Skip to content

Functional poison implementation. Issue #177#284

Merged
haesbaert merged 2 commits into
mainfrom
poison
Dec 12, 2025
Merged

Functional poison implementation. Issue #177#284
haesbaert merged 2 commits into
mainfrom
poison

Conversation

@haesbaert
Copy link
Copy Markdown
Collaborator

@haesbaert haesbaert commented Nov 21, 2025
edited
Loading 

This adds a rule that makes it possible to "poison" all the matching events with
a specific `poison_tag`.

The tag is propagated to all its children, and further rules can match on the
specified tag, so for example, if one wanted to drop all the descendants of
bash, he could do:

/* Make a rule that poisons all my own children */
poison_rule = quark_ruleset_append_rule(&ruleset, RA_POISON, 7)
quark_rule_match_ppid(rule, getpid())

/* Drop all events that match my own children (the poison tag) */
drop_rule = quark_ruleset_append_rule(&ruleset, RA_DROP, 0);
quark_rule_match_poison(drop_rule, 7);

The idea is we can use this to drop trees of processes that match a certain
parameter.Poison because the tag "poisons" all its children.

@haesbaert
Functional poison implementation. Issue #177
26d7d50 
This adds a rule that makes it possible to "poison" all the matching events with
a specific `poison_tag`.

The tag is propagated to all its children, and further rules can match on the
specified tag, so for example, if one wanted to drop all the descendants of
bash, he could do:

/* Make a rule that poisons all my own children */
poison_rule = quark_ruleset_append_rule(&ruleset, RA_POISON, 7)
quark_rule_match_ppid(rule, getpid())

/* Drop all events that match my own children (the poison tag) */
drop_rule = quark_ruleset_append_rule(&ruleset, RA_DROP, 0);
quark_rule_match_poison(drop_rule, 7);

The idea is we can use this to drop trees of processes that match a certain
parameter.
@haesbaert haesbaert changed the title Functional poison implementation, needs more work. Functional poison implementation. Issue https://github.com/elastic/quark/issues/177 Dec 10, 2025
@haesbaert haesbaert changed the title Functional poison implementation. Issue https://github.com/elastic/quark/issues/177 Functional poison implementation. Issue #177 Dec 10, 2025
@haesbaert haesbaert marked this pull request as ready for review December 10, 2025 15:21
@haesbaert haesbaert requested a review from a team as a code owner December 10, 2025 15:21
This was referenced Dec 11, 2025
Merged
Merged
@haesbaert haesbaert merged commit 3a4650d into main Dec 12, 2025
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nicholasberlin nicholasberlin nicholasberlin approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@haesbaert @nicholasberlin