Describe the bug / how to reproduce it
Technically, the -b option is used to print buffers in base64 instead of raw string. I have tried it with the following rule:
```yaml
- rule: Read test
  desc: Read!
  condition: "(evt.type = read) and (evt.dir=<) and (evt.arg.data contains 'my favorite string')"
  output: Read the magic string (%evt.arg.data) from %proc.name and user %user.loginname with the following cmdline %proc.cmdline
  priority: ERROR
  tags:
    - test1
```
Then echo "my favorite string" in another terminal. Nothing appears, but if I remove the -b option from the Falco CLI it works. I suspect that the filter is also applying base64 encoding? 🤔
Expected behaviour
Rule triggers both with and without -b
Screenshots
Environment
Falco version: Tested with 0.38.x and 0.39.x, same behavior
System info:
```json
{
  "machine": "x86_64",
  "nodename": "87501b3e2718",
  "release": "6.8.0-1015-aws",
  "sysname": "Linux",
  "version": "#16~22.04.1-Ubuntu SMP Mon Aug 19 19:38:17 UTC 2024"
}
```
Cloud provider or hardware configuration: EC2
OS: Ubuntu 22.04
Kernel:
Linux 6.8.0-1015-aws #16~22.04.1-Ubuntu SMP Mon Aug 19 19:38:17 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
Installation method: Docker
Additional context
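As an added illustration (not code from the issue, from Falco or from libs), the following Python model shows why the rule above can stop matching under `-b`. It assumes two hypothetical placements of the base64 step: one where the encoding is applied at field-extraction time, so the condition's `contains` runs against base64 text, and one where the condition always sees the raw buffer and encoding happens only when the output line is rendered. The sample event and field names are constructed to mirror the `echo "my favorite string"` reproduction; the evaluator functions are assumptions, not a reading of the real implementation.

```python
"""
Model of why a Falco condition like
    evt.arg.data contains 'my favorite string'
stops matching when buffers are base64-encoded before the filter runs.
Added illustration only: the two evaluators are assumptions about where
the -b encoding step sits, not Falco/libs code.
"""
import base64

# Constructed sample event, modeled on `echo "my favorite string"` being
# read back from a terminal: a read() exit event with the line in its buffer.
SAMPLE_EVENT = {
    "evt.type": "read",
    "evt.dir": "<",          # exit side of the syscall
    "proc.name": "bash",
    "user.loginname": "ubuntu",
    "proc.cmdline": "bash",
    "evt.arg.data": b"my favorite string\n",
}

NEEDLE = "my favorite string"


def encode_buffer(raw: bytes, base64_buffers: bool) -> str:
    """Render a buffer field either raw or base64 (what -b asks for)."""
    if base64_buffers:
        return base64.b64encode(raw).decode("ascii")
    return raw.decode("utf-8", errors="replace")


def extract_fields(event: dict, base64_buffers: bool) -> dict:
    """Turn the event into the string fields the rule engine operates on."""
    return {
        k: (encode_buffer(v, base64_buffers) if isinstance(v, bytes) else v)
        for k, v in event.items()
    }


def condition(fields: dict) -> bool:
    """The rule's condition over already-extracted field strings:
    (evt.type = read) and (evt.dir=<) and (evt.arg.data contains NEEDLE)"""
    return (
        fields["evt.type"] == "read"
        and fields["evt.dir"] == "<"
        and NEEDLE in fields["evt.arg.data"]
    )


def render_output(fields: dict) -> str:
    """The rule's output line with its %field placeholders substituted."""
    return (
        f"Read the magic string ({fields['evt.arg.data']}) from {fields['proc.name']} "
        f"and user {fields['user.loginname']} with the following cmdline {fields['proc.cmdline']}"
    )


def evaluate_rule_encode_at_extraction(event: dict, base64_buffers: bool):
    """Hypothetical behaviour matching the report: -b is applied when the
    field is extracted, so the condition compares against base64 text."""
    fields = extract_fields(event, base64_buffers)
    if not condition(fields):
        return False, None
    return True, render_output(fields)


def evaluate_rule_encode_at_output(event: dict, base64_buffers: bool):
    """Expected behaviour: the condition always runs on the raw buffer and
    base64 is applied only to the fields used to render the output line."""
    if not condition(extract_fields(event, False)):
        return False, None
    return True, render_output(extract_fields(event, base64_buffers))


if __name__ == "__main__":
    for name, fn in (("encode-at-extraction", evaluate_rule_encode_at_extraction),
                     ("encode-at-output", evaluate_rule_encode_at_output)):
        for flag in (False, True):
            matched, out = fn(SAMPLE_EVENT, flag)
            print(f"{name:21s} -b={str(flag):5s} matched={matched} output={out!r}")
```

Running the block prints four lines: the extraction-time variant matches only without `-b`, while the output-time variant matches in both modes and shows the buffer as base64 only in the rendered output, which is the behaviour the issue expects.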
I think it's a bug, so I opened a PR on libs to fix it.
LucaGuerra changed the title from "falco -b option unclear or not working" to "falco -b option affects condition evaluation on filters like evt.arg.x" on Dec 20, 2024.