Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[FEAT] tracee source flag #4425

Open
NDStrahilevitz opened this issue Dec 12, 2024 · 4 comments
Open

[FEAT] tracee source flag #4425

NDStrahilevitz opened this issue Dec 12, 2024 · 4 comments
Assignees
Milestone

Comments

@NDStrahilevitz
Copy link
Collaborator

  1. Remove analyze subcommand
  2. Integrate functionality as a source flag in tracee - "analyze" will merely be a reingestion of event input into the pipeline
  3. Split pipeline beginning into an interface for a source program
  4. Two implemented source subprograms - eBPF and json file - which can feed the pipeline
  5. Open Question: How do we prevent an already derived event from rederiving and introducing duplicates in the output
@NDStrahilevitz NDStrahilevitz added this to the v0.24.0 milestone Dec 12, 2024
@NDStrahilevitz NDStrahilevitz self-assigned this Dec 12, 2024
@geyslan
Copy link
Member

geyslan commented Dec 12, 2024

  1. The old idea of having a pipeline object would solve it. It would have a derived flag to be checked.

@NDStrahilevitz
Copy link
Collaborator Author

  1. The old idea of having a pipeline object would solve it. It would have a derived flag to be checked.

So when ingesting an event from a file can we by default mark it as "resolved" "derived" or whatever? Because consider that a usecase of analyze is exactly testing new signatures and event derivations.

@geyslan
Copy link
Member

geyslan commented Dec 12, 2024

So when ingesting an event from a file can we by default mark it as "resolved" "derived" or whatever? Because consider that a usecase of analyze is exactly testing new signatures and event derivations.

I suppose so, since they're the final output from pipeline already - or am I missing some corner case?

@NDStrahilevitz
Copy link
Collaborator Author

So when ingesting an event from a file can we by default mark it as "resolved" "derived" or whatever? Because consider that a usecase of analyze is exactly testing new signatures and event derivations.

I suppose so, since they're the final output from pipeline already - or am I missing some corner case?

That we would miss these events in the context of testing new signatures/derived evens/general affects of "plugins", which is one of the point of (what was) analyze.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants