Closed
Description
Describe the bug / how to reproduce it
Technically, the `-b` option is used to print buffers in base64 instead of raw string. I have tried it with the following rule:
```yaml
- rule: Read test
  desc: Read!
  condition: "(evt.type = read) and (evt.dir=<) and (evt.arg.data contains 'my favorite string')"
  output: Read the magic string (%evt.arg.data) from %proc.name and user %user.loginname with the following cmdline %proc.cmdline
  priority: ERROR
  tags:
    - test1
```
```shell
sudo docker run -v $(pwd)/rule_read.yaml:/etc/falco/falco_rules.local.yaml --name falco --rm -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro falcosecurity/falco:0.39.1 falco -A -b
```
Then `echo "my favorite string"` in another terminal. Nothing appears, but if I remove the `-b` option from the Falco CLI it works. I suspect that the filter is also applying base64 encoding? 🤔
Expected behaviour
Rule triggers both with and without `-b`.
Environment
- Falco version: Tested with 0.38.x and 0.39.x, same behavior
- System info:
```json
{
  "machine": "x86_64",
  "nodename": "87501b3e2718",
  "release": "6.8.0-1015-aws",
  "sysname": "Linux",
  "version": "#16~22.04.1-Ubuntu SMP Mon Aug 19 19:38:17 UTC 2024"
}
```
- Cloud provider or hardware configuration: EC2
- OS: Ubuntu 22.04
- Kernel: `Linux 6.8.0-1015-aws #16~22.04.1-Ubuntu SMP Mon Aug 19 19:38:17 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux`
- Installation method: Docker
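The reporter's suspicion above is that the base64 encoding requested by `-b` is applied before the `contains` filter runs rather than only when the output line is rendered. The following is an added, stand-alone simulation of the two orderings, not Falco's code: it reuses the rule's needle string on a few constructed `read()` buffers and shows that a `contains` match against the raw bytes fires while the same match against the base64-encoded bytes cannot, since the encoded text no longer contains the plaintext substring. The function and variable names are this example's own.

```python
import base64

# Constructed sample read() buffers; not captured from a real system.
SAMPLE_BUFFERS = [
    b"hello world\n",
    b"my favorite string\n",
    b"another line without the needle\n",
]

# The substring from the rule's condition: evt.arg.data contains 'my favorite string'
NEEDLE = b"my favorite string"


def matches_raw(buf: bytes, needle: bytes = NEEDLE) -> bool:
    """Filter semantics the rule expects: a plain substring test on the raw buffer."""
    return needle in buf


def encode_for_output(buf: bytes) -> str:
    """What -b is documented to do: base64-encode the buffer for the rendered output line."""
    return base64.b64encode(buf).decode("ascii")


def evaluate(buffers, encode_before_filter: bool):
    """Simulate both orderings and return the rendered (base64) output for each buffer that matched.

    encode_before_filter=False: filter on raw bytes, then base64 the output (expected behaviour).
    encode_before_filter=True:  base64 first, then filter on the encoded text (suspected bug).
    """
    hits = []
    for buf in buffers:
        candidate = encode_for_output(buf).encode("ascii") if encode_before_filter else buf
        if matches_raw(candidate):
            hits.append(encode_for_output(buf))
    return hits


if __name__ == "__main__":
    print("filter-then-encode:", evaluate(SAMPLE_BUFFERS, encode_before_filter=False))
    print("encode-then-filter:", evaluate(SAMPLE_BUFFERS, encode_before_filter=True))
```

Running this prints one base64 hit for the first ordering and an empty list for the second, which is the same symptom as the report: a rule that matches without `-b` and is silent with it. The useful check when reproducing is therefore whether the alert appears at all, not how the buffer is rendered in the output line.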