1berry/wireshark
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

CMake+Falco Events: More offset fixes

Browse Source 
Update our Falco plugins. Update the Falco Events offset handling to
match the current behavior of libscap, the Go SDK, and the CloudTrail
plugin.
This commit is contained in:
Gerald Combs 2025-06-06 09:48:18 -07:00 committed by Gerald Combs
parent c5b9f26003
commit 30ebb90c32
4 changed files with 17 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitlab-ci.yml
View File

@ -516,7 +516,7 @@ Windows x64 Package:
- cmake -G "Visual Studio 17 2022" -A x64 - cmake -G "Visual Studio 17 2022" -A x64
-DENABLE_LTO=off -DENABLE_LTO=off
-DBUILD_stratoshark=on -DBUILD_sshdig=on -DBUILD_falcodump=on -DBUILD_stratoshark=on -DBUILD_sshdig=on -DBUILD_falcodump=on
-DFALCO_PLUGINS="C:/Development/wireshark-x64-libs/falcosecurity-plugins-2025-06-03-1-x64-ws/cloudtrail.dll;C:/Development/wireshark-x64-libs/falcosecurity-plugins-2025-06-03-1-x64-ws/gcpaudit.dll" -DFALCO_PLUGINS="C:/Development/wireshark-x64-libs/falcosecurity-plugins-2025-06-11-1-x64-ws/cloudtrail.dll;C:/Development/wireshark-x64-libs/falcosecurity-plugins-2025-06-11-1-x64-ws/gcpaudit.dll"
-DENABLE_SIGNED_NSIS=on .. -DENABLE_SIGNED_NSIS=on ..
- msbuild /verbosity:minimal "/consoleloggerparameters:PerformanceSummary;NoSummary" /maxcpucount Wireshark.sln - msbuild /verbosity:minimal "/consoleloggerparameters:PerformanceSummary;NoSummary" /maxcpucount Wireshark.sln
- msbuild /verbosity:minimal /maxcpucount test-programs.vcxproj - msbuild /verbosity:minimal /maxcpucount test-programs.vcxproj

2
cmake/modules/FetchArtifacts.cmake
View File

@ -138,7 +138,7 @@ if(APPLE)
if(BUILD_stratoshark OR BUILD_falcodump) if(BUILD_stratoshark OR BUILD_falcodump)
add_artifact(falcosecurity-libs/falcosecurity-libs-bundle-0.21.0-1-macos-universal.tar.xz b0ac98e6f1906f891a8aa8c552639a1d6595aee26adfb730da9ff643d5e4bfaf) add_artifact(falcosecurity-libs/falcosecurity-libs-bundle-0.21.0-1-macos-universal.tar.xz b0ac98e6f1906f891a8aa8c552639a1d6595aee26adfb730da9ff643d5e4bfaf)
add_artifact(falcosecurity-libs/falcosecurity-plugins-2025-06-03-1-macos-universal.tar.xz d34149abc6041e7e76a8096151b7a7de842b43a133e696bce2731a3e1f12655d) add_artifact(falcosecurity-libs/falcosecurity-plugins-2025-06-11-1-macos-universal.tar.xz e23c3b3c469f9cc84d509d7880653b8e0743d11a20105188402fec5cef0fde9d)
endif() endif()
endif() endif()

30
plugins/epan/falco_events/sinsp-span.cpp
View File

@ -1006,14 +1006,13 @@ bool extract_plugin_source_fields(sinsp_source_info_t *ssi, uint32_t event_num,
std::vector<ss_plugin_extract_field> fields; std::vector<ss_plugin_extract_field> fields;
#if SINSP_CHECK_VERSION(0, 21, 0) #if SINSP_CHECK_VERSION(0, 21, 0)
std::vector<ss_plugin_extract_value_offsets> offsets; ss_plugin_extract_value_offsets offsets = {nullptr, nullptr};
#endif #endif
// PPME_PLUGINEVENT_E events have the following format: // PPME_PLUGINEVENT_E events have the following format:
// | scap_evt header | uint32_t sizeof(id) = 4 | uint32_t evt_datalen | uint32_t id | uint8_t[] evt_data | // | scap_evt header | uint32_t sizeof(id) = 4 | uint32_t evt_datalen | uint32_t id | uint8_t[] evt_data |
uint32_t payload_hdr[3] = {4, evt_datalen, ssi->source->id()}; uint32_t payload_hdr[3] = {4, evt_datalen, ssi->source->id()};
// uint32_t payload_hdr_size = (nparams + 1) * 4;
uint32_t tot_evt_len = (uint32_t)sizeof(scap_evt) + sizeof(payload_hdr) + evt_datalen; uint32_t tot_evt_len = (uint32_t)sizeof(scap_evt) + sizeof(payload_hdr) + evt_datalen;
if (ssi->evt_storage_size < tot_evt_len) { if (ssi->evt_storage_size < tot_evt_len) {
while (ssi->evt_storage_size < tot_evt_len) { while (ssi->evt_storage_size < tot_evt_len) {
@ -1039,9 +1038,6 @@ bool extract_plugin_source_fields(sinsp_source_info_t *ssi, uint32_t event_num,
// XXX Handle multiple paths, e.g. in/out byte counts. // XXX Handle multiple paths, e.g. in/out byte counts.
fields.resize(sinsp_field_len); fields.resize(sinsp_field_len);
#if SINSP_CHECK_VERSION(0, 21, 0)
offsets.resize(sinsp_field_len);
#endif
for (size_t i = 0; i < sinsp_field_len; i++) { for (size_t i = 0; i < sinsp_field_len; i++) {
fields.at(i).field_id = sinsp_fields[i].field_id; fields.at(i).field_id = sinsp_fields[i].field_id;
fields.at(i).field = sinsp_fields[i].field_name; fields.at(i).field = sinsp_fields[i].field_name;
@ -1053,14 +1049,11 @@ bool extract_plugin_source_fields(sinsp_source_info_t *ssi, uint32_t event_num,
sinsp_fields[i].is_generated = false; sinsp_fields[i].is_generated = false;
sinsp_fields[i].data_start = 0; sinsp_fields[i].data_start = 0;
sinsp_fields[i].data_length = 0; sinsp_fields[i].data_length = 0;
#if SINSP_CHECK_VERSION(0, 21, 0)
offsets.at(i) = {nullptr, nullptr};
#endif
} }
bool status = true; bool status = true;
#if SINSP_CHECK_VERSION(0, 21, 0) #if SINSP_CHECK_VERSION(0, 21, 0)
if (!ssi->source->extract_fields_and_offsets(ssi->evt, sinsp_field_len, fields.data(), offsets.data())) { if (!ssi->source->extract_fields_and_offsets(ssi->evt, sinsp_field_len, fields.data(), &offsets)) {
status = false; status = false;
} }
#else #else
@ -1080,15 +1073,18 @@ bool extract_plugin_source_fields(sinsp_source_info_t *ssi, uint32_t event_num,
status = false; status = false;
} }
#if SINSP_CHECK_VERSION(0, 21, 0) #if SINSP_CHECK_VERSION(0, 21, 0)
if (offsets.at(i).start && offsets.at(i).length && offsets.at(i).start[0] >= PLUGIN_EVENT_HEADER_SIZE && offsets.at(i).length[0] > 0) { if (offsets.start && offsets.length) {
// We dissect data in its own TVB, uint32_t start = offsets.start[i];
int start = (int) offsets.at(i).start[0] - PLUGIN_EVENT_HEADER_SIZE; uint32_t length = offsets.length[i];
int length = (int) offsets.at(i).length[0]; if (start >= PLUGIN_EVENT_HEADER_SIZE) {
if (start == 0 && length == 0) { // We dissect data in its own TVB,
sinsp_fields[i].is_generated = true; start -= PLUGIN_EVENT_HEADER_SIZE;
if (start == 0 && length == 0) {
sinsp_fields[i].is_generated = true;
}
sinsp_fields[i].data_start = start;
sinsp_fields[i].data_length = length;
} }
sinsp_fields[i].data_start = start;
sinsp_fields[i].data_length = length;
} }
#endif #endif
} }

