-
Notifications
You must be signed in to change notification settings - Fork 168
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add system call event field for fd.rip_rport and fd.sip_sport #1981
Comments
Big plus one -- funny was thinking about it the past days as I was working on some other stuff, telepathy? So definitely supportive! Question, would you want to give it a try or would you appreciate one of us taking it on? |
Hi - I would appreciate someone else looking at it as I am a little bit stretched for time at the moment. But it would be good if someone can tag me on the PRs so I can learn how to propose/make those changes next time. |
/assign /milestone 0.18.0 |
Actually @leogr since we plan to add a new operator called [What I am not clear of yet is how the casting of the ip to string will work or if the operator applies after the field was casted to a string like in the case of |
I think it's a slightly different use case - maybe it's the same . Example: Join([fd.rip, fd.rport], ":"]) in ("8.8.8.8:53","4.4.4.4:53") |
Missed to answer. Yes it would be an extension to allowing In the world of Spark there is for example https://spark.apache.org/docs/3.1.3/api/python/reference/api/pyspark.sql.functions.concat_ws.html Btw I personally would like |
When in the context of arrays in programming languages, it is common (at least for me) to use |
ACK, yeah as always it depends. New Proposal: Introduce 2 new operators
[nit] Maybe given above always have the Posting this idea here, but we should update the other issue and possibly create a new one for the concat use cases, assuming we wanted to go down that route. |
I like this proposal! Suggestions:
|
I'll offer some feedback here - if you are going to allow a fixed number of fields (2) to be concatenated then it's probably OK for the delimiter to go last. If you plan to allow an unlimited number of values to be concatenated, it might be best first, because it might become hard to read and interpret if it was last. |
+1 that's why many frameworks have it first and yes we should allow any number of fields so it's the most flexible interface. @leogr ok yes let's do |
Ok. I will update Meanwhile, I was thinking about an alternative way of implementing |
Nice, I would like to have both. Question: Can we support all use cases with an overloaded |
I like your latest suggestion @leogr - that is very flexible and I can see that easily supporting a number of use-cases. Either or both are good with me! |
Thanks @an1245 for posting 🙃 Great, @leogr yes everyone likes your suggestion. If we can also support the other version with a delimiter arg it would be nice, but likely we can all also just live with the solution you proposed. Thanks. |
/milestone 0.20.0 |
/milestone 0.21.0 |
Motivation
MISP server distributes some IP/port indicators using a category/type called ip-dst|port and ip-src|port - this is a combined field of IP:port (example: 8.8.8.8:53)
If we had a Falco field named fd.rip_rport and fd.sip_sport, I would be able to bring those indicators into a Falco list as a IP:Port pair (ex. items: ["8.8.8.8:53"] which would make it much cleaner than having to write a single rule for each - eg. fd.rip=IP and fd.rport=port
Feature
Please can we add a Falco field for fd.rip_rport and fd.sip_sport which is a combined IP:port pair.
Additional context
reference: https://github.com/an1245/falco-misp-connector
The text was updated successfully, but these errors were encountered: