#
# pseudo filter code start
#
# Reviewer notes: this is libseccomp-style "pseudo filter code", a readable
# rendering of the generated BPF, not C. Read "$a3.hi32 & 0x00000000 == 0"
# as "(a3.hi32 & 0) == 0"; do not apply C operator precedence to it.
# Rules are matched top-down inside each architecture section; an "if"
# with an empty then-branch followed by "else" encodes a negated test
# (the then-branch falls through to whatever comes next).
#
# Shape of the policy: every architecture section ends in "action ALLOW",
# so this is a deny-list -- anything not named below is permitted. The
# mix of actions suggests a test fixture; if reused as a template, note
# that blocking "open" alone does not stop file opens via openat, and
# "fstat" alone does not cover newfstatat/statx. A default of KILL or
# ERRNO with an explicit allow-list is the safer shape for production.
#
# Action semantics per seccomp(2): KILL terminates only the calling
# thread, KILL_PROCESS the whole thread group (needs a kernel that knows
# SECCOMP_RET_KILL_PROCESS -- confirm the target kernel); TRACE(1) only
# notifies an attached ptrace tracer and, with no tracer, the call is not
# executed and fails with ENOSYS; ERRNO(1) fails the call with EPERM.
#
# filter for arch x86_64 (3221225534)
# 3221225534 == 0xC000003E (AUDIT_ARCH_X86_64).
# NOTE(review): no test for the x32 syscall bit (0x40000000) is visible in
# this section. An x32 ABI call reports the same audit arch, its number
# matches none of the "==" tests below, and it reaches the default ALLOW.
# Confirm whether the libseccomp that produced this rejects x32 numbers;
# none of that is shown here.
if ($arch == 3221225534)
# filter for syscall "exit" (60) [priority: 65535]
if ($syscall == 60)
action TRACE(1);
# filter for syscall "fstat" (5) [priority: 65535]
if ($syscall == 5)
action KILL_PROCESS;
# filter for syscall "close" (3) [priority: 65535]
if ($syscall == 3)
action ERRNO(1);
# filter for syscall "open" (2) [priority: 65535]
if ($syscall == 2)
action KILL;
# filter for syscall "write" (1) [priority: 65527]
# On x86_64 every argument test compares both 32-bit halves of the 64-bit
# register: a rule that only looked at .lo32 could be bypassed by a caller
# setting the high bits. Decoded, this chain yields TRAP when
# a0 != 0 && a1 <= 1 && a2 < 2, and otherwise falls through to ALLOW.
# (The "else" branches after "hi32 == 0" cover the hi32 < 0 case that the
# generic 64-bit comparison emits even though hi32 is unsigned.)
if ($syscall == 1)
if ($a0.hi32 == 0)
if ($a0.lo32 == 0)
else
if ($a1.hi32 > 0)
else
if ($a1.hi32 == 0)
if ($a1.lo32 > 1)
else
if ($a2.hi32 > 0)
else
if ($a2.hi32 == 0)
if ($a2.lo32 >= 2)
else
action TRAP;
else
action TRAP;
else
if ($a2.hi32 > 0)
else
if ($a2.hi32 == 0)
if ($a2.lo32 >= 2)
else
action TRAP;
else
action TRAP;
else
if ($a1.hi32 > 0)
else
if ($a1.hi32 == 0)
if ($a1.lo32 > 1)
else
if ($a2.hi32 > 0)
else
if ($a2.hi32 == 0)
if ($a2.lo32 >= 2)
else
action TRAP;
else
action TRAP;
else
if ($a2.hi32 > 0)
else
if ($a2.hi32 == 0)
if ($a2.lo32 >= 2)
else
action TRAP;
else
action TRAP;
# filter for syscall "read" (0) [priority: 65525]
# Decoded: KILL when a0 == 0 && a1 >= 1 && a2 > 2 && (a3 & 0xf) == 3.
# The "hi32 & 0x00000000 == 0" test is the upper half of a masked
# comparison whose mask fits in 32 bits; it is always true and is kept
# only so the 64-bit masked-equality shape is uniform.
if ($syscall == 0)
if ($a0.hi32 == 0)
if ($a0.lo32 == 0)
if ($a1.hi32 > 0)
if ($a2.hi32 > 0)
if ($a3.hi32 & 0x00000000 == 0)
if ($a3.lo32 & 0x0000000f == 3)
action KILL;
else
if ($a2.hi32 == 0)
if ($a2.lo32 > 2)
if ($a3.hi32 & 0x00000000 == 0)
if ($a3.lo32 & 0x0000000f == 3)
action KILL;
else
if ($a1.hi32 == 0)
if ($a1.lo32 >= 1)
if ($a2.hi32 > 0)
if ($a3.hi32 & 0x00000000 == 0)
if ($a3.lo32 & 0x0000000f == 3)
action KILL;
else
if ($a2.hi32 == 0)
if ($a2.lo32 > 2)
if ($a3.hi32 & 0x00000000 == 0)
if ($a3.lo32 & 0x0000000f == 3)
action KILL;
# default action
# Reached by every x86_64 call not matched above (including any x32-bit
# number, see the note at the top of this section).
action ALLOW;
# filter for arch x86 (1073741827)
# 1073741827 == 0x40000003 (AUDIT_ARCH_I386). Syscall numbers differ from
# the x86_64 table, hence the separate section; arguments are 32-bit on
# this ABI, so the rules below compare each argument in one test.
if ($arch == 1073741827)
# filter for syscall "fstat" (108) [priority: 65535]
if ($syscall == 108)
action KILL_PROCESS;
# filter for syscall "close" (6) [priority: 65535]
if ($syscall == 6)
action ERRNO(1);
# filter for syscall "open" (5) [priority: 65535]
if ($syscall == 5)
action KILL;
# filter for syscall "exit" (1) [priority: 65535]
if ($syscall == 1)
action TRACE(1);
# filter for syscall "write" (4) [priority: 65532]
# Same rule as the x86_64 "write" entry: TRAP when a0 != 0 && a1 <= 1 &&
# a2 < 2, else fall through to ALLOW.
if ($syscall == 4)
if ($a0 == 0)
else
if ($a1 > 1)
else
if ($a2 >= 2)
else
action TRAP;
# filter for syscall "read" (3) [priority: 65531]
# Same rule as the x86_64 "read" entry: KILL when a0 == 0 && a1 >= 1 &&
# a2 > 2 && (a3 & 0xf) == 3.
if ($syscall == 3)
if ($a0 == 0)
if ($a1 >= 1)
if ($a2 > 2)
if ($a3 & 0x0000000f == 3)
action KILL;
# default action
action ALLOW;
# invalid architecture action
# Any audit arch other than the two above is killed rather than allowed;
# this is the check that keeps a foreign-ABI caller from skipping both
# sections. It does not help with x32, which shares the x86_64 arch value.
action KILL;
#
# pseudo filter code end
#