4
tools/win-setup.ps1
View File

@ -75,7 +75,7 @@ $X64Archives = @{
"brotli/brotli-1.0.9-1-win64ws.zip" = "3f8d24aec8668201994327ff8d8542fe507d1d468a500a1aec50d0415f695aab"; "brotli/brotli-1.0.9-1-win64ws.zip" = "3f8d24aec8668201994327ff8d8542fe507d1d468a500a1aec50d0415f695aab";
"c-ares/c-ares-1.34.4-x64-windows-ws.zip" = "b82429cce98c164f5a094b172238cea33c130130634a722656bd0981209240cb"; "c-ares/c-ares-1.34.4-x64-windows-ws.zip" = "b82429cce98c164f5a094b172238cea33c130130634a722656bd0981209240cb";
"falcosecurity-libs/falcosecurity-libs-0.21.0-1-x64-ws.7z" = "917eca3b676e1201d48acfbb72660fcd7af4ce40fe5112bb1ce689d957c18c4a"; "falcosecurity-libs/falcosecurity-libs-0.21.0-1-x64-ws.7z" = "917eca3b676e1201d48acfbb72660fcd7af4ce40fe5112bb1ce689d957c18c4a";
"falcosecurity-libs/falcosecurity-plugins-2025-06-03-1-x64-ws.7z" = "666adaca28c221577c866cb17f51409191ddf49e88695aa2d98be7eaf128a762"; "falcosecurity-libs/falcosecurity-plugins-2025-06-11-1-x64-ws.7z" = "35062b7fecd5e2cb01750b28eb154d7abb6d47abcf1c6a7357b8af7a137e72d8";
"gnutls/gnutls-3.8.9-1-x64-mingw-dynamic-ws.zip" = "e673c28e84925a3e4b7d2eff54e6f613c180787b8fc79da0513cb62ba0520449"; "gnutls/gnutls-3.8.9-1-x64-mingw-dynamic-ws.zip" = "e673c28e84925a3e4b7d2eff54e6f613c180787b8fc79da0513cb62ba0520449";
"krb5/krb5-1.21.3-1-x64-windows-ws.zip" = "49b83da4baa476c4c31ed3ee463f962114a469b8c3d601db68bdb6bc03a88e42"; "krb5/krb5-1.21.3-1-x64-windows-ws.zip" = "49b83da4baa476c4c31ed3ee463f962114a469b8c3d601db68bdb6bc03a88e42";
"libgcrypt/libgcrypt-bundle-1.11.1-1-x64-mingw-dynamic-ws.zip" = "2987e0b57f4509c02a26d146950a1bcb630bc0cca57b2dcce54b357936a7db3b"; "libgcrypt/libgcrypt-bundle-1.11.1-1-x64-mingw-dynamic-ws.zip" = "2987e0b57f4509c02a26d146950a1bcb630bc0cca57b2dcce54b357936a7db3b";
@ -107,7 +107,7 @@ $Arm64Archives = @{
"brotli/brotli-1.0.9-1-win64armws.zip" = "5ba1b62ebc514d55c3eae85a00ff107e587b6e7cb1275e2d33fcddcd49f8e2af"; "brotli/brotli-1.0.9-1-win64armws.zip" = "5ba1b62ebc514d55c3eae85a00ff107e587b6e7cb1275e2d33fcddcd49f8e2af";
"c-ares/c-ares-1.34.4-arm64-windows-ws.zip" = "f1cff731bd7d53effebf79dc64f199a82b875ecbfb3049f67e37765e34847a32"; "c-ares/c-ares-1.34.4-arm64-windows-ws.zip" = "f1cff731bd7d53effebf79dc64f199a82b875ecbfb3049f67e37765e34847a32";
"falcosecurity-libs/falcosecurity-libs-0.21.0-1-arm64-ws.7z" = "222a691e704989144c91b08612ab7e0af1a6721a7f0bc3ac17452de3342a654e"; "falcosecurity-libs/falcosecurity-libs-0.21.0-1-arm64-ws.7z" = "222a691e704989144c91b08612ab7e0af1a6721a7f0bc3ac17452de3342a654e";
"falcosecurity-libs/falcosecurity-plugins-2025-06-03-1-arm64-ws.7z" = "637a4c087af1ac57175f60d40f13da999968e1e991aecadad8f604b43404e749"; "falcosecurity-libs/falcosecurity-plugins-2025-06-11-1-arm64-ws.7z" = "3f1850a0547eeb910e455515733e7876f9c5da15624ecd865a4d1714c1d5b604";
"gnutls/gnutls-3.8.9-1-arm64-mingw-dynamic-ws.zip" = "cde2c25696531ea9600c93e0f3ced08f752dba3d10d3b9c5afaf290ffd797068"; "gnutls/gnutls-3.8.9-1-arm64-mingw-dynamic-ws.zip" = "cde2c25696531ea9600c93e0f3ced08f752dba3d10d3b9c5afaf290ffd797068";
"krb5/krb5-1.21.3-1-arm64-windows-ws.zip" = "26166173cb653fdf2153c311a9f611a76575359393222cebd5228842632a0ccb"; "krb5/krb5-1.21.3-1-arm64-windows-ws.zip" = "26166173cb653fdf2153c311a9f611a76575359393222cebd5228842632a0ccb";
"libgcrypt/libgcrypt-bundle-1.11.1-1-arm64-mingw-dynamic-ws.zip" = "a7170343edaa732ab04e76874972291b9875cbd1e394c3bfcee13b89e608719f"; "libgcrypt/libgcrypt-bundle-1.11.1-1-arm64-mingw-dynamic-ws.zip" = "a7170343edaa732ab04e76874972291b9875cbd1e394c3bfcee13b89e608719f";