Alon Zivony
## Description For some reason, Tracee prints a warning for each policy that doesn't give a filter for address or symbol in the `print_mem_dump` event. It is expected that if a...
We should run tests to verify that all the non-syscall events we have do not generate any errors when run on all kernels. A proposition to do so is to add the...
## Description Recently we changed the pipeline to have the `processEvent` stage, in which processor functions are called for the specific event. We added support there for processor functions which...
## Description In the code of the `send_bin_helper` function, I noticed that we add to the start offset of the chunk when reading `io_vector` the full size of the last...
## Description Went over the captures code, and noticed that the `capture_mem` event has no dependencies other than `send_bin`. ```Go CaptureMem: { id: CaptureMem, id32Bit: Sys32Undefined, name: "capture_mem", version: NewVersion(1,...
## Description Just noticed that I was using the LRU map type for the path cache size. ```C BPF_LRU_HASH(io_file_path_cache_map, file_id_t, path_buf_t, 5); // store cache for IO operations path ```...
Currently we support prefix filters for read/write captures. It makes sense to support suffix filters also. In general, it makes sense to support even both prefix and suffix filters together, but...
We have the exec path, so there is no reason not to support the filters we currently have for read/write captures on the exec filter.
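The two issues above (suffix filters for read/write captures, and reusing the same filters for the exec capture) both come down to one path-matching rule. The following is an added example written for this page, not Tracee's own filter code or its CLI syntax: the `prefix=...,suffix=...` expression form, the `PathFilter` type and the `FilterPaths` helper are assumptions made for illustration. It shows the one edge case a combined prefix+suffix filter must handle, which is that the two parts must not overlap inside the path.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// PathFilter is a hypothetical capture path filter (added example, not
// Tracee's own code). An empty Prefix or Suffix means no constraint on that
// side, so a filter with only Prefix set behaves like today's prefix filter.
type PathFilter struct {
	Prefix string
	Suffix string
}

// ParsePathFilter parses a hypothetical expression such as "prefix=/usr/bin/",
// "suffix=.so" or "prefix=/lib/,suffix=.so". Each key may appear at most once.
func ParsePathFilter(expr string) (PathFilter, error) {
	var f PathFilter
	if expr == "" {
		return f, errors.New("empty filter expression")
	}
	seen := map[string]bool{}
	for _, part := range strings.Split(expr, ",") {
		key, val, ok := strings.Cut(part, "=")
		if !ok || val == "" {
			return PathFilter{}, fmt.Errorf("malformed filter part %q", part)
		}
		if seen[key] {
			return PathFilter{}, fmt.Errorf("duplicate filter key %q", key)
		}
		seen[key] = true
		switch key {
		case "prefix":
			f.Prefix = val
		case "suffix":
			f.Suffix = val
		default:
			return PathFilter{}, fmt.Errorf("unknown filter key %q", key)
		}
	}
	return f, nil
}

// Match reports whether path satisfies the filter. When both sides are set
// the prefix and suffix must cover disjoint parts of the path: a naive
// HasPrefix && HasSuffix would accept "/usr/bin/ls" for prefix "/usr/bin/"
// and suffix "n/ls" even though the two overlap, so the path must be at least
// len(prefix)+len(suffix) bytes long.
func (f PathFilter) Match(path string) bool {
	if len(path) < len(f.Prefix)+len(f.Suffix) {
		return false
	}
	return strings.HasPrefix(path, f.Prefix) && strings.HasSuffix(path, f.Suffix)
}

// FilterPaths returns the paths accepted by at least one filter, preserving
// input order. With no filters nothing is accepted, which is the usual
// opt-in semantics of a capture filter.
func FilterPaths(filters []PathFilter, paths []string) []string {
	var out []string
	for _, p := range paths {
		for _, f := range filters {
			if f.Match(p) {
				out = append(out, p)
				break
			}
		}
	}
	return out
}

func main() {
	// Constructed sample paths, as they might arrive from read/write/exec events.
	paths := []string{
		"/usr/bin/ls",
		"/usr/lib/libc.so.6",
		"/tmp/evil.so",
		"/usr/lib/x86_64-linux-gnu/libssl.so",
	}
	f, err := ParsePathFilter("prefix=/usr/lib/,suffix=.so")
	if err != nil {
		panic(err)
	}
	fmt.Println(FilterPaths([]PathFilter{f}, paths))
}
```

The same `Match` can be applied to the path of a read, a write or an exec event, which is the point of the second issue: once the filter is a value with a `Match` method, the event type it is attached to no longer matters.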
We need to add to the documentation that it is possible to also capture write or read of ELF files as a type filter.
We currently only capture the memory region that the alert is related to. However, for real forensics, capturing an ELF file is much better. We can do it by capturing all...