Diffstat (limited to 'resources/share/logray')
-rw-r--r-- | resources/share/logray/colorfilters | 14 | ||||
-rw-r--r-- | resources/share/logray/dfilter_buttons | 26 | ||||
-rw-r--r-- | resources/share/logray/profiles/CloudTrail/colorfilters | 4 | ||||
-rw-r--r-- | resources/share/logray/profiles/CloudTrail/preferences | 18 | ||||
-rw-r--r-- | resources/share/logray/profiles/dfilter_buttons | 3 |
5 files changed, 58 insertions, 7 deletions
diff --git a/resources/share/logray/colorfilters b/resources/share/logray/colorfilters
index a3c9785f..f2524a9b 100644
--- a/resources/share/logray/colorfilters
+++ b/resources/share/logray/colorfilters
@@ -1,4 +1,12 @@
 # This file was created by Logray. Edit with care.
-@Errors@ct.error@[4626,10023,11822][63479,34695,34695]
-@State Modifying Event@ct.readonly == "false"@[61423,50372,39578][0,0,0]
-@Administrative Activity@cloudtrail and not (ct.name ~ "^Describe.*" or ct.name ~ "^List.*" or ct.name ~ "^(Batch|)Get.*")@[61423,50372,39578][0,0,0]
+@Failed Syscall@(evt.failed == True) && !(evt.res == "EAGAIN") && !(evt.res == "EALREADY")@[56797,28270,24158][0,0,0]
+@Falco Notifications@sysdig.event_name == "notification"@[0,0,0][65535,65535,65535]
+@Command Executions@evt.type == "execve"@[38807,57568,17990][0,0,0]
+@New Process Creations@evt.type=="clone" || evt.type=="fork"@[14649,28013,14906][65535,65535,65535]
+@Socket Syscalls@evt.type == "connect" || evt.type == "accept" || evt.type == "socket" || evt.type == "bind"@[20303,26214,51143][65535,65535,65535]
+@Net Writes@(evt.is_io == True) && (evt.category == "net") && (evt.is_io_write == True)@[24672,53713,51657][0,0,0]
+@Net Reads@(evt.is_io == True) && (evt.category == "net")@[29812,64764,62451][0,0,0]
+@File Opens@evt.type == "open" || evt.type == "openat" || evt.type == "openat2"@[31611,24415,13621][65535,65535,65535]
+@File Writes@(evt.is_io == True) && (evt.category == "file") && (evt.is_io_write == True)@[60138,48059,37522][0,0,0]
+@File Reads@(evt.is_io == True) && (evt.category == "file")@[61423,53970,40349][0,0,0]
+@FD Closes@evt.type == "close"@[27499,27499,27499][65535,65535,65535]
diff --git a/resources/share/logray/dfilter_buttons b/resources/share/logray/dfilter_buttons
index 57b024b5..7ad8ba3b 100644
--- a/resources/share/logray/dfilter_buttons
+++ b/resources/share/logray/dfilter_buttons 
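Review bot: The new `@Net Reads@` and `@File Reads@` rules match every I/O event in their category, not only reads — `(evt.is_io == True) && (evt.category == "net")` is equally true for a write — so they only behave as "reads" because the `@Net Writes@`/`@File Writes@` rules sit above them and color filters are first-match. Reordering the file, or copying one of these rules into another profile on its own, silently turns it into "all I/O in this category". Adding the read term makes each rule self-describing regardless of position: `@Net Reads@(evt.is_io == True) && (evt.category == "net") && (evt.is_io_read == True)@[29812,64764,62451][0,0,0]`, and likewise for `@File Reads@`. The same precedence dependence exists between `@Command Executions@` and `@Failed Syscall@` (a failed execve is colored as a failure, not a command), which is probably the intent but deserves a `#` line at the top of the file saying rules are first-match and order matters.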
@@ -1,5 +1,23 @@
 # This file is automatically generated, DO NOT MODIFY.
-"TRUE","S3","ct.shortsrc == \x22s3\x22","S3 events"
-"TRUE","EC2","ct.shortsrc == \x22ec2\x22","EC2 events"
-"TRUE","S3 PutObject","ct.name == \x22PutObject\x22",""
-"TRUE","Writes","ct.readonly == \x22false\x22",""
+"TRUE","Cmd // Interactive Command Executions","evt.type == \x22execve\x22 and evt.dir == \x22<\x22 and (proc.pname == \x22bash\x22 or proc.pname == \x22zsh\x22 or proc.pname == \x22tcsh\x22 or proc.pname == \x22ksh\x22 or proc.pname == \x22fish\x22)","List the command executions (eceve system call)"
+"TRUE","Cmd // All Command Executions","evt.type == \x22execve\x22","List the command executions (eceve system call)"
+"TRUE","File // All File Activity","evt.category == \x22file\x22","Display activity on files"
+"TRUE","File // Opens","evt.type == \x22open\x22 || evt.type == \x22openat\x22 || evt.type == \x22openat2\x22","Display file open events (open, openat...)"
+"TRUE","File // Reads/Writes","evt.category==\x22file\x22 && evt.is_io == True",""
+"TRUE","File // Writes","evt.category==\x22file\x22 && evt.is_io == True && evt.is_io_write == True",""
+"FALSE","File // Opens W","(evt.type == \x22open\x22 || evt.type == \x22openat\x22 || evt.type == \x22openat2\x22) && (evt.is_open_write == True)","Display file open events (open, openat...) 
where the file has been open with \x22write\x22 flags"
+"TRUE","File // File Deletions","(evt.type == \x22unlink\x22 || evt.type == \x22unlinkat\x22 || evt.type == \x22rmdir\x22) && evt.dir == \x22<\x22",""
+"TRUE","File // Symlink Creation","(evt.type == \x22symlink\x22 || evt.type == \x22symlinkat\x22) && evt.dir == \x22<\x22",""
+"TRUE","Network // All Network Activity","evt.category==\x22net\x22","Display activity on the network"
+"TRUE","Network // Reads/Writes","evt.category==\x22net\x22 && evt.is_io == True",""
+"TRUE","Network // Outbound Connection Requests","evt.type == \x22connect\x22","Show the client-side network connection attempts"
+"TRUE","Network // Inbound Connection Requests","evt.type == \x22accept\x22","Show the server-side network connection reception"
+"TRUE","Network // Port Opens","evt.type == \x22bind\x22","Show the server-side network connection reception"
+"FALSE","I/O","evt.is_io == True","Show all IO system calls (read/write/sendto...)"
+"FALSE","I/O W","(evt.is_io == True) && (evt.is_io_write == True)","Show all of the I/O system calls that write content on file descriptors (write, sendto...)"
+"TRUE","Misc // Falco Events","sysdig.event_name == \x22notification\x22","This finds the Falco notifications that have been embedded into captures. 
It allows to quickly go to the place where something happened"
+"TRUE","Misc // Process/Thread Creation","evt.type == \x22clone\x22 || evt.type == \x22clone3\x22 || evt.type == \x22fork\x22 || evt.type == \x22vfork\x22","Selects that system calls that failed"
+"TRUE","Misc // Failed System Calls","(evt.failed == True) && !(evt.res == \x22EAGAIN\x22) && !(evt.res == \x22EALREADY\x22)","Selects that system calls that failed"
+"TRUE","Misc // Writes to Log Files","evt.is_io_write == True && evt.dir == \x22<\x22 && (fd.name contains \x22/var/log\x22 || fd.name contains \x22.log\x22 || fd.name contains \x22_log\x22)","Selects that system calls that failed"
+"TRUE","Misc // Writes to System Files","evt.is_io_write == True && evt.dir == \x22<\x22 && (fd.name matches \x22^/bin/\x22 || fd.name matches \x22^/sbin/\x22 || fd.name matches \x22^/boot/\x22 || fd.name matches \x22^/etc/\x22 || fd.name matches \x22^/lib/\x22 || fd.name matches \x22^/usr/bin/\x22 || fd.name matches \x22^/usr/sbin/\x22 || fd.name matches \x22^/usr/share/\x22 || fd.name matches \x22^/usr/lib\x22)","Selects that system calls that failed"
+"TRUE","Misc // Kernel Modules Loading","evt.type==init_module || evt.type==finit_module","Selects that system calls that failed"
diff --git a/resources/share/logray/profiles/CloudTrail/colorfilters b/resources/share/logray/profiles/CloudTrail/colorfilters
new file mode 100644
index 00000000..cdd1d217
--- /dev/null
+++ b/resources/share/logray/profiles/CloudTrail/colorfilters
@@ -0,0 +1,4 @@
+# This file was created by Logray. Edit with care.
+@Errors@ct.error@[4626,10023,11822][63479,34695,34695]
+@State Modifying Event@ct.readonly == "false"@[61423,50372,39578][0,0,0]
+@Administrative Activity@falcobridge.id == 2 and not (ct.name ~ "^Describe.*" or ct.name ~ "^List.*" or ct.name ~ "^(Batch|)Get.*")@[61423,50372,39578][0,0,0] 
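Review bot: The descriptions of the last five `Misc //` buttons are copy-pasted: `Process/Thread Creation`, `Writes to Log Files`, `Writes to System Files` and `Kernel Modules Loading` all read "Selects that system calls that failed", which only fits `Failed System Calls` (and even there should read "Selects the system calls that failed"); `Network // Port Opens` likewise repeats the `Inbound Connection Requests` text, and both `Cmd //` buttons spell the syscall "eceve". Each button wants its own one-line description, e.g. `"Misc // Kernel Modules Loading", …, "Show kernel module load attempts (init_module, finit_module)"` and `"Network // Port Opens", …, "Show sockets being bound to a local address/port"`. Separately, that last button compares `evt.type==init_module` and `evt.type==finit_module` without the `\x22` quoting every other button in the file applies to string values; if the filter engine does not accept a bare identifier there the button silently never matches, so write it as `evt.type == \x22init_module\x22 || evt.type == \x22finit_module\x22`. The header says the file is generated, so if a generator exists in this repo the fix belongs there rather than in the artifact.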
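Review bot: `@Administrative Activity@` now keys on the bare number `falcobridge.id == 2` where the previous default-profile rule keyed on the `cloudtrail` protocol name, and nothing in the file says what id 2 denotes or whether it is fixed. Since the format evidently tolerates `#` lines (the file opens with one), a note above the rule would spare the next reader a lookup and flag the assumption: `# falcobridge.id == 2 is presumably the CloudTrail plugin source — TODO confirm the id is assigned statically by the bridge and not by plugin load order`. This rule also reuses the exact colors `[61423,50372,39578][0,0,0]` of `@State Modifying Event@`, so a match on either is indistinguishable in the packet list; if that is intentional it is worth saying so in the same comment.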
diff --git a/resources/share/logray/profiles/CloudTrail/preferences b/resources/share/logray/profiles/CloudTrail/preferences
new file mode 100644
index 00000000..464f0424
--- /dev/null
+++ b/resources/share/logray/profiles/CloudTrail/preferences
@@ -0,0 +1,18 @@
+# Configuration file for Logray
+#
+# Packet list column format
+# Each pair of strings consists of a column title and its format
+gui.column.format:
+ "No.", "%m",
+ "Time", "%t",
+ "Source", "%s",
+ "Destination", "%d",
+ "Length", "%L",
+ "Service", "%Cus:ct.shortsrc:0:R",
+ "Region", "%Cus:ct.region:0:R",
+ "Bucket/Instance", "%Cus:s3.bucket || ec2.name:0:R",
+ "User Name", "%Cus:ct.user:0:R",
+ "Event Name", "%Cus:ct.name:0:R",
+ "User IP", "%Cus:ct.srcip:0:R",
+ "Info", "%i"
+
diff --git a/resources/share/logray/profiles/dfilter_buttons b/resources/share/logray/profiles/dfilter_buttons
new file mode 100644
index 00000000..d94b2178
--- /dev/null
+++ b/resources/share/logray/profiles/dfilter_buttons
@@ -0,0 +1,3 @@
+# This file is automatically generated, DO NOT MODIFY.
+"TRUE","Errors","ct.error",""
+"TRUE","Modify Events","ct.readonly == false","" |
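Review bot: `ct.readonly == false` in the new profiles/dfilter_buttons compares against an unquoted `false`, while the same test is written `ct.readonly == \x22false\x22` in the default-profile button this commit removes and `ct.readonly == "false"` in the new profiles/CloudTrail/colorfilters; if `ct.readonly` is a string field, the unquoted form may fail to parse or never match, so the button should read `"TRUE","Modify Events","ct.readonly == \x22false\x22",""`. The file also lands at profiles/dfilter_buttons rather than beside the other new CloudTrail files under profiles/CloudTrail/, which looks like a misplaced path given that both buttons are CloudTrail-specific (`ct.*` fields) and a profile directory is what Logray reads; worth confirming the intended location before this ships.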