Commit Graph

8 Commits

Author SHA1 Message Date
Federico Di Pierro 6b1657d85d tools: updated generate-sysdig-event python script.
Point it to fetch files from falcosecurity/libs repo.
Moreover, add support for blank spaces in param names.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2021-12-13 14:30:30 +00:00
Jeff Widman 8d7ebc732e Fix issues discovered by common python linters
Fix some issues discovered by common python linters including:
* switch `None` comparisons to use `is` rather than `==`. Identity !=
equality, and I've spent 40+ hours before tracking down a subtle bug
caused by exactly this issue. Note that this may introduce a problem if
one of the scripts is depending on this behavior, in which case the
comparison should be changed to `True`/`False` rather than `None`.
* Use `except Exception:` as bare `except:` statements have been
discouraged for years. Ideally for some of these we'd examine if there
were specific exceptions that should be caught, but for now I simply
caught all. Again, this could introduce very subtle behavioral changes
under Python 2, but IIUC, that was all fixed in Python 3, so safe to
move to `except Exception:`.
* Use more idiomatic `if not x in y` --> `if x not in y`
* Use more idiomatic 2 blank lines. I only did this at the beginning,
until I realized how overwhelming this was going to be to apply, then I
stopped.
* Add a TODO where an undefined function name is called, so will fail
whenever that code is run.
* Add more idiomatic spacing around `:`. This is also only partially
cleaned up, as I gave up when I saw how `asn2wrs.py` was clearly
infatuated with the construct.
* Various other small cleanups, removed some trailing whitespace and
improper indentation that wasn't a multiple of 4, etc.

There is still _much_ to do, but I haven't been heavily involved with
this project before, so thought this was a sufficient amount to put up
and see what the feedback is.

Linters that I have enabled which highlighted some of these issues
include:
* `pylint`
* `flake8`
* `pycodestyle`
2020-09-26 04:38:18 +00:00
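The two linter points above (`is None` versus `== None`, and `except Exception:` versus a bare `except:`) are easy to state and easy to underestimate, so here is an added example that is not part of Wireshark's generate-sysdig-event.py. `LenientParam` is a constructed class with a loose `__eq__`, standing in for the ORM rows and numpy arrays that make `== None` misbehave in practice; `exit_msg()` is an assumed minimal shape of the script's fail-hard helper (print, then `sys.exit()` with a non-zero status), included only to show that a bare `except:` swallows the `SystemExit` it raises, so a "fatal" fetch error silently becomes a `None` result.

```python
"""Added example: why `is None` beats `== None` and why `except Exception:`
beats a bare `except:`. Not code from the Wireshark project."""
import sys


class LenientParam:
    """Constructed stand-in for a parsed event parameter whose __eq__ is
    deliberately loose: it compares equal to None when its name is empty.
    Real classes with overridable equality (ORM rows, numpy arrays) behave
    just as surprisingly under `== None`."""

    def __init__(self, name):
        self.name = name

    def __eq__(self, other):
        if other is None:
            return self.name == ""
        return isinstance(other, LenientParam) and other.name == self.name


def is_missing_by_equality(value):
    # Pre-lint pattern: `value == None` dispatches to value.__eq__, which a
    # class can answer however it likes.
    return value == None  # noqa: E711  (kept on purpose to show the bug)


def is_missing_by_identity(value):
    # Post-lint pattern: identity cannot be overridden by user classes.
    return value is None


def exit_msg(msg, status=1):
    """Assumed shape of the script's fail-hard helper: report and exit with a
    non-zero status. sys.exit() raises SystemExit, a BaseException subclass."""
    print(msg, file=sys.stderr)
    sys.exit(status)


def failing_fetch():
    """Constructed stand-in for a URL fetch that fails and calls exit_msg()."""
    exit_msg("ERROR: fetch of event table failed")


def fetch_with_bare_except(fetch):
    """Bare except catches SystemExit and KeyboardInterrupt as well, so the
    'fatal' error is swallowed and the caller proceeds with no data."""
    try:
        return fetch()
    except:  # noqa: E722  (kept on purpose to show the bug)
        return None


def fetch_with_exception_except(fetch):
    """`except Exception:` handles ordinary errors but lets SystemExit
    propagate, so exit_msg() really terminates the script."""
    try:
        return fetch()
    except Exception:
        return None


def run_bare():
    """Returns (script_continued, result) for the bare-except variant."""
    result = fetch_with_bare_except(failing_fetch)
    return True, result


def run_exception():
    """Returns (script_continued, exit_status) for the except-Exception variant."""
    try:
        fetch_with_exception_except(failing_fetch)
    except SystemExit as e:
        return False, e.code
    return True, None
```

Running it: `is_missing_by_equality(LenientParam(""))` returns True even though the object is not None, while the identity check returns False; `run_bare()` reports that the script kept going with a `None` result, whereas `run_exception()` reports termination with status 1. E711 and E722 are the pycodestyle/flake8 codes for exactly these two patterns.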
Guy Harris c3d5ddc557 sysdig-event: fix the type of elements of an array of pointers to hf_ values.
"int * const a[]" means "array of const pointers to (non-const) int". So
the array elements are all const; "const int *a[]" means "array of
(non-const) pointers to const int".

Change-Id: I0571fde7704570b60c9cbd5d94826365ff35abe0
Reviewed-on: https://code.wireshark.org/review/37546
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
2020-06-22 09:12:58 +00:00
Guy Harris 040cb0c9dd tools/generate-sysdig-event.py: fail if the URL fetch fails.
Call exit_msg(), not just print().

Change-Id: I3ca59b262285222e5f54045244b6eeaa31fa363e
Reviewed-on: https://code.wireshark.org/review/37530
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
2020-06-21 04:59:20 +00:00
Guy Harris 9e1fbfb766 generate-sysdig-event.py: improve error reporting.
Catch particular exceptions and print a more detailed error.

Change-Id: Ied98c6d0bc0410eb8b9cb2a98f7264e980c2bb28
Reviewed-on: https://code.wireshark.org/review/37529
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
2020-06-21 03:54:55 +00:00
Gerald Combs e1a57c61f9 Sysdig event updates.
Convert generate-sysdig-event.py to Python 3. Update it to fetch from
the current version of Sysdig (0.26.1). Add logic to work around
mismatched parameter counts and mismatched types and formats.

The following warnings were generated:

WARNING: Forcing semget INT32 format to DEC. Params: [('key', 'INT32', 'HEX'), ('nsems', 'INT32', 'DEC'), ('semflg', 'FLAGS32', 'HEX')]
WARNING: Forcing notification STRING format to NONE. Params: [('id', 'CHARBUF', 'DEC'), ('desc', 'CHARBUF', 'NA')]
WARNING: Forcing infra STRING format to NONE. Params: [('source', 'CHARBUF', 'DEC'), ('name', 'CHARBUF', 'NA'), ('description', 'CHARBUF', 'NA'), ('scope', 'CHARBUF', 'NA')]
WARNING: seccomp: found 2 parameters. Expected 1. Params: [('op', 'UINT64', 'DEC'), ('flags', 'UINT64', 'HEX')]

Bug: 15826
Change-Id: I5f8a7530f1003270cbbcb1f7dfd86f7b63066bba
Reviewed-on: https://code.wireshark.org/review/33513
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2019-06-09 04:53:31 +00:00
Dario Lombardo 8a5385b9c9 More licenses converted to SPDX.
Change-Id: Id4f987dcdacf06622d70263f4659a4400e30dc39
Reviewed-on: https://code.wireshark.org/review/26332
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-03-07 13:35:49 +00:00
Gerald Combs 0d497e8125 Initial Sysdig syscall (event) support.
Add a dissector for reading Sysdig event blocks. It only handles plain
events but it's usable for reading trace files on hand here.

Use a script to generate various parts of the dissector. As an experiment,
update parts in-place instead of using a template.

Ultimately there should probably be a top-level "Syscall" or "Event"
dissector alongside the "Frame" dissector, which could then call this.
You could then directly compare an executable's system calls alongside
its network traffic.

For now leverage the pcapng_block dissector and keep everything under
"Frame".

Next steps:
- Items listed at the top of packet-sysdig-event.c.

Change-Id: I17077e8d7f40d10a946d61189ebc077d81c4da37
Reviewed-on: https://code.wireshark.org/review/11103
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Gerald Combs <gerald@wireshark.org>
2015-11-10 20:59:53 +00:00