# # pseudo filter code start # # filter for arch x86_64 (3221225534) if ($arch == 3221225534) # filter for syscall "exit_group" (231) [priority: 65535] if ($syscall == 231) action LOG; # filter for syscall "exit" (60) [priority: 65535] if ($syscall == 60) action TRACE(1); # filter for syscall "fstat" (5) [priority: 65535] if ($syscall == 5) action KILL_PROCESS; # filter for syscall "close" (3) [priority: 65535] if ($syscall == 3) action ERRNO(1); # filter for syscall "open" (2) [priority: 65535] if ($syscall == 2) action KILL; # filter for syscall "write" (1) [priority: 65527] if ($syscall == 1) if ($a0.hi32 == 0) if ($a0.lo32 == 0) else if ($a1.hi32 > 0) else if ($a1.hi32 == 0) if ($a1.lo32 > 1) else if ($a2.hi32 > 0) else if ($a2.hi32 == 0) if ($a2.lo32 >= 2) else action TRAP; else action TRAP; else if ($a2.hi32 > 0) else if ($a2.hi32 == 0) if ($a2.lo32 >= 2) else action TRAP; else action TRAP; else if ($a1.hi32 > 0) else if ($a1.hi32 == 0) if ($a1.lo32 > 1) else if ($a2.hi32 > 0) else if ($a2.hi32 == 0) if ($a2.lo32 >= 2) else action TRAP; else action TRAP; else if ($a2.hi32 > 0) else if ($a2.hi32 == 0) if ($a2.lo32 >= 2) else action TRAP; else action TRAP; # filter for syscall "read" (0) [priority: 65525] if ($syscall == 0) if ($a0.hi32 == 0) if ($a0.lo32 == 0) if ($a1.hi32 > 0) if ($a2.hi32 > 0) if ($a3.hi32 & 0x00000000 == 0) if ($a3.lo32 & 0x0000000f == 3) action KILL; else if ($a2.hi32 == 0) if ($a2.lo32 > 2) if ($a3.hi32 & 0x00000000 == 0) if ($a3.lo32 & 0x0000000f == 3) action KILL; else if ($a1.hi32 == 0) if ($a1.lo32 >= 1) if ($a2.hi32 > 0) if ($a3.hi32 & 0x00000000 == 0) if ($a3.lo32 & 0x0000000f == 3) action KILL; else if ($a2.hi32 == 0) if ($a2.lo32 > 2) if ($a3.hi32 & 0x00000000 == 0) if ($a3.lo32 & 0x0000000f == 3) action KILL; # default action action ALLOW; # filter for arch x86 (1073741827) if ($arch == 1073741827) # filter for syscall "exit_group" (252) [priority: 65535] if ($syscall == 252) action LOG; # filter for syscall "fstat" (108) [priority: 65535] if ($syscall == 108) action KILL_PROCESS; # filter for syscall "close" (6) [priority: 65535] if ($syscall == 6) action ERRNO(1); # filter for syscall "open" (5) [priority: 65535] if ($syscall == 5) action KILL; # filter for syscall "exit" (1) [priority: 65535] if ($syscall == 1) action TRACE(1); # filter for syscall "write" (4) [priority: 65532] if ($syscall == 4) if ($a0 == 0) else if ($a1 > 1) else if ($a2 >= 2) else action TRAP; # filter for syscall "read" (3) [priority: 65531] if ($syscall == 3) if ($a0 == 0) if ($a1 >= 1) if ($a2 > 2) if ($a3 & 0x0000000f == 3) action KILL; # default action action ALLOW; # filter for arch x32 (3221225534) if ($arch == 3221225534) # filter for syscall "exit_group" (1073742055) [priority: 65535] if ($syscall == 1073742055) action LOG; # filter for syscall "exit" (1073741884) [priority: 65535] if ($syscall == 1073741884) action TRACE(1); # filter for syscall "fstat" (1073741829) [priority: 65535] if ($syscall == 1073741829) action KILL_PROCESS; # filter for syscall "close" (1073741827) [priority: 65535] if ($syscall == 1073741827) action ERRNO(1); # filter for syscall "open" (1073741826) [priority: 65535] if ($syscall == 1073741826) action KILL; # filter for syscall "write" (1073741825) [priority: 65532] if ($syscall == 1073741825) if ($a0 == 0) else if ($a1 > 1) else if ($a2 >= 2) else action TRAP; # filter for syscall "read" (1073741824) [priority: 65531] if ($syscall == 1073741824) if ($a0 == 0) if ($a1 >= 1) if ($a2 > 2) if ($a3 & 0x0000000f == 3) action KILL; # default action action ALLOW; # filter for arch arm (1073741864) if ($arch == 1073741864) # filter for syscall "exit_group" (248) [priority: 65535] if ($syscall == 248) action LOG; # filter for syscall "fstat" (108) [priority: 65535] if ($syscall == 108) action KILL_PROCESS; # filter for syscall "close" (6) [priority: 65535] if ($syscall == 6) action ERRNO(1); # filter for syscall "open" (5) [priority: 65535] if ($syscall == 5) action KILL; # filter for syscall "exit" (1) [priority: 65535] if ($syscall == 1) action TRACE(1); # filter for syscall "write" (4) [priority: 65532] if ($syscall == 4) if ($a0 == 0) else if ($a1 > 1) else if ($a2 >= 2) else action TRAP; # filter for syscall "read" (3) [priority: 65531] if ($syscall == 3) if ($a0 == 0) if ($a1 >= 1) if ($a2 > 2) if ($a3 & 0x0000000f == 3) action KILL; # default action action ALLOW; # filter for arch aarch64 (3221225655) if ($arch == 3221225655) # filter for syscall "open" (4294957130) [priority: 65535] if ($syscall == 4294957130) action KILL; # filter for syscall "exit_group" (94) [priority: 65535] if ($syscall == 94) action LOG; # filter for syscall "exit" (93) [priority: 65535] if ($syscall == 93) action TRACE(1); # filter for syscall "fstat" (80) [priority: 65535] if ($syscall == 80) action KILL_PROCESS; # filter for syscall "close" (57) [priority: 65535] if ($syscall == 57) action ERRNO(1); # filter for syscall "write" (64) [priority: 65527] if ($syscall == 64) if ($a0.hi32 == 0) if ($a0.lo32 == 0) else if ($a1.hi32 > 0) else if ($a1.hi32 == 0) if ($a1.lo32 > 1) else if ($a2.hi32 > 0) else if ($a2.hi32 == 0) if ($a2.lo32 >= 2) else action TRAP; else action TRAP; else if ($a2.hi32 > 0) else if ($a2.hi32 == 0) if ($a2.lo32 >= 2) else action TRAP; else action TRAP; else if ($a1.hi32 > 0) else if ($a1.hi32 == 0) if ($a1.lo32 > 1) else if ($a2.hi32 > 0) else if ($a2.hi32 == 0) if ($a2.lo32 >= 2) else action TRAP; else action TRAP; else if ($a2.hi32 > 0) else if ($a2.hi32 == 0) if ($a2.lo32 >= 2) else action TRAP; else action TRAP; # filter for syscall "read" (63) [priority: 65525] if ($syscall == 63) if ($a0.hi32 == 0) if ($a0.lo32 == 0) if ($a1.hi32 > 0) if ($a2.hi32 > 0) if ($a3.hi32 & 0x00000000 == 0) if ($a3.lo32 & 0x0000000f == 3) action KILL; else if ($a2.hi32 == 0) if ($a2.lo32 > 2) if ($a3.hi32 & 0x00000000 == 0) if ($a3.lo32 & 0x0000000f == 3) action KILL; else if ($a1.hi32 == 0) if ($a1.lo32 >= 1) if ($a2.hi32 > 0) if ($a3.hi32 & 0x00000000 == 0) if ($a3.lo32 & 0x0000000f == 3) action KILL; else if ($a2.hi32 == 0) if ($a2.lo32 > 2) if ($a3.hi32 & 0x00000000 == 0) if ($a3.lo32 & 0x0000000f == 3) action KILL; # default action action ALLOW; # filter for arch mipsel (1073741832) if ($arch == 1073741832) # filter for syscall "exit_group" (4246) [priority: 65535] if ($syscall == 4246) action LOG; # filter for syscall "fstat" (4108) [priority: 65535] if ($syscall == 4108) action KILL_PROCESS; # filter for syscall "close" (4006) [priority: 65535] if ($syscall == 4006) action ERRNO(1); # filter for syscall "open" (4005) [priority: 65535] if ($syscall == 4005) action KILL; # filter for syscall "exit" (4001) [priority: 65535] if ($syscall == 4001) action TRACE(1); # filter for syscall "write" (4004) [priority: 65532] if ($syscall == 4004) if ($a0 == 0) else if ($a1 > 1) else if ($a2 >= 2) else action TRAP; # filter for syscall "read" (4003) [priority: 65531] if ($syscall == 4003) if ($a0 == 0) if ($a1 >= 1) if ($a2 > 2) if ($a3 & 0x0000000f == 3) action KILL; # default action action ALLOW; # filter for arch mipsel64 (3221225480) if ($arch == 3221225480) # filter for syscall "exit_group" (5205) [priority: 65535] if ($syscall == 5205) action LOG; # filter for syscall "exit" (5058) [priority: 65535] if ($syscall == 5058) action TRACE(1); # filter for syscall "fstat" (5005) [priority: 65535] if ($syscall == 5005) action KILL_PROCESS; # filter for syscall "close" (5003) [priority: 65535] if ($syscall == 5003) action ERRNO(1); # filter for syscall "open" (5002) [priority: 65535] if ($syscall == 5002) action KILL; # filter for syscall "write" (5001) [priority: 65527] if ($syscall == 5001) if ($a0.hi32 == 0) if ($a0.lo32 == 0) else if ($a1.hi32 > 0) else if ($a1.hi32 == 0) if ($a1.lo32 > 1) else if ($a2.hi32 > 0) else if ($a2.hi32 == 0) if ($a2.lo32 >= 2) else action TRAP; else action TRAP; else if ($a2.hi32 > 0) else if ($a2.hi32 == 0) if ($a2.lo32 >= 2) else action TRAP; else action TRAP; else if ($a1.hi32 > 0) else if ($a1.hi32 == 0) if ($a1.lo32 > 1) else if ($a2.hi32 > 0) else if ($a2.hi32 == 0) if ($a2.lo32 >= 2) else action TRAP; else action TRAP; else if ($a2.hi32 > 0) else if ($a2.hi32 == 0) if ($a2.lo32 >= 2) else action TRAP; else action TRAP; # filter for syscall "read" (5000) [priority: 65525] if ($syscall == 5000) if ($a0.hi32 == 0) if ($a0.lo32 == 0) if ($a1.hi32 > 0) if ($a2.hi32 > 0) if ($a3.hi32 & 0x00000000 == 0) if ($a3.lo32 & 0x0000000f == 3) action KILL; else if ($a2.hi32 == 0) if ($a2.lo32 > 2) if ($a3.hi32 & 0x00000000 == 0) if ($a3.lo32 & 0x0000000f == 3) action KILL; else if ($a1.hi32 == 0) if ($a1.lo32 >= 1) if ($a2.hi32 > 0) if ($a3.hi32 & 0x00000000 == 0) if ($a3.lo32 & 0x0000000f == 3) action KILL; else if ($a2.hi32 == 0) if ($a2.lo32 > 2) if ($a3.hi32 & 0x00000000 == 0) if ($a3.lo32 & 0x0000000f == 3) action KILL; # default action action ALLOW; # filter for arch mipsel64n32 (3758096392) if ($arch == 3758096392) # filter for syscall "exit_group" (6205) [priority: 65535] if ($syscall == 6205) action LOG; # filter for syscall "exit" (6058) [priority: 65535] if ($syscall == 6058) action TRACE(1); # filter for syscall "fstat" (6005) [priority: 65535] if ($syscall == 6005) action KILL_PROCESS; # filter for syscall "close" (6003) [priority: 65535] if ($syscall == 6003) action ERRNO(1); # filter for syscall "open" (6002) [priority: 65535] if ($syscall == 6002) action KILL; # filter for syscall "write" (6001) [priority: 65532] if ($syscall == 6001) if ($a0 == 0) else if ($a1 > 1) else if ($a2 >= 2) else action TRAP; # filter for syscall "read" (6000) [priority: 65531] if ($syscall == 6000) if ($a0 == 0) if ($a1 >= 1) if ($a2 > 2) if ($a3 & 0x0000000f == 3) action KILL; # default action action ALLOW; # filter for arch ppc64le (3221225493) if ($arch == 3221225493) # filter for syscall "exit_group" (234) [priority: 65535] if ($syscall == 234) action LOG; # filter for syscall "fstat" (108) [priority: 65535] if ($syscall == 108) action KILL_PROCESS; # filter for syscall "close" (6) [priority: 65535] if ($syscall == 6) action ERRNO(1); # filter for syscall "open" (5) [priority: 65535] if ($syscall == 5) action KILL; # filter for syscall "exit" (1) [priority: 65535] if ($syscall == 1) action TRACE(1); # filter for syscall "write" (4) [priority: 65527] if ($syscall == 4) if ($a0.hi32 == 0) if ($a0.lo32 == 0) else if ($a1.hi32 > 0) else if ($a1.hi32 == 0) if ($a1.lo32 > 1) else if ($a2.hi32 > 0) else if ($a2.hi32 == 0) if ($a2.lo32 >= 2) else action TRAP; else action TRAP; else if ($a2.hi32 > 0) else if ($a2.hi32 == 0) if ($a2.lo32 >= 2) else action TRAP; else action TRAP; else if ($a1.hi32 > 0) else if ($a1.hi32 == 0) if ($a1.lo32 > 1) else if ($a2.hi32 > 0) else if ($a2.hi32 == 0) if ($a2.lo32 >= 2) else action TRAP; else action TRAP; else if ($a2.hi32 > 0) else if ($a2.hi32 == 0) if ($a2.lo32 >= 2) else action TRAP; else action TRAP; # filter for syscall "read" (3) [priority: 65525] if ($syscall == 3) if ($a0.hi32 == 0) if ($a0.lo32 == 0) if ($a1.hi32 > 0) if ($a2.hi32 > 0) if ($a3.hi32 & 0x00000000 == 0) if ($a3.lo32 & 0x0000000f == 3) action KILL; else if ($a2.hi32 == 0) if ($a2.lo32 > 2) if ($a3.hi32 & 0x00000000 == 0) if ($a3.lo32 & 0x0000000f == 3) action KILL; else if ($a1.hi32 == 0) if ($a1.lo32 >= 1) if ($a2.hi32 > 0) if ($a3.hi32 & 0x00000000 == 0) if ($a3.lo32 & 0x0000000f == 3) action KILL; else if ($a2.hi32 == 0) if ($a2.lo32 > 2) if ($a3.hi32 & 0x00000000 == 0) if ($a3.lo32 & 0x0000000f == 3) action KILL; # default action action ALLOW; # filter for arch riscv64 (3221225715) if ($arch == 3221225715) # filter for syscall "open" (4294957130) [priority: 65535] if ($syscall == 4294957130) action KILL; # filter for syscall "exit_group" (94) [priority: 65535] if ($syscall == 94) action LOG; # filter for syscall "exit" (93) [priority: 65535] if ($syscall == 93) action TRACE(1); # filter for syscall "fstat" (80) [priority: 65535] if ($syscall == 80) action KILL_PROCESS; # filter for syscall "close" (57) [priority: 65535] if ($syscall == 57) action ERRNO(1); # filter for syscall "write" (64) [priority: 65527] if ($syscall == 64) if ($a0.hi32 == 0) if ($a0.lo32 == 0) else if ($a1.hi32 > 0) else if ($a1.hi32 == 0) if ($a1.lo32 > 1) else if ($a2.hi32 > 0) else if ($a2.hi32 == 0) if ($a2.lo32 >= 2) else action TRAP; else action TRAP; else if ($a2.hi32 > 0) else if ($a2.hi32 == 0) if ($a2.lo32 >= 2) else action TRAP; else action TRAP; else if ($a1.hi32 > 0) else if ($a1.hi32 == 0) if ($a1.lo32 > 1) else if ($a2.hi32 > 0) else if ($a2.hi32 == 0) if ($a2.lo32 >= 2) else action TRAP; else action TRAP; else if ($a2.hi32 > 0) else if ($a2.hi32 == 0) if ($a2.lo32 >= 2) else action TRAP; else action TRAP; # filter for syscall "read" (63) [priority: 65525] if ($syscall == 63) if ($a0.hi32 == 0) if ($a0.lo32 == 0) if ($a1.hi32 > 0) if ($a2.hi32 > 0) if ($a3.hi32 & 0x00000000 == 0) if ($a3.lo32 & 0x0000000f == 3) action KILL; else if ($a2.hi32 == 0) if ($a2.lo32 > 2) if ($a3.hi32 & 0x00000000 == 0) if ($a3.lo32 & 0x0000000f == 3) action KILL; else if ($a1.hi32 == 0) if ($a1.lo32 >= 1) if ($a2.hi32 > 0) if ($a3.hi32 & 0x00000000 == 0) if ($a3.lo32 & 0x0000000f == 3) action KILL; else if ($a2.hi32 == 0) if ($a2.lo32 > 2) if ($a3.hi32 & 0x00000000 == 0) if ($a3.lo32 & 0x0000000f == 3) action KILL; # default action action ALLOW; # invalid architecture action action KILL; # # pseudo filter code end #