Escaping Special Characters
Escape special characters in your Falco Rules
In some cases, rules may need to contain special characters such as parentheses, spaces, etc. For example, you may need to look for a proc.name of (systemd), including the surrounding parentheses.
You can wrap the value in double quotes (") to capture these special characters. Here's an example:
  - rule: Any Open Activity by Systemd
    desc: Detects all open events by systemd.
    # Parentheses group the two proc.name tests so that "and" does not bind
    # only to the first one; without them, every event by systemd would match.
    condition: evt.type=open and (proc.name="(systemd)" or proc.name=systemd)
    output: "File opened by systemd (user=%user.name command=%proc.cmdline file=%fd.name)"
    priority: WARNING
When such values appear in a list, the YAML parser would consume the double quotes before Falco sees them. Surround the double-quoted string with single quotes so that the double quotes survive YAML parsing and reach the Falco rule engine. Here's an example:
  - list: systemd_procs
    items: [systemd, '"(systemd)"']
  - rule: Any Open Activity by Systemd
    desc: Detects all open events by systemd.
    condition: evt.type=open and proc.name in (systemd_procs)
    output: "File opened by systemd (user=%user.name command=%proc.cmdline file=%fd.name)"
    priority: WARNING
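To make the two quoting layers concrete, here is an added example (not part of the Falco documentation or the Falco code base) that models what a list item goes through: first YAML parsing, then Falco's own string-literal handling. The flow-sequence parser and the bare-token rule are simplified assumptions for teaching, not Falco's real parser, and the proc.name values are constructed samples.

```python
# Simplified model of the two quoting layers a Falco list item passes through.
# Layer 1: YAML strips its own quotes. Layer 2: Falco strips double quotes from
# a string literal; anything else must be a plain token. (Teaching model only.)
import re

# Assumed shape of a value that Falco accepts without surrounding double quotes.
BARE_TOKEN = re.compile(r'^[A-Za-z0-9_./-]+$')


def parse_yaml_flow_sequence(text: str) -> list[str]:
    """Parse a small YAML flow-sequence subset: [bare, 'single', "double"].
    Commas inside quoted items are not supported; enough for rule lists."""
    body = text.strip()
    if not (body.startswith('[') and body.endswith(']')):
        raise ValueError("expected a flow sequence like [a, b]")
    items = []
    for raw in body[1:-1].split(','):
        raw = raw.strip()
        if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "'\"":
            items.append(raw[1:-1])  # YAML removes its quotes, keeps the content
        elif raw:
            items.append(raw)        # plain scalar, passed through unchanged
    return items


def falco_literal(token: str) -> str:
    """Decode one value token as Falco would see it after YAML parsing."""
    if len(token) >= 2 and token[0] == token[-1] == '"':
        return token[1:-1]           # "(systemd)" -> (systemd)
    if BARE_TOKEN.match(token):
        return token                 # systemd -> systemd
    raise ValueError(f"unquoted special characters in Falco token: {token!r}")


def list_is_valid(list_yaml: str) -> bool:
    """True if every item survives both layers and is usable in a condition."""
    try:
        [falco_literal(t) for t in parse_yaml_flow_sequence(list_yaml)]
        return True
    except ValueError:
        return False


def matching_procs(list_yaml: str, proc_names) -> list[str]:
    """Which observed proc.name values would satisfy 'proc.name in (<list>)'."""
    values = {falco_literal(t) for t in parse_yaml_flow_sequence(list_yaml)}
    return [p for p in proc_names if p in values]


OBSERVED = ["systemd", "(systemd)", "systemd-logind"]  # constructed sample values

if __name__ == "__main__":
    print(matching_procs("[systemd, '\"(systemd)\"']", OBSERVED))  # ['systemd', '(systemd)']
    print(list_is_valid('[systemd, "(systemd)"]'))                 # False: YAML ate the quotes
```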