Added regex prefiltering to watch_ebpf()

go.mod

@@ -111,7 +111,7 @@ require (
 	github.com/Velocidex/grok v0.0.1
 	github.com/Velocidex/ordereddict v0.0.0-20250821063524-02dc06e46238
 	github.com/Velocidex/sigma-go v0.0.0-20241113062227-c1c5ea4b5250
-	github.com/Velocidex/tracee_velociraptor v0.0.0-20250620124218-01f48d6fc3a1
+	github.com/Velocidex/tracee_velociraptor v0.0.0-20251231004915-03828c8ab890
 	github.com/Velocidex/yara-x-go v0.0.0-20251010010632-d8eaad9c539c
 	github.com/VirusTotal/gyp v0.9.1-0.20231202132633-bb35dbf177a6
 	github.com/alecthomas/kingpin/v2 v2.4.0
@@ -211,7 +211,7 @@ require (
 	github.com/charmbracelet/x/ansi v0.5.2 // indirect
 	github.com/charmbracelet/x/exp/strings v0.0.0-20241209212528-0eec74ecaa6f // indirect
 	github.com/charmbracelet/x/term v0.2.1 // indirect
-	github.com/cilium/ebpf v0.18.0 // indirect
+	github.com/cilium/ebpf v0.20.0 // indirect
 	github.com/clipperhouse/stringish v0.1.1 // indirect
 	github.com/clipperhouse/uax29/v2 v2.3.0 // indirect
 	github.com/cncf/xds/go v0.0.0-20251210132809-ee656c7534f5 // indirect
@@ -346,6 +346,7 @@ require (
 // replace github.com/Velocidex/WinPmem/go-winpmem => ../WinPmem/go-winpmem
 // replace github.com/Velocidex/sigma-go => ../sigma-go
 // replace github.com/Velocidex/tracee_velociraptor => ../tracee_velociraptor
+
 // replace github.com/Velocidex/fileb0x => ../fileb0x
 // replace github.com/Velocidex/go-ext4 => ../go-ext4
 // replace github.com/Velocidex/amsi => ../amsi

go.sum

@@ -124,8 +124,8 @@ github.com/Velocidex/sflags v0.3.1-0.20241126160332-cc1a5b66b8f1 h1:fLJ2AjY0dtDZ
 github.com/Velocidex/sflags v0.3.1-0.20241126160332-cc1a5b66b8f1/go.mod h1:UpFVihkMZWl2JRkVRiZYie0e2l7Ry+vjlCHCs6XVKGU=
 github.com/Velocidex/sigma-go v0.0.0-20241113062227-c1c5ea4b5250 h1:GhiTVVoHNhb0mzUDgieUwjfJeEaUHCHIVvV/mHzLQOI=
 github.com/Velocidex/sigma-go v0.0.0-20241113062227-c1c5ea4b5250/go.mod h1:ukLFs2t1+ud7MC4oN+zImhtTRP/eQHaDL3TwLs58uUA=
-github.com/Velocidex/tracee_velociraptor v0.0.0-20250620124218-01f48d6fc3a1 h1:kFFoB6xKCLsQ2Zx8zD+WsxgNHoS1scFhVvUtZI0t+oI=
-github.com/Velocidex/tracee_velociraptor v0.0.0-20250620124218-01f48d6fc3a1/go.mod h1:75otEEJL3ILNdRfZJUTo5q2jW4Cbshz/I5BxTfTanCc=
+github.com/Velocidex/tracee_velociraptor v0.0.0-20251231004915-03828c8ab890 h1:dnjK9G2vwFnD7YnfrUzsIjH+hePNeOqv7R8CtaOUXVA=
+github.com/Velocidex/tracee_velociraptor v0.0.0-20251231004915-03828c8ab890/go.mod h1:vs7ytTzZ8msanXo4AcCmCkvvdTdpt57C9vbN1325vPE=
 github.com/Velocidex/ttlcache/v2 v2.9.1-0.20240517145123-a3f45e86e130 h1:+QujZ0D7KSy3WJVchkOhMkvAUab6/CIisO5LCoN48q4=
 github.com/Velocidex/ttlcache/v2 v2.9.1-0.20240517145123-a3f45e86e130/go.mod h1:3/pI9BBAF7gydBWvMVtV7W1qRwshEG9lBwed/d8xfFg=
 github.com/Velocidex/yaml/v2 v2.2.8 h1:GUrSy4SBJ6RjGt43k6MeBKtw2z/27gh4A3hfFmFY3No=
@@ -251,8 +251,8 @@ github.com/charmbracelet/x/term v0.2.1/go.mod h1:oQ4enTYFV7QN4m0i9mzHrViD7TQKvNE
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
-github.com/cilium/ebpf v0.18.0 h1:OsSwqS4y+gQHxaKgg2U/+Fev834kdnsQbtzRnbVC6Gs=
-github.com/cilium/ebpf v0.18.0/go.mod h1:vmsAT73y4lW2b4peE+qcOqw6MxvWQdC+LiU5gd/xyo4=
+github.com/cilium/ebpf v0.20.0 h1:atwWj9d3NffHyPZzVlx3hmw1on5CLe9eljR8VuHTwhM=
+github.com/cilium/ebpf v0.20.0/go.mod h1:pzLjFymM+uZPLk/IXZUL63xdx5VXEo+enTzxkZXdycw=
 github.com/clayscode/Go-Splunk-HTTP/splunk/v2 v2.0.1-0.20221027171526-76a36be4fa02 h1:GpaHYwMLoDarNxagi3vGGzPsIMhO7LHGlMn9eHVXWK4=
 github.com/clayscode/Go-Splunk-HTTP/splunk/v2 v2.0.1-0.20221027171526-76a36be4fa02/go.mod h1:HxsMAwjIrYG2Afz/JB+a4HcALVNM0zTLTO5RZnf+OS8=
 github.com/clbanning/mxj v1.8.4 h1:HuhwZtbyvyOw+3Z1AowPkU87JkJUSv751ELWaiTpj8I=

vql/linux/ebpf/ebpf.go

@@ -6,6 +6,7 @@ package ebpf
 
 import (
 	"context"
+	"regexp"
 
 	"github.com/Velocidex/ordereddict"
 	"github.com/Velocidex/tracee_velociraptor/userspace/ebpf"
@@ -22,8 +23,9 @@ var (
 )
 
 type EBPFEventPluginArgs struct {
-	EventNames []string `vfilter:"required,field=events,doc=A list of event names to acquire."`
-	IncludeEnv bool     `vfilter:"optional,field=include_env,doc=Include process environment variables."`
+	EventNames     []string `vfilter:"required,field=events,doc=A list of event names to acquire."`
+	IncludeEnv     bool     `vfilter:"optional,field=include_env,doc=Include process environment variables."`
+	RegexPrefilter string   `vfilter:"optional,field=regex_prefilter,doc=A regex that must match the raw buffer before we process it."`
 }
 
 type EBPFEventPlugin struct{}
@@ -101,7 +103,21 @@ func (self EBPFEventPlugin) Call(
 
 		}
 
-		events_chan, closer, err := gEbpfManager.Watch(ctx, selected_events)
+		opts := ebpf.EBPFWatchOptions{
+			SelectedEvents: selected_events,
+		}
+
+		if arg.RegexPrefilter != "" {
+			re, err := regexp.Compile(arg.RegexPrefilter)
+			if err != nil {
+				scope.Log("watch_ebpf: Unable to compile regex_prefilter %v", err)
+				return
+			}
+
+			opts.Prefilter = re.Match
+		}
+
+		events_chan, closer, err := gEbpfManager.Watch(ctx, opts)
 		if err != nil {
 			scope.Log("watch_ebpf: %v", err)
 			return

vql/linux/ebpf/profile.go

@@ -32,6 +32,7 @@ func WriteProfile(ctx context.Context,
 			Set("EIDMonitored", stats.EIDMonitored).
 			Set("IdleTime", idle).
 			Set("IdleUnloadTimeout", stats.IdleUnloadTimeout.String()).
+			Set("PrefilteredCount", stats.PrefilterEventCount).
 			Set("EventCount", stats.EventCount)
 	}
 }

vql/networking/spy.go

@@ -24,23 +24,20 @@ func MaybeSpyOnWSDialer(
 	config_obj *config_proto.Config,
 	dialer *websocket.Dialer) *websocket.Dialer {
 
-	mu.Lock()
-	defer mu.Unlock()
-
 	if config_obj.Client == nil ||
 		config_obj.Client.InsecureNetworkTraceFile == "" {
 		return dialer
 	}
 
-	fd := getTraceFile(config_obj)
+	fd := GetTraceFile(config_obj)
 	if fd == nil {
 		return dialer
 	}
 
 	return spyOnWSDialer(dialer, fd)
 }
 
-func getTraceFile(config_obj *config_proto.Config) *os.File {
+func GetTraceFile(config_obj *config_proto.Config) *os.File {
 	mu.Lock()
 	defer mu.Unlock()
 
@@ -110,7 +107,7 @@ func MaybeSpyOnTransport(
 		return transport
 	}
 
-	fd := getTraceFile(config_obj)
+	fd := GetTraceFile(config_obj)
 	if fd == nil {
 		return transport
 	}