I am trying to create an exception for the following rule trigger where some of the fields are null. I want to disregard the alert if k8s.pod.name = null and some other conditions are true. I have tried several different conditions without success (not exists and != '""').
Given other issues here regarding the null value, I have thought about whether k8s.pod.name shouldn't be null in the first place. But I only see the fields as null with this specific proc.cmdline, so I'm assuming this is expected.
Here is the stdout from Falco.
{
  "hostname": "[...]",
  "output_fields": {
    "container.id": "[...]",
    "container.image.repository": null,
    "container.image.tag": null,
    "container.name": null,
    "evt.time.iso8601": 1734653069292140901,
    "evt.type": "connect",
    "fd.l4proto": "udp",
    "fd.lport": 443,
    "fd.name": "[...]",
    "fd.rport": 54126,
    "fd.type": "ipv4",
    "k8s.ns.name": null,
    "k8s.pod.name": null,
    "proc.cmdline": "python3 /image/hello/../world.py --some-args [...]",
    "proc.exepath": "",
    "proc.name": "python3",
    "proc.pname": null,
    "proc.tty": 0,
    "user.loginuid": -1,
    "user.name": "foo",
    "user.uid": 1000
  },
  "priority": "Notice",
  "rule": "Unexpected UDP Traffic",
  "source": "syscall",
  "tags": ["..."],
  "time": "2024-12-20T00:04:29.292140901Z"
}
I tried both not exists and != '""'. I used both the condition syntax and the exception syntax. Example:
- rule: Unexpected UDP Traffic
  desc: >
    Detecting UDP traffic ...
  condition: >
    inbound_outbound
    and fd.l4proto=udp
    and not expected_udp_traffic
    and not container.id = host
    and not (proc.args startswith /image/hello/../world.py and proc.name = python3 and user.uid = 1000 and fd.lport = 433 and not k8s.pod.name exists)

and

  exceptions:
    - name: startup_exception
      fields: [k8s.pod.name, proc.args, proc.name, user.uid, fd.lport]
      comps: [=, startswith, =, =, =]
      values:
        - ['""', /image/hello/../world.py, python3, 1000, 443]
I would really appreciate some guidance on how to write the filter correctly.
Thank you for all your hard work!
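The distinction the issue turns on is that a JSON `null`, an empty string `""` and an absent key are three different things: a comparison written against `'""'` will never match a field that is emitted as `null`. The following is an added example, not code from the issue or from the Falco project: a small post-filter over Falco's JSON stdout (`falco -o json_output=true | python3 filter.py`) that drops the alert described above only when `k8s.pod.name` is null or missing and the other conditions hold, and keeps everything else. The sample alert, the suppression predicate and all function names are constructed for this example.

```python
import json
import sys

# Constructed sample alert, modelled on the Falco JSON output quoted in the issue
# (placeholders shortened; field values are illustrative).
SAMPLE_ALERT = {
    "hostname": "node-1",
    "output_fields": {
        "container.id": "abc123",
        "k8s.ns.name": None,          # JSON null
        "k8s.pod.name": None,         # JSON null: this is what the exception must match
        "proc.cmdline": "python3 /image/hello/../world.py --some-args",
        "proc.name": "python3",
        "fd.l4proto": "udp",
        "fd.lport": 443,
        "user.uid": 1000,
    },
    "priority": "Notice",
    "rule": "Unexpected UDP Traffic",
    "source": "syscall",
}
SAMPLE_ALERT_JSON = json.dumps(SAMPLE_ALERT)

# Hypothetical exception from the issue, expressed as a predicate. The command line is
# matched literally, exactly as the rule's `startswith` would (no path normalisation).
EXPECTED_CMDLINE_PREFIX = "python3 /image/hello/../world.py"


def is_unset(fields, name):
    """True when a field is absent or JSON null. An empty string is a value, not unset."""
    return fields.get(name) is None


def should_suppress(alert):
    """Return True for the one alert shape the issue wants to disregard."""
    if alert.get("rule") != "Unexpected UDP Traffic":
        return False
    f = alert.get("output_fields", {})
    return (
        is_unset(f, "k8s.pod.name")
        and str(f.get("proc.cmdline", "")).startswith(EXPECTED_CMDLINE_PREFIX)
        and f.get("proc.name") == "python3"
        and f.get("user.uid") == 1000
        and f.get("fd.lport") == 443
    )


def make_alert(overrides):
    """Copy of SAMPLE_ALERT with selected output_fields replaced (demo helper)."""
    fields = dict(SAMPLE_ALERT["output_fields"])
    fields.update(overrides)
    return dict(SAMPLE_ALERT, output_fields=fields)


def filter_lines(lines):
    """Yield alert lines that are not suppressed; non-JSON lines pass through untouched."""
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            yield line  # never silently drop something we could not parse
            continue
        if not should_suppress(alert):
            yield line


def filter_text(text):
    """Convenience wrapper: filter a block of newline-separated output, return kept lines."""
    return list(filter_lines(text.splitlines(keepends=True)))


if __name__ == "__main__":
    for kept in filter_lines(sys.stdin):
        print(kept)
```

Note that `is_unset` deliberately treats `null` and a missing key alike, while an empty string still counts as a value; if the filter also had to cover the empty string case, that would need to be an explicit third branch rather than folded into the null check.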