falco -b option affects condition evaluation on filters like evt.arg.x #3437

Open
LucaGuerra opened this issue Dec 20, 2024 · 2 comments
LucaGuerra commented Dec 20, 2024

Describe the bug / how to reproduce it

Technically, the -b option is used to print buffers in base64 instead of as a raw string. I have tried it with the following rule:

```yaml
- rule: Read test
  desc: Read!
  condition: "(evt.type = read) and (evt.dir=<) and (evt.arg.data contains 'my favorite string')"
  output: Read the magic string (%evt.arg.data) from %proc.name and user %user.loginname with the following cmdline %proc.cmdline
  priority: ERROR
  tags:
    - test1
```

```shell
sudo docker run -v $(pwd)/rule_read.yaml:/etc/falco/falco_rules.local.yaml --name falco --rm -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro falcosecurity/falco:0.39.1 falco -A -b
```

Then echo "my favorite string" in another terminal. Nothing appears, but if I remove the -b option from the Falco CLI it works. I suspect that the filter is also applying base64 encoding? 🤔

Expected behaviour

Rule triggers both with and without -b

Screenshots

Environment

  • Falco version: Tested with 0.38.x and 0.39.x, same behavior
  • System info:

```json
{
  "machine": "x86_64",
  "nodename": "87501b3e2718",
  "release": "6.8.0-1015-aws",
  "sysname": "Linux",
  "version": "#16~22.04.1-Ubuntu SMP Mon Aug 19 19:38:17 UTC 2024"
}
```

  • Cloud provider or hardware configuration: EC2
  • OS: Ubuntu 22.04
  • Kernel:

```
Linux 6.8.0-1015-aws #16~22.04.1-Ubuntu SMP Mon Aug 19 19:38:17 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
```

  • Installation method: Docker

Additional context
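To make the reporter's suspicion concrete, here is a small Python model (added for illustration; it is not Falco's or libs' code and does not reproduce their internals) of the two ways a `contains` condition could be evaluated when a base64 output flag is set. The buffer, the needle and the function names are constructed for the example. It shows why a rule whose needle contains a space can never fire if the condition is checked against the base64-formatted value, and includes a sanity check a rule author can run against any needle.

```python
import base64

# Constructed sample buffer, standing in for the bytes a read() syscall
# returned; it is not captured from a real Falco run.
SAMPLE_READ_BUFFER = b"hello, my favorite string\n"
NEEDLE = "my favorite string"
BASE64_ALPHABET = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
)


def format_buffer(buf: bytes, base64_output: bool) -> str:
    """Render a buffer the way an output line shows it: raw text, or base64
    when a -b style flag is set (a model, not the engine's formatter)."""
    if base64_output:
        return base64.b64encode(buf).decode("ascii")
    return buf.decode("utf-8", errors="replace")


def condition_on_formatted_value(buf: bytes, base64_output: bool) -> bool:
    """Models the suspected bug: 'evt.arg.data contains ...' is evaluated
    on the value after output formatting has already been applied."""
    return NEEDLE in format_buffer(buf, base64_output)


def condition_on_raw_value(buf: bytes) -> bool:
    """Models the expected behaviour: the condition compares against the raw
    bytes, so the output format cannot change whether the rule fires."""
    return NEEDLE.encode("utf-8") in buf


def evaluate_rule(buf: bytes, base64_output: bool, filter_on_raw: bool):
    """Return (fired, output_line) for the rule from the report.
    `filter_on_raw` selects which of the two evaluation models is used."""
    if filter_on_raw:
        matched = condition_on_raw_value(buf)
    else:
        matched = condition_on_formatted_value(buf, base64_output)
    if not matched:
        return False, None
    # Output formatting is the only place the base64 flag should matter.
    return True, f"Read the magic string ({format_buffer(buf, base64_output)})"


def needle_can_match_base64(needle: str) -> bool:
    """Sanity check for rule authors: if a condition were evaluated on a
    base64-encoded buffer, a needle containing any character outside the
    base64 alphabet (spaces, most punctuation) could never match."""
    return all(ch in BASE64_ALPHABET for ch in needle)


if __name__ == "__main__":
    for b64 in (False, True):
        print(
            "-b" if b64 else "no -b",
            "| filter on formatted value:",
            evaluate_rule(SAMPLE_READ_BUFFER, b64, filter_on_raw=False),
            "| filter on raw value:",
            evaluate_rule(SAMPLE_READ_BUFFER, b64, filter_on_raw=True),
        )
    print("needle could ever match a base64 value:", needle_can_match_base64(NEEDLE))
```

Running it prints that the "filter on formatted value" model fires without the flag and goes silent with it, exactly the symptom in the report, while the "filter on raw value" model fires in both cases and only the rendered buffer in the output line changes. The last line is the practical check: a needle with a space can never appear inside base64 output, so a rule that stops firing under a base64 output flag is a detection gap rather than a change in the monitored activity.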

LucaGuerra (Contributor, Author) commented:

Ah, that may be because I used arg instead of rawarg, but still it feels a bit odd.

LucaGuerra (Contributor, Author) commented:

I think it's a bug, so I opened a PR on libs to fix it.

LucaGuerra changed the title from "falco -b option unclear or not working" to "falco -b option affects condition evaluation on filters like evt.arg.x" on Dec 20, 2024.