Add configurable event dropping for falco engine.

Add the ability to drop events at the falco engine level in a way that can scale with the dropping that already occurs at the kernel/inspector level. New inline function should_drop_evt() controls whether or not events are matched against the set of rules, and is controlled by two values--sampling ratio and sampling multiplier. Here's how the sampling ratio and multiplier influence whether or not an event is dropped in should_drop_evt(). The intent is that m_sampling_ratio is generally changing external to the engine e.g. in the main inspector class based on how busy the inspector is. A sampling ratio implies no dropping. Values > 1 imply increasing levels of dropping. External to the engine, the sampling ratio results in events being dropped at the kernel/inspector interface. The sampling multiplier is an amplification to the sampling factor in m_sampling_ratio. If 0, no additional events are dropped other than those that might be dropped by the kernel/inspector interface. If 1, events that make it past the kernel module are subject to an additional level of dropping at the falco engine, scaling with the sampling ratio in m_sampling_ratio. Unlike the dropping that occurs at the kernel level, where the events in the first part of each second are dropped, this dropping is random.
falcosecurity · Aug 10, 2016 · ec32b2a · ec32b2a
1 parent 4df868e
commit ec32b2a
Show file tree

Hide file tree

Showing 2 changed files with 82 additions and 4 deletions.
diff --git a/userspace/engine/falco_engine.cpp b/userspace/engine/falco_engine.cpp
@@ -1,3 +1,5 @@
+#include <cstdlib>
+#include <unistd.h>
 #include <string>
 #include <fstream>
 
@@ -17,10 +19,13 @@ string lua_print_stats = "print_stats";
 
 using namespace std;
 
-falco_engine::falco_engine()
-	: m_rules(NULL)
+falco_engine::falco_engine(bool seed_rng)
+	: m_rules(NULL), m_sampling_ratio(1), m_sampling_multiplier(0)
 {
-
+	if(seed_rng)
+	{
+		srandom((unsigned) getpid());
+	}
 }
 
 falco_engine::~falco_engine()
@@ -69,6 +74,12 @@ void falco_engine::load_rules_file(const string &rules_filename, bool verbose)
 
 falco_engine::rule_result *falco_engine::process_event(sinsp_evt *ev)
 {
+
+	if(should_drop_evt())
+	{
+		return NULL;
+	}
+
 	if(!m_evttype_filter.run(ev))
 	{
 		return NULL;
@@ -135,4 +146,28 @@ void falco_engine::add_evttype_filter(list<uint32_t> &evttypes,
 	m_evttype_filter.add(evttypes, filter);
 }
 
+void falco_engine::set_sampling_ratio(uint32_t sampling_ratio)
+{
+	m_sampling_ratio = sampling_ratio;
+}
 
+void falco_engine::set_sampling_multiplier(double sampling_multiplier)
+{
+	m_sampling_multiplier = sampling_multiplier;
+}
+
+inline bool falco_engine::should_drop_evt()
+{
+	if(m_sampling_multiplier == 0)
+	{
+		return false;
+	}
+
+	if(m_sampling_ratio == 1)
+	{
+		return false;
+	}
+
+	double coin = (random() * (1.0/RAND_MAX));
+	return (coin >= (1.0/(m_sampling_multiplier * m_sampling_ratio)));
+}
diff --git a/userspace/engine/falco_engine.h b/userspace/engine/falco_engine.h
@@ -18,7 +18,7 @@
 class falco_engine : public falco_common
 {
 public:
-	falco_engine();
+	falco_engine(bool seed_rng=true);
 	virtual ~falco_engine();
 
 	//
@@ -60,10 +60,53 @@ class falco_engine : public falco_common
 	void add_evttype_filter(list<uint32_t> &evttypes,
 				sinsp_filter* filter);
 
+	//
+	// Set the sampling ratio, which can affect which events are
+	// matched against the set of rules.
+	//
+	void set_sampling_ratio(uint32_t sampling_ratio);
+
+	//
+	// Set the sampling ratio multiplier, which can affect which
+	// events are matched against the set of rules.
+	//
+	void set_sampling_multiplier(double sampling_multiplier);
+
 private:
+
+	//
+	// Determine whether the given event should be matched at all
+	// against the set of rules, given the current sampling
+	// ratio/multiplier.
+	//
+	inline bool should_drop_evt();
+
 	falco_rules *m_rules;
         sinsp_evttype_filter m_evttype_filter;
 
+	//
+	// Here's how the sampling ratio and multiplier influence
+	// whether or not an event is dropped in
+	// should_drop_evt(). The intent is that m_sampling_ratio is
+	// generally changing external to the engine e.g. in the main
+	// inspector class based on how busy the inspector is. A
+	// sampling ratio implies no dropping. Values > 1 imply
+	// increasing levels of dropping. External to the engine, the
+	// sampling ratio results in events being dropped at the
+	// kernel/inspector interface.
+	//
+	// The sampling multