Rafael David Tinoco
> If this library will be used on the flag from a different machine than the one it was traced in, then the function will return the wrong flag. You're...
Are we talking about the real capture events? Or tracing events? It was not clear to me here. Because scopes also can't use capture events, and the description...
Ok, it's clear now. Yes, that is something we should do for capture artifacts indeed. The pcap capturing allows you to do that iirc: ``` To capture network traffic and...
This should be addressed together with https://github.com/aquasecurity/tracee/issues/3357 (when tracee starts testing all non syscall events on its e2e testing).
A good idea from @roikol today was to split each test into different scopes/policies. This way we can have multiple tests running together and identify each of the detections per...
Will "finish" this beginning next week (during freeze) as this can be changed during freeze period (no logic changes whatsoever).
Well, only by enabling the events I start getting events with `sin_port == 0`.

```
{"timestamp":1702952866110010631,"threadStartTime":1702947555895062735,"processorId":7,"processId":752615,"cgroupId":4576,"threadId":752639,"parentProcessId":1,"hostProcessId":752615,"hostThreadId":752639,"hostParentProcessId":1,"userId":1000,"mountNamespace":4026531841,"pidNamespace":4026531836,"processName":"ThreadPoolForeg","executable":{"path":""},"hostName":"rugged","containerId":"","container":{},"kubernetes":{},"eventId":"735","eventName":"security_socket_connect","matchedPolicies":[""],"argsNum":3,"returnValue":0,"syscall":"connect","stackAddresses":null,"contextFlags":{"containerStarted":false,"isCompat":false},"threadEntityId":1484817851,"processEntityId":2039491600,"parentEntityId":1975426032,"args":[{"name":"sockfd","type":"int","value":2},{"name":"type","type":"string","value":"SOCK_DGRAM"},{"name":"remote_addr","type":"struct sockaddr*","value":{"sa_family":"AF_INET","sin_addr":"104.244.42.2","sin_port":"0"}}]}
```

The `security_socket_connect()` probe also runs before: ```C err = READ_ONCE(sock->ops)->connect(sock, (struct...
Has the event type serialization, using protobufs, ever been tested? I'm particularly concerned about: > Protocol buffers tend to assume that entire messages can be loaded into memory at once...
Good to know that.
> This is available in the `sched_process_exec` event and (I think) in the process tree and its data source. When process tree was being created there was a specific discussion...