From d80d7ee7f3902f21b0de08d3eb1f24ce8f627c2d Mon Sep 17 00:00:00 2001 From: Leonardo Grasso Date: Wed, 15 Jan 2025 18:00:42 +0100 Subject: [PATCH 1/5] update(content): rework "condition syntax" section and add `len()` Signed-off-by: Leonardo Grasso --- content/en/docs/concepts/rules/conditions.md | 131 +++++++++++-------- 1 file changed, 73 insertions(+), 58 deletions(-) diff --git a/content/en/docs/concepts/rules/conditions.md b/content/en/docs/concepts/rules/conditions.md index 727660601..9fd09008e 100644 --- a/content/en/docs/concepts/rules/conditions.md +++ b/content/en/docs/concepts/rules/conditions.md @@ -7,101 +7,116 @@ aliases: - ../../rules/conditions --- -A condition is a boolean expression related to a single event that has been {{< glossary_tooltip text="detected" term_id="detection" >}} by Falco. You can use {{< glossary_tooltip text="fields" term_id="fields" >}} related to every supported event, but this document focuses on {{< glossary_tooltip text="syscalls" term_id="syscalls" >}} as they're currently the most common. The language supports boolean operators and parentheses as you'd expect. For example a condition like: +A Falco rule’s condition defines the filter that determines which events are {{< glossary_tooltip text="detected" term_id="detection" >}} by the rule. This condition is a boolean expression that evaluates to _true_ or _false_ for each event. If it evaluates to _true_, the rule triggers and generates an {{< glossary_tooltip text="alert" term_id="alerts" >}}. + +A condition can be viewed as a sequence of comparisons, each joined by [logical operators](#logical-operators). Parentheses can be used to define precedence. Each comparison uses a [comparison operator](#comparison-operators) between a field (on the left side), extracted from the input event, and a static or computed value (on the right side). You can also apply [transformers](#transformers) to the field to modify its extracted values before comparison. + +The set of {{< glossary_tooltip text="fields" term_id="fields" >}} available depends on the data source. For simplicity, this page focuses on {{< glossary_tooltip text="syscalls" term_id="syscalls" >}}, as they are among the most common. + +For example, the following condition triggers for each execution of `cat` or `grep`: ``` evt.type = execve and evt.dir = < and (proc.name = cat or proc.name = grep) ``` -This will trigger for each execution of `cat` or `grep`. Below you can take a closer look at what is the meaning of those fields such as `evt.dir`, how to discover the types of events available, and which fields are present with which event type. +## Operators -## Syscall event types, direction and args +You can use the below operators in Falco rule conditions. -Every syscall event will present the [`evt` field class](/docs/rules/supported-fields/#field-class-evt). Each condition that you write for those events will normally start with a `evt.type` expression or macro; this makes a lot of sense since security rules normally consider one syscall type at a time. For instance, you may want to consider `open` or `openat` to catch suspicious activity when opening files, `execve` to inspect spawned processes, and so forth. You don't have to guess the syscall name, as you can see the complete [list of supported system calls events](/docs/rules/supported-events) and understand which ones you can use. +### Logical operators -Every syscall has an entry event and an exit event which is shown in the `evt.dir` field, also known as the "direction" of the system call. A value of `>` indicates entry, which fires when the syscall is invoked, while `<` marks exit, meaning that the call has returned. In fact, by looking at the supported system call list you can see that our events have both entries. For example: +Operators | Description +:---------|:----------- +`and` | Logical AND operator to connect two or more comparisons (ie. `evt.type = open and fd.typechar='f'`). +`or` | Logical OR operator to connect two or more comparisons (ie. `proc.name = bash or proc.name = zsh`). +`not` | Logical NOT operator to negate a comparison (ie. `not proc.name = bash`). -``` -> setuid(UID uid) -< setuid(ERRNO res) -``` +### Comparison operators -Most of the time the engine informs you about exit events as you want to understand what happened after the event execution is complete. You can see by using the events associated with opening files. +Operators | Description +:---------|:----------- +`=`, `!=` | Equality and inequality operators. +`<=`, `<`, `>=`, `>` | Comparison operators for numeric values. +`contains`, `icontains` | For strings, these evaluate to true if a string contains another. `icontains` is case-insensitive. For flags, `contains` evaluates to true if the specified flag is set. For example: `proc.cmdline contains "-jar"`, `evt.arg.flags contains O_TRUNC`. +`startswith`, `endswith` | Checks the prefix or suffix of strings. +`glob` | Evaluates standard glob patterns. Example: `fd.name glob "/home/*/.ssh/*"`. +`in` | Evaluates whether the first set is completely contained in the second set. Example: `(b,c,d) in (a,b,c)` is `FALSE` because `d` is not found in `(a,b,c)`. +`intersects` | Evaluates whether the first set has at least one element in common with the second set. Example: `(b,c,d) intersects (a,b,c)` is `TRUE` because both sets contain `b` and `c`. +`pmatch` | Compares a file path against a set of file or directory prefixes. Example: `fd.name pmatch (/tmp/hello)` evaluates to true for `/tmp/hello`, `/tmp/hello/world` but not `/tmp/hello_world`. +`exists` | Checks whether a field is set. Example: `k8s.pod.name exists`. +`bcontains`, `bstartswith` | Work similarly to `contains` and `startswith` but allow byte matching against a raw string of bytes, taking a hexadecimal string as input. Examples: `evt.buffer bcontains CAFEBABE`, `evt.buffer bstartswith 012AB3CC`. +`regex` | Checks whether a string field matches a [Google RE2](https://github.com/google/re2/wiki/Syntax)-compatible regular expression. Note that `regex` can be considerably slower than simpler string operations. Example: `fd.name regex '[a-z]*/proc/[0-9]+/cmdline'`. -``` -> open() -< open(FD fd, FSPATH name, FLAGS32 flags, UINT32 mode, UINT32 dev) -> openat() -< openat(FD fd, FD dirfd, FSRELPATH name, FLAGS32 flags, UINT32 mode, UINT32 dev) -``` +## Transformers -As you can see, each event has a list of arguments associated with it that you can access by using `evt.arg.`. For example, to identify when a process opens a file to overwrite it, you need to check if the list of flags contains `O_TRUNC`. You can use the `evt.arg.flags` field of the `open` and `openat` exit events shown above and the rule will then look like this: +Falco supports basic transformations on fields within rule conditions. For instance, if you want to check for a case-insensitive process name, you can use: ``` -evt.type in (open, openat) and evt.dir = < and evt.arg.flags contains O_TRUNC +tolower(proc.name) = bash ``` -Note that the arguments do not necessarily match the raw parameters that are used in the Linux kernel, but are parsed by Falco to make it easier to write rules. By using the [`evt` fields](/docs/rules/supported-fields/#field-class-evt) we can inspect many more aspects that are common across events. - -## Syscall event context and metadata +The following transform operators are supported: -While the `evt` fields allow you to write pretty expressive conditions, arguments and common fields are usually not enough to write full security rules. Many times you want to add conditions based on the process context the event happens in, or whether or not something is happening inside a container or even correlate each event with the relevant Kubernetes metadata for the cluster, pods, and more. For this reason, Falco enriches many events with [other field classes](/docs/rules/supported-fields). Not all the classes are available for all the events and the list can grow. The documentation for each clarifies when those are expected to be available, but some are so common that you often rely on them. +Transformer | Description +:--------|:----------- +`tolower()` | Converts the input field to lowercase. +`toupper()` | Converts the input field to uppercase. +`b64()` | Decodes the input field from [Base64](https://en.wikipedia.org/wiki/Base64). +`basename()` | Extracts the filename without its directory path from the input field. Unlike the Unix `basename` program, `basename()` in Falco returns `""` if no filename is present. For example, `basename(proc.exepath)` is `"cat"` for `/usr/bin/cat` but `""` for `/usr/bin/`. +`len()` | Returns the length of the field: for LIST fields, the number of elements; for CHARBUF fields, the number of characters; and for BYTEBUF fields, the number of bytes. -The [`proc` field class](/docs/rules/supported-fields/#field-class-process) gives you the context about the process and thread that is generating a specific syscall. This information is usually very important. The most basic piece of information you can get out of it is `proc.name` and `proc.pid`, but you can even traverse the process hierarchy by using `proc.aname[]` and `proc.apid[]`. Likewise, you may be interested in which user performs a specific action via the `user` field class. +### Field evaluation (for right-hand side of comparisons) -The documentation gives you an example of how to catch executions of `bash` within containers: +Falco also lets you compare field values with other field values by using the `val()` special transformer on the right-hand side of a comparison. For instance, to detect processes that have the same name as their parent: ``` -evt.type = execve and evt.dir = < and container.id != host and proc.name = bash +proc.name = val(proc.pname) ``` -Note that you don't even have to look at the `execve` args. That is because once `execve` has returned the process context recorded by Falco is updated, meaning that the `proc.` fields will already refer to all information, including the command line, executable, arguments, related to the new process that was just spawned. - -## Transform operators - -Since Falco 0.38.0 you can perform basic transformation on fields in your rule condition. For instance, if you wish to check for a case insensitive process name you can write +Similarly, using transformations on both sides is supported: ``` -tolower(proc.name) = bash +tolower(proc.name) = tolower(proc.pname) ``` -The following transform operators are supported: +## Syscall event types, direction, and args -Operator | Description -:--------|:----------- -`tolower()` | Converts the input field to lower case -`toupper()` | Converts the input field to upper case -`b64()` | Decodes the input field from [Base64](https://en.wikipedia.org/wiki/Base64) -`basename()` | Extracts the base name, i.e. the filename without directory, of the input field. Note that the behavior of `basename()` in Falco is slightly different from the Unix `basename` program. For instance, `basename(proc.exepath)` will evaluate to `"cat"` for `/usr/bin/cat` but will evaluate to an empty string (`""`) for `/usr/bin/`. +Every syscall event includes the [`evt` field class](/docs/reference/rules/supported-fields/#field-class-evt). Each condition you write for these events typically begins with an `evt.type` expression or macro. This is practical because security rules often focus on one syscall type at a time. For instance, you might consider `open` or `openat` to detect suspicious activity when files are opened, or `execve` to inspect newly spawned processes. You do not have to guess the syscall name—simply refer to the complete [list of supported system call events](/docs/reference/rules/supported-fields/) for an overview of what you can use. -## Field evaluation operator +Each syscall has an entry event and an exit event, tracked by the `evt.dir` field, also referred to as the "direction" of the system call. A value of `>` indicates entry (when the syscall is invoked), while `<` marks exit (when the call has returned). By looking at the supported system call list, you will see that events have both entry and exit forms. For example: -Since Falco 0.38.0 you can also compare field values with other field values by using the `val()` operator on the right hand side of the expression. For instance, in order to write a condition that checks for processes that have the same name as their parent you can write +``` +> setuid(UID uid) +< setuid(ERRNO res) +``` + +In many cases, it is most useful to filter on exit events, because you want to know the outcome of the syscall once it has completed. For example, consider the file-opening events: ``` -proc.name = val(proc.pname) +> open() +< open(FD fd, FSPATH name, FLAGS32 flags, UINT32 mode, UINT32 dev) +> openat() +< openat(FD fd, FD dirfd, FSRELPATH name, FLAGS32 flags, UINT32 mode, UINT32 dev) ``` -Alternatively, using transformes on both sides of the comparison operator is also supported: +Each event has a list of arguments that you can access through `evt.arg.`. For instance, if you want to detect a process opening a file to overwrite it, check if the list of flags contains `O_TRUNC`: ``` -tolower(proc.name) = tolower(proc.pname) +evt.type in (open, openat) and evt.dir = < and evt.arg.flags contains O_TRUNC ``` -## Operators +Note that arguments do not necessarily match the raw parameters used in the Linux kernel; Falco may parse them in ways that make rule-writing more straightforward. By using the [`evt` fields](/docs/rules/supported-fields/#field-class-evt), you can inspect many other aspects common across different events. -You can use the following operators in conditions: +## Syscall event context and metadata -Operators | Description -:---------|:----------- -`=`, `!=` | Equality and inequality operators. -`<=`, `<`, `>=`, `>` | Comparison operators for numeric values. -`contains`, `icontains` | For strings will evaluate to true if a string contains another, and `icontains` is the case insensitive version. For flags it will evaluate to true if the flag is set. Examples: `proc.cmdline contains "-jar"`, `evt.arg.flags contains O_TRUNC`. -`startswith`, `endswith` | Check prefix or suffix of strings. -`glob` | Evaluate standard glob patterns. Example: `fd.name glob "/home/*/.ssh/*"`. -`in` | Evaluate if the provided set (could have just one element) is completely contained in another set. Example: `(b,c,d) in (a,b,c)` will evaluate `FALSE` since `d` is not contained in the compared set `(a,b,c)`. -`intersects` | Evaluate if the provided set (could have just one element) has at least one element in common with another set. Example: `(b,c,d) intersects (a,b,c)` will evaluate `TRUE` since both sets contain `b` and `c`. -`pmatch` | Compare a file path against a set of file or directory prefixes. Example: `fd.name pmatch (/tmp/hello)` will evaluate to true against `/tmp/hello`, `/tmp/hello/world` but not `/tmp/hello_world`. -`exists` | Check if a field is set. Example: `k8s.pod.name exists`. -`bcontains`, `bstartswith` | These operators work similarly to `contains` and `startswith` and allow performing byte matching against a raw string of bytes, accepting as input a hexadecimal string. Examples: `evt.buffer bcontains CAFEBABE`, `evt.buffer bstartswith 012AB3CC`. -`regex` | Check if a string field matches a regular expression. Please note that the `regex` operator is considerably slower (up to an order of magnitude) than the above operators that work with strings, which are highly recommended for simple comparisons. The supported regex flavor is from the [Google RE2](https://github.com/google/re2/wiki/Syntax) library. Example: `fd.name regex '[a-z]*/proc/[0-9]+/cmdline'`. +While the `evt` fields allow you to write expressive conditions, arguments and common fields alone are often insufficient for complete security rules. You might also need to consider the process context in which the event occurred, whether or not it happened inside a container, or how it correlates with Kubernetes metadata. To enable this, Falco enriches many events with [additional field classes](/docs/rules/supported-fields). Not all field classes are available for all events, and the list grows over time. Each field class’s documentation clarifies when those fields are expected to be present, but some are so common that rules often rely on them. + +The [`proc` field class](/docs/rules/supported-fields/#field-class-process) gives you context about the process and thread generating a specific syscall. This information is frequently very important. For example, you can use `proc.name` and `proc.pid`, or even traverse the process hierarchy with `proc.aname[]` and `proc.apid[]`. You can also see which user performed the action with the `user` field class. + +An example rule that detects whenever `bash` is executed inside a container could look like this: + +``` +evt.type = execve and evt.dir = < and container.id != host and proc.name = bash +``` + +Notice that you do not need to check the `execve` arguments. Once `execve` has returned, Falco updates the process context, so all `proc.` fields refer to the new process that was just spawned, including command line, executable path, arguments, and so on. From c6b512269882aa5ee63b751c7fa00cdd4939c9e6 Mon Sep 17 00:00:00 2001 From: Leonardo Grasso Date: Thu, 16 Jan 2025 11:17:17 +0100 Subject: [PATCH 2/5] update(content): improve comparison operators table Signed-off-by: Leonardo Grasso --- content/en/docs/concepts/rules/conditions.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/content/en/docs/concepts/rules/conditions.md b/content/en/docs/concepts/rules/conditions.md index 9fd09008e..1dd2edd7a 100644 --- a/content/en/docs/concepts/rules/conditions.md +++ b/content/en/docs/concepts/rules/conditions.md @@ -37,15 +37,15 @@ Operators | Description :---------|:----------- `=`, `!=` | Equality and inequality operators. `<=`, `<`, `>=`, `>` | Comparison operators for numeric values. -`contains`, `icontains` | For strings, these evaluate to true if a string contains another. `icontains` is case-insensitive. For flags, `contains` evaluates to true if the specified flag is set. For example: `proc.cmdline contains "-jar"`, `evt.arg.flags contains O_TRUNC`. -`startswith`, `endswith` | Checks the prefix or suffix of strings. +`contains`, `bcontains`, `icontains` | Strings are evaluated to be true if a string contains another. For flags, `contains` evaluates to true if the specified flag is set. For example: `proc.cmdline contains "-jar"`, `evt.arg.flags contains O_TRUNC`. The `icontains` variant works similarly but is case-insensitive. The `bcontains` variant allows byte matching against a raw string of bytes, taking a hexadecimal string as input. For example: `evt.buffer bcontains CAFEBABE` +`endswith` | Checks if a string start with a given suffix. +`exists` | Checks whether a field is set. Example: `k8s.pod.name exists`. `glob` | Evaluates standard glob patterns. Example: `fd.name glob "/home/*/.ssh/*"`. `in` | Evaluates whether the first set is completely contained in the second set. Example: `(b,c,d) in (a,b,c)` is `FALSE` because `d` is not found in `(a,b,c)`. `intersects` | Evaluates whether the first set has at least one element in common with the second set. Example: `(b,c,d) intersects (a,b,c)` is `TRUE` because both sets contain `b` and `c`. `pmatch` | Compares a file path against a set of file or directory prefixes. Example: `fd.name pmatch (/tmp/hello)` evaluates to true for `/tmp/hello`, `/tmp/hello/world` but not `/tmp/hello_world`. -`exists` | Checks whether a field is set. Example: `k8s.pod.name exists`. -`bcontains`, `bstartswith` | Work similarly to `contains` and `startswith` but allow byte matching against a raw string of bytes, taking a hexadecimal string as input. Examples: `evt.buffer bcontains CAFEBABE`, `evt.buffer bstartswith 012AB3CC`. `regex` | Checks whether a string field matches a [Google RE2](https://github.com/google/re2/wiki/Syntax)-compatible regular expression. Note that `regex` can be considerably slower than simpler string operations. Example: `fd.name regex '[a-z]*/proc/[0-9]+/cmdline'`. +`startswith` | Checks if a string ends with a given prefix. The `bstartswith` variant allows byte matching against a raw string of bytes, taking a hexadecimal string as input. For example: `evt.buffer bstartswith 012AB3CC`. ## Transformers From 0956f47d5f5275406b182bc736ff6e81c7dae491 Mon Sep 17 00:00:00 2001 From: Leonardo Grasso Date: Thu, 16 Jan 2025 11:26:39 +0100 Subject: [PATCH 3/5] update(content): move and rework pmatch into condition syntax section Signed-off-by: Leonardo Grasso --- content/en/docs/concepts/rules/conditions.md | 21 ++++++++- .../en/docs/concepts/rules/pmatch-operator.md | 44 ------------------- 2 files changed, 20 insertions(+), 45 deletions(-) delete mode 100644 content/en/docs/concepts/rules/pmatch-operator.md diff --git a/content/en/docs/concepts/rules/conditions.md b/content/en/docs/concepts/rules/conditions.md index 1dd2edd7a..cbb007ff1 100644 --- a/content/en/docs/concepts/rules/conditions.md +++ b/content/en/docs/concepts/rules/conditions.md @@ -5,6 +5,7 @@ linktitle: Condition Syntax weight: 40 aliases: - ../../rules/conditions +- ../../rules/pmatch-operator --- A Falco rule’s condition defines the filter that determines which events are {{< glossary_tooltip text="detected" term_id="detection" >}} by the rule. This condition is a boolean expression that evaluates to _true_ or _false_ for each event. If it evaluates to _true_, the rule triggers and generates an {{< glossary_tooltip text="alert" term_id="alerts" >}}. @@ -43,10 +44,28 @@ Operators | Description `glob` | Evaluates standard glob patterns. Example: `fd.name glob "/home/*/.ssh/*"`. `in` | Evaluates whether the first set is completely contained in the second set. Example: `(b,c,d) in (a,b,c)` is `FALSE` because `d` is not found in `(a,b,c)`. `intersects` | Evaluates whether the first set has at least one element in common with the second set. Example: `(b,c,d) intersects (a,b,c)` is `TRUE` because both sets contain `b` and `c`. -`pmatch` | Compares a file path against a set of file or directory prefixes. Example: `fd.name pmatch (/tmp/hello)` evaluates to true for `/tmp/hello`, `/tmp/hello/world` but not `/tmp/hello_world`. +`pmatch` | Compares a file path against a set of file or directory prefixes. Example: `fd.name pmatch (/tmp/hello)` evaluates to true for `/tmp/hello`, `/tmp/hello/world` but not `/tmp/hello_world`. More details in the [below section](#pmatch-operator). `regex` | Checks whether a string field matches a [Google RE2](https://github.com/google/re2/wiki/Syntax)-compatible regular expression. Note that `regex` can be considerably slower than simpler string operations. Example: `fd.name regex '[a-z]*/proc/[0-9]+/cmdline'`. `startswith` | Checks if a string ends with a given prefix. The `bstartswith` variant allows byte matching against a raw string of bytes, taking a hexadecimal string as input. For example: `evt.buffer bstartswith 012AB3CC`. +#### `pmatch` operator + +`pmatch` checks if any given path prefix matches a filesystem path in Falco fields like `fd.name`, `evt.rawarg.path`, or `fs.path.name`. For example: + +``` +fd.name pmatch (/var/run, /var/spool, /etc, /boot) +``` + +If `fd.name` is `/var/spool/maillog`, this expression is true; if it is `/opt/data/file.txt`, it is false. Internally, `pmatch` builds a tree-like structure from the right-hand side paths and traverses it with the left-hand side path components, returning true at the first matching leaf. + +`pmatch` can also include glob wildcards: + +``` +fd.name pmatch (/var/*/*.txt, /etc, /boot) +``` + +This still performs a prefix match. Unlike `glob`, which must fully match the path, `pmatch` succeeds if the path starts with one of the specified prefixes. Hence, `fd.name pmatch (/var/*)` matches `/var/run/file.txt`, while `fd.name glob /var/*` does not. Wildcards do not cross directory separators (see [glob.7](https://man7.org/linux/man-pages/man7/glob.7.html)). + ## Transformers Falco supports basic transformations on fields within rule conditions. For instance, if you want to check for a case-insensitive process name, you can use: diff --git a/content/en/docs/concepts/rules/pmatch-operator.md b/content/en/docs/concepts/rules/pmatch-operator.md deleted file mode 100644 index a5f3d998a..000000000 --- a/content/en/docs/concepts/rules/pmatch-operator.md +++ /dev/null @@ -1,44 +0,0 @@ ---- -title: Using the pmatch Operator to Match File System Paths -description: How the pmatch Operator Works -linktitle: Using pmatch Operator -weight: 100 -aliases: -- ../../rules/pmatch-operator ---- - -## Introduction - -This section provides more detail on the `pmatch` (prefix match) [operator](/docs/rules/conditions/#operators). - -### How `pmatch` Works - -The `pmatch` operator matches a left hand side filesystem path that is the value for a given falco field like `fd.name`, `evt.rawarg.path`, `fs.path.name`, etc. against a set of right hand side filesystem path prefixes. It returns true if any of the right hand side paths is a prefix of the left hand side path. Here's an example: - -``` -fd.name pmatch (/var/run, /var/spool, /etc, /boot) -``` - -If the value for `fd.name` were `/var/spool/maillog`, this expression would evaluate to true. If the value for `fd.name` were `/opt/data/file.txt`, this expression would evaluate to false. - -Functionally, it is equivalent to the following: - -``` -fd.name startswith /var/run or fd.name startswith /var/spool or fd.name startswith /etc or fd.name startswith /boot -``` - -However, using `pmatch` allows the comparison to be done in parallel, against all prefixes at once, instead of individually. - -The implementation of `pmatch` builds a tree-like data structure using all the right hand side paths, broken on directory separators, and then traverses the tree using the path components from the left hand side path. If the traversal gets to a leaf node in the tree, it evaluates to true. - -#### `pmatch` Can Contain Globs - -As of Falco 0.36, the right hand paths used by `pmatch` can contain glob wildcards. Here's an example: - -``` -fd.name pmatch (/var/*/*.txt, /etc, /boot) -``` - -This expression would evaluate to true for `/var/spool/log.txt` as well as `/var/run/file.txt`. - -This matching differs from the `glob` operator as `glob` requires the left hand side to fully match the glob, while `pmatch` still allows for a prefix match. So for an expression like `fd.name pmatch (/var/*)` vs `fd.name glob /var/*` and when fd.name has the value `/var/run/file.txt`, the pmatch expression would evaluate to true while the glob expression would not. When glob is evaluated against a path, wildcards don't cross directory separators. See the sentence "Globbing is applied on each of the components of a pathname separately." at the [man page](https://man7.org/linux/man-pages/man7/glob.7.html) for glob. From 53375dd8a897c8f569e7bbede9977c8e8a42f8df Mon Sep 17 00:00:00 2001 From: Leonardo Grasso Date: Thu, 16 Jan 2025 13:18:03 +0100 Subject: [PATCH 4/5] fix(content): missing `bstartwith` in comparison operators table Co-authored-by: Thomas Labarussias Signed-off-by: Leonardo Grasso --- content/en/docs/concepts/rules/conditions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/concepts/rules/conditions.md b/content/en/docs/concepts/rules/conditions.md index cbb007ff1..3b01715c8 100644 --- a/content/en/docs/concepts/rules/conditions.md +++ b/content/en/docs/concepts/rules/conditions.md @@ -46,7 +46,7 @@ Operators | Description `intersects` | Evaluates whether the first set has at least one element in common with the second set. Example: `(b,c,d) intersects (a,b,c)` is `TRUE` because both sets contain `b` and `c`. `pmatch` | Compares a file path against a set of file or directory prefixes. Example: `fd.name pmatch (/tmp/hello)` evaluates to true for `/tmp/hello`, `/tmp/hello/world` but not `/tmp/hello_world`. More details in the [below section](#pmatch-operator). `regex` | Checks whether a string field matches a [Google RE2](https://github.com/google/re2/wiki/Syntax)-compatible regular expression. Note that `regex` can be considerably slower than simpler string operations. Example: `fd.name regex '[a-z]*/proc/[0-9]+/cmdline'`. -`startswith` | Checks if a string ends with a given prefix. The `bstartswith` variant allows byte matching against a raw string of bytes, taking a hexadecimal string as input. For example: `evt.buffer bstartswith 012AB3CC`. +`startswith`, `bstartswith` | Checks if a string ends with a given prefix. The `bstartswith` variant allows byte matching against a raw string of bytes, taking a hexadecimal string as input. For example: `evt.buffer bstartswith 012AB3CC`. #### `pmatch` operator From e59fd219d7bb5afe008738198db0b10088a762cc Mon Sep 17 00:00:00 2001 From: Leonardo Grasso Date: Fri, 17 Jan 2025 13:19:12 +0100 Subject: [PATCH 5/5] fix(content): correct errors in "condition syntax" page Co-authored-by: Luca Guerra Signed-off-by: Leonardo Grasso --- content/en/docs/concepts/rules/conditions.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/en/docs/concepts/rules/conditions.md b/content/en/docs/concepts/rules/conditions.md index 3b01715c8..bbd572a28 100644 --- a/content/en/docs/concepts/rules/conditions.md +++ b/content/en/docs/concepts/rules/conditions.md @@ -39,14 +39,14 @@ Operators | Description `=`, `!=` | Equality and inequality operators. `<=`, `<`, `>=`, `>` | Comparison operators for numeric values. `contains`, `bcontains`, `icontains` | Strings are evaluated to be true if a string contains another. For flags, `contains` evaluates to true if the specified flag is set. For example: `proc.cmdline contains "-jar"`, `evt.arg.flags contains O_TRUNC`. The `icontains` variant works similarly but is case-insensitive. The `bcontains` variant allows byte matching against a raw string of bytes, taking a hexadecimal string as input. For example: `evt.buffer bcontains CAFEBABE` -`endswith` | Checks if a string start with a given suffix. +`endswith` | Checks if a string ends with a given suffix. `exists` | Checks whether a field is set. Example: `k8s.pod.name exists`. `glob` | Evaluates standard glob patterns. Example: `fd.name glob "/home/*/.ssh/*"`. `in` | Evaluates whether the first set is completely contained in the second set. Example: `(b,c,d) in (a,b,c)` is `FALSE` because `d` is not found in `(a,b,c)`. `intersects` | Evaluates whether the first set has at least one element in common with the second set. Example: `(b,c,d) intersects (a,b,c)` is `TRUE` because both sets contain `b` and `c`. `pmatch` | Compares a file path against a set of file or directory prefixes. Example: `fd.name pmatch (/tmp/hello)` evaluates to true for `/tmp/hello`, `/tmp/hello/world` but not `/tmp/hello_world`. More details in the [below section](#pmatch-operator). `regex` | Checks whether a string field matches a [Google RE2](https://github.com/google/re2/wiki/Syntax)-compatible regular expression. Note that `regex` can be considerably slower than simpler string operations. Example: `fd.name regex '[a-z]*/proc/[0-9]+/cmdline'`. -`startswith`, `bstartswith` | Checks if a string ends with a given prefix. The `bstartswith` variant allows byte matching against a raw string of bytes, taking a hexadecimal string as input. For example: `evt.buffer bstartswith 012AB3CC`. +`startswith`, `bstartswith` | Checks if a string starts with a given prefix. The `bstartswith` variant allows byte matching against a raw string of bytes, taking a hexadecimal string as input. For example: `evt.buffer bstartswith 012AB3CC`. #### `pmatch` operator