Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add required dependency flag to signature selectors #4370

Open
NDStrahilevitz opened this issue Oct 28, 2024 · 0 comments
Open

Add required dependency flag to signature selectors #4370

NDStrahilevitz opened this issue Oct 28, 2024 · 0 comments

Comments

@NDStrahilevitz
Copy link
Collaborator

NDStrahilevitz commented Oct 28, 2024

Requirement

Signature event selectors currently serve de-facto as a "event dependency" mechanism similar to the one in the event definitions. There is a need to allow signatures to define selectors which do not automatically load the selected event (for example signatures which consume various optional signatures).

Solution

Option 1 - Discarded

Event dependencies have a required flag which indicates wether tracee should fail when the event is not available. A similar flag can be used here. In the context of signatures this will indicate that the signature can function without input from the selected event.

Option 2 - Selector Semantics Expansion

This cannot use the same semantics as required because required implies the necessary loading of the dependent. The semantics implied by this requirements are a "class of events which stream", somewhat similar to the selector semantics already existing. This implies to me that selector semantics should be expanded and fit for use also in derived events.

For example in our known case the particular selector required is "severity". This implies that selectors should in a sense just be context filters...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants