47) action ALLOW; # filter for syscall "sendmsg" (46) [priority: 65535] if ($syscall == 46) action ALLOW; # filter for syscall "recvfrom" (45) [priority: 65535] if ($syscall == 45) action ALLOW; # filter for syscall "sendto" (44) [priority: 65535] if ($syscall == 44) action ALLOW; # filter for syscall "connect" (42) [priority: 65535] if ($syscall == 42) action ALLOW; # filter for syscall "getpid" (39) [priority: 65535] if ($syscall == 39) action ALLOW; # filter for syscall "nanosleep" (35) [priority: 65535] if ($syscall == 35) action ALLOW; # filter for syscall "madvise" (28) [priority: 65535] if ($syscall == 28) action ALLOW; # filter for syscall "sched_yield" (24) [priority: 65535] if ($syscall == 24) action ALLOW; # filter for syscall "pipe" (22) [priority: 65535] if ($syscall == 22) action ALLOW; # filter for syscall "access" (21) [priority: 65535] if ($syscall == 21) action ALLOW; # filter for syscall "writev" (20) [priority: 65535] if ($syscall == 20) action ALLOW; # filter for syscall "rt_sigreturn" (15) [priority: 65535] if ($syscall == 15) action ALLOW; # filter for syscall "brk" (12) [priority: 65535] if ($syscall == 12) action ALLOW; # filter for syscall "munmap" (11) [priority: 65535] if ($syscall == 11) action ALLOW; # filter for syscall "mmap" (9) [priority: 65535] if ($syscall == 9) action ALLOW; # filter for syscall "lseek" (8) [priority: 65535] if ($syscall == 8) action ALLOW; # filter for syscall "poll" (7) [priority: 65535] if ($syscall == 7) action ALLOW; # filter for syscall "fstat" (5) [priority: 65535] if 
($syscall == 5) action ALLOW; # filter for syscall "stat" (4) [priority: 65535] if ($syscall == 4) action ALLOW; # filter for syscall "close" (3) [priority: 65535] if ($syscall == 3) action ALLOW; # filter for syscall "write" (1) [priority: 65535] if ($syscall == 1) action ALLOW; # filter for syscall "read" (0) [priority: 65535] if ($syscall == 0) action ALLOW; # filter for syscall "accept4" (288) [priority: 65533] if ($syscall == 288) if ($a3.hi32 & 0xffffffff == 0) if ($a3.lo32 & 0xfff7f7ff == 0) action ALLOW; # filter for syscall "time" (201) [priority: 65533] if ($syscall == 201) if ($a0.hi32 == 0) if ($a0.lo32 == 0) action ALLOW; # filter for syscall "prctl" (157) [priority: 65533] if ($syscall == 157) if ($a0.hi32 == 0) if ($a0.lo32 == 4) action ALLOW; # filter for syscall "chown" (92) [priority: 65533] if ($syscall == 92) if ($a0.hi32 == 31462) if ($a0.lo32 == 1387171840) action ALLOW; # filter for syscall "chmod" (90) [priority: 65533] if ($syscall == 90) if ($a0.hi32 == 31462) if ($a0.lo32 == 1387171840) action ALLOW; # filter for syscall "kill" (62) [priority: 65533] if ($syscall == 62) if ($a1.hi32 == 0) if ($a1.lo32 == 0) action ALLOW; # filter for syscall "ioctl" (16) [priority: 65533] if ($syscall == 16) if ($a1.hi32 == 0) if ($a1.lo32 == 35147) action ALLOW; # filter for syscall "open" (2) [priority: 65533] if ($syscall == 2) if ($a1.hi32 & 0xffffffff == 0) if ($a1.lo32 & 0xfff5f6ff == 0) action ERRNO(13); # filter for syscall "flock" (73) [priority: 65532] if ($syscall == 73) if ($a1.hi32 == 0) if ($a1.lo32 == 8) action ALLOW; if ($a1.lo32 == 6) action ALLOW; # filter for syscall "rt_sigprocmask" (14) [priority: 65532] if ($syscall == 14) if ($a0.hi32 == 0) if ($a0.lo32 == 2) action ALLOW; if ($a0.lo32 == 1) action ALLOW; # filter for syscall "epoll_ctl" (233) [priority: 65531] if ($syscall == 233) if ($a1.hi32 == 0) if ($a1.lo32 == 3) action ALLOW; if ($a1.lo32 == 2) action ALLOW; if ($a1.lo32 == 1) action ALLOW; # filter for syscall "socketpair" 
(53) [priority: 65531] if ($syscall == 53) if ($a0.hi32 == 0) if ($a0.lo32 == 1) if ($a1.hi32 == 0) if ($a1.lo32 == 524289) action ALLOW; # filter for syscall "mremap" (25) [priority: 65531] if ($syscall == 25) if ($a3.hi32 == 0) if ($a3.lo32 == 1) action ALLOW; if ($a0.hi32 == 31462) if ($a0.lo32 == 1366200320) action KILL; # filter for syscall "fcntl64" (4294957287) [priority: 65526] if ($syscall == 4294957287) if ($a1.hi32 == 0) if ($a1.lo32 == 4) if ($a2.hi32 == 0) if ($a2.lo32 == 2050) action ALLOW; if ($a1.lo32 == 3) action ALLOW; if ($a1.lo32 == 2) if ($a2.hi32 == 0) if ($a2.lo32 == 1) action ALLOW; if ($a1.lo32 == 1) action ALLOW; # filter for syscall "rt_sigaction" (13) [priority: 65526] if ($syscall == 13) if ($a0.hi32 == 0) if ($a0.lo32 == 25) action ALLOW; if ($a0.lo32 == 17) action ALLOW; if ($a0.lo32 == 15) action ALLOW; if ($a0.lo32 == 13) action ALLOW; if ($a0.lo32 == 12) action ALLOW; if ($a0.lo32 == 10) action ALLOW; if ($a0.lo32 == 2) action ALLOW; if ($a0.lo32 == 1) action ALLOW; # filter for syscall "setsockopt" (54) [priority: 65522] if ($syscall == 54) if ($a1.hi32 == 0) if ($a1.lo32 == 41) if ($a2.hi32 == 0) if ($a2.lo32 == 26) action ALLOW; if ($a1.lo32 == 1) if ($a2.hi32 == 0) if ($a2.lo32 == 32) action ALLOW; if ($a2.lo32 == 8) action ALLOW; if ($a2.lo32 == 7) action ALLOW; if ($a2.lo32 == 2) action ALLOW; if ($a1.lo32 == 0) if ($a2.hi32 == 0) if ($a2.lo32 == 19) action ALLOW; # filter for syscall "getsockopt" (55) [priority: 65520] if ($syscall == 55) if ($a1.hi32 == 0) if ($a1.lo32 == 41) if ($a2.hi32 == 0) if ($a2.lo32 == 80) action ALLOW; if ($a1.lo32 == 6) if ($a2.hi32 == 0) if ($a2.lo32 == 11) action ALLOW; if ($a1.lo32 == 1) if ($a2.hi32 == 0) if ($a2.lo32 == 30) action ALLOW; if ($a2.lo32 == 7) action ALLOW; if ($a2.lo32 == 4) action ALLOW; if ($a1.lo32 == 0) if ($a2.hi32 == 0) if ($a2.lo32 == 80) action ALLOW; # filter for syscall "mmap2" (4294957267) [priority: 65519] if ($syscall == 4294957267) if ($a2.hi32 == 0) if ($a2.lo32 
== 5) if ($a3.hi32 == 0) if ($a3.lo32 == 2050) action ALLOW; if ($a2.lo32 == 3) if ($a3.hi32 == 0) if ($a3.lo32 == 131106) action ALLOW; if ($a3.lo32 == 2066) action ALLOW; if ($a3.lo32 == 50) action ALLOW; if ($a3.lo32 == 34) action ALLOW; if ($a2.lo32 == 1) if ($a3.hi32 == 0) if ($a3.lo32 == 2) action ALLOW; if ($a2.lo32 == 0) if ($a3.hi32 == 0) if ($a3.lo32 == 16418) action ALLOW; # filter for syscall "mprotect" (10) [priority: 65518] if ($syscall == 10) if ($a2.hi32 == 0) if ($a2.lo32 == 1) action ALLOW; if ($a2.lo32 == 0) action ALLOW; if ($a0.hi32 > 31462) if ($a1.hi32 > 0) else if ($a1.hi32 == 0) if ($a1.lo32 > 20971520) else if ($a2.hi32 == 0) if ($a2.lo32 == 3) action ALLOW; else if ($a2.hi32 == 0) if ($a2.lo32 == 3) action ALLOW; else if ($a0.hi32 == 31462) if ($a0.lo32 >= 1366200320) else if ($a1.hi32 > 0) else if ($a1.hi32 == 0) if ($a1.lo32 > 20971520) else if ($a2.hi32 == 0) if ($a2.lo32 == 3) action ALLOW; else if ($a2.hi32 == 0) if ($a2.lo32 == 3) action ALLOW; if ($a0.lo32 > 1387174969) if ($a1.hi32 > 0) else if ($a1.hi32 == 0) if ($a1.lo32 > 20971520) else if ($a2.hi32 == 0) if ($a2.lo32 == 3) action ALLOW; else if ($a2.hi32 == 0) if ($a2.lo32 == 3) action ALLOW; else if ($a1.hi32 > 0) else if ($a1.hi32 == 0) if ($a1.lo32 > 20971520) else if ($a2.hi32 == 0) if ($a2.lo32 == 3) action ALLOW; else if ($a2.hi32 == 0) if ($a2.lo32 == 3) action ALLOW; # filter for syscall "socket" (41) [priority: 65505] if ($syscall == 41) if ($a0.hi32 == 0) if ($a0.lo32 == 16) if ($a1.hi32 & 0xffffffff == 0) if ($a1.lo32 & 0xfff7ffff == 3) if ($a2.hi32 == 0) if ($a2.lo32 == 0) action ALLOW; if ($a0.lo32 == 10) if ($a1.hi32 & 0xffffffff == 0) if ($a1.lo32 & 0xfff7f7ff == 2) if ($a2.hi32 == 0) if ($a2.lo32 == 17) action ALLOW; if ($a2.lo32 == 0) action ALLOW; if ($a1.lo32 & 0xfff7f7ff == 1) if ($a2.hi32 == 0) if ($a2.lo32 == 6) action ALLOW; if ($a0.lo32 == 2) if ($a1.hi32 & 0xffffffff == 0) if ($a1.lo32 & 0xfff7f7ff == 2) if ($a2.hi32 == 0) if ($a2.lo32 == 17) action 
ALLOW; if ($a2.lo32 == 0) action ALLOW; if ($a1.lo32 & 0xfff7f7ff == 1) if ($a2.hi32 == 0) if ($a2.lo32 == 6) action ALLOW; if ($a0.lo32 == 1) if ($a1.hi32 & 0xffffffff == 0) if ($a1.lo32 & 0xfff7f7ff == 2) if ($a2.hi32 == 0) if ($a2.lo32 == 0) action ALLOW; if ($a1.lo32 & 0xfff7f7ff == 1) action ALLOW; # filter for syscall "rename" (82) [priority: 65480] if ($syscall == 82) if ($a0.hi32 == 31462) if ($a0.lo32 == 1387173113) if ($a1.hi32 == 31462) if ($a1.lo32 == 1387173148) action ALLOW; if ($a0.lo32 == 1387173039) if ($a1.hi32 == 31462) if ($a1.lo32 == 1387173078) action ALLOW; if ($a0.lo32 == 1387172957) if ($a1.hi32 == 31462) if ($a1.lo32 == 1387173000) action ALLOW; if ($a0.lo32 == 1387172855) if ($a1.hi32 == 31462) if ($a1.lo32 == 1387172908) action ALLOW; if ($a0.lo32 == 1387172761) if ($a1.hi32 == 31462) if ($a1.lo32 == 1387172810) action ALLOW; if ($a0.lo32 == 1387172721) if ($a1.hi32 == 31462) if ($a1.lo32 == 1387172685) action ALLOW; if ($a0.lo32 == 1387172645) if ($a1.hi32 == 31462) if ($a1.lo32 == 1387172685) action ALLOW; if ($a0.lo32 == 1387172601) if ($a1.hi32 == 31462) if ($a1.lo32 == 1387172645) action ALLOW; if ($a0.lo32 == 1387172560) if ($a1.hi32 == 31462) if ($a1.lo32 == 1387172523) action ALLOW; if ($a0.lo32 == 1387172482) if ($a1.hi32 == 31462) if ($a1.lo32 == 1387172523) action ALLOW; if ($a0.lo32 == 1387172437) if ($a1.hi32 == 31462) if ($a1.lo32 == 1387172482) action ALLOW; if ($a0.lo32 == 1387172398) if ($a1.hi32 == 31462) if ($a1.lo32 == 1387172363) action ALLOW; if ($a0.lo32 == 1387172320) if ($a1.hi32 == 31462) if ($a1.lo32 == 1387171949) action ALLOW; if ($a0.lo32 == 1387172292) if ($a1.hi32 == 31462) if ($a1.lo32 == 1387172023) action ALLOW; if ($a0.lo32 == 1387172234) if ($a1.hi32 == 31462) if ($a1.lo32 == 1387172265) action ALLOW; if ($a0.lo32 == 1387172160) if ($a1.hi32 == 31462) if ($a1.lo32 == 1387172199) action ALLOW; if ($a0.lo32 == 1387172088) if ($a1.hi32 == 31462) if ($a1.lo32 == 1387172126) action ALLOW; if ($a0.lo32 == 
1387171949) if ($a1.hi32 == 31462) if ($a1.lo32 == 1387172363) action ALLOW; # filter for syscall "openat" (257) [priority: 65477] if ($syscall == 257) if ($a2.hi32 & 0xffffffff == 0) if ($a2.lo32 & 0xfff5f6ff == 0) action ERRNO(13); if ($a0.hi32 == 4294967295) if ($a0.lo32 == 4294967196) if ($a1.hi32 == 31462) if ($a1.lo32 == 1387173457) if ($a2.hi32 == 0) if ($a2.lo32 == 591872) action ALLOW; if ($a0.hi32 == 0) if ($a0.lo32 == 4294967196) if ($a1.hi32 == 31462) if ($a1.lo32 == 1387173434) action ALLOW; if ($a1.lo32 == 1387173389) action ALLOW; if ($a1.lo32 == 1387173346) action ALLOW; if ($a1.lo32 == 1387173308) action ALLOW; if ($a1.lo32 == 1387173295) action ALLOW; if ($a1.lo32 == 1387173282) action ALLOW; if ($a1.lo32 == 1387173270) action ALLOW; if ($a1.lo32 == 1387173259) action ALLOW; if ($a1.lo32 == 1387173245) action ALLOW; if ($a1.lo32 == 1387173228) action ALLOW; if ($a1.lo32 == 1387173213) action ALLOW; if ($a1.lo32 == 1387173179) action ALLOW; if ($a1.lo32 == 1387173148) action ALLOW; if ($a1.lo32 == 1387173113) action ALLOW; if ($a1.lo32 == 1387173078) action ALLOW; if ($a1.lo32 == 1387173039) action ALLOW; if ($a1.lo32 == 1387173000) action ALLOW; if ($a1.lo32 == 1387172957) action ALLOW; if ($a1.lo32 == 1387172908) action ALLOW; if ($a1.lo32 == 1387172855) action ALLOW; if ($a1.lo32 == 1387172810) action ALLOW; if ($a1.lo32 == 1387172761) action ALLOW; if ($a1.lo32 == 1387172721) action ALLOW; if ($a1.lo32 == 1387172685) action ALLOW; if ($a1.lo32 == 1387172645) action ALLOW; if ($a1.lo32 == 1387172601) action ALLOW; if ($a1.lo32 == 1387172560) action ALLOW; if ($a1.lo32 == 1387172523) action ALLOW; if ($a1.lo32 == 1387172482) action ALLOW; if ($a1.lo32 == 1387172437) action ALLOW; if ($a1.lo32 == 1387172398) action ALLOW; if ($a1.lo32 == 1387172363) action ALLOW; if ($a1.lo32 == 1387172320) action ALLOW; if ($a1.lo32 == 1387172292) action ALLOW; if ($a1.lo32 == 1387172265) action ALLOW; if ($a1.lo32 == 1387172234) action ALLOW; if ($a1.lo32 == 
1387172199) action ALLOW; if ($a1.lo32 == 1387172160) action ALLOW; if ($a1.lo32 == 1387172126) action ALLOW; if ($a1.lo32 == 1387172088) action ALLOW; if ($a1.lo32 == 1387172070) action ALLOW; if ($a1.lo32 == 1387172023) action ALLOW; if ($a1.lo32 == 1387171949) action ALLOW; if ($a1.lo32 == 1387171940) action ALLOW; if ($a1.lo32 == 1387171912) action ALLOW; if ($a1.lo32 == 1387171866) action ALLOW; if ($a1.lo32 == 1387171857) action ALLOW; # default action action TRAP; # invalid architecture action action KILL; # # pseudo filter code end #