Created
August 21, 2014 14:57
-
-
Save errzey/191be50d235ee01e0d1f to your computer and use it in GitHub Desktop.
sample tsauditd filter
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Set(list) | |
| local set = {} | |
| for _, l in ipairs(list) do | |
| set[l] = true | |
| end | |
| return set | |
| end | |
| -- a set defining the syscalls which, if found, are processed to determine | |
| -- if we should filter or not. | |
| noisy_network_netcalls = Set{ 'connect', 'accept', 'accept4', 'recv', 'send' } | |
| -- this is a set of values of 'prot' that are accepted. If the value of | |
| -- the 'prot' key is NOT one of these, we drop it. | |
| noisy_network_protocols = Set{ 'ipv4', 'ipv6' } | |
| function filter_noisy_network(data) | |
| local firstent = data[1] | |
| if firstent['type'] == 'SOCKADDR' and not data[2] then | |
| -- An empty SOCKADDR message (no pid info or anything) | |
| return 1 | |
| end | |
| if firstent['type'] ~= 'SYSCALL' then | |
| return 0 | |
| end | |
| local syscall = firstent['syscall'] | |
| -- see if the syscall is in our set of 'filtered' syscalls | |
| if not noisy_network_netcalls[syscall] then | |
| -- the syscall did not match our filtered set, do don't filter. | |
| return 0 | |
| end | |
| local secondent = data[2] | |
| if not secondent then | |
| -- since the syscall matched our set, but there is | |
| -- not a second entry in the data, this means there is no | |
| -- actual socket information included, so just filter it. | |
| return 1 | |
| end | |
| if secondent['type'] ~= 'SOCKADDR' then | |
| -- the second entry in the data is not of a type 'SOCKADDR', | |
| -- so we shouldn't filter it. | |
| return 0 | |
| end | |
| local protocol = secondent['prot'] | |
| if not noisy_network_protocols[protocol] then | |
| -- this protocol was not found within the protocols set (ipv4 ipv6 etc) | |
| -- which means we don't want to deal with it, and is useless, so we drop. | |
| return 1 | |
| end | |
| return 0 | |
| end | |
| noisy_processes = Set{ 'whoopsie', 'irqbalance', 'top', 'dhclient3', 'VBoxService' } | |
| function filter_noisy_processes(data) | |
| local firstent = data[1] | |
| local comm = firstent['comm'] | |
| if not comm then | |
| return 0 | |
| end | |
| if noisy_processes[comm] then | |
| return 1 | |
| end | |
| return 0 | |
| end | |
| function tsaudit_filter(data) | |
| res = nil | |
| res = filter_noisy_network(data) | |
| if res ~= 0 then | |
| return res | |
| end | |
| res = filter_noisy_processes(data) | |
| if res ~= 0 then | |
| return res | |
| end | |
| return 0 | |
| end |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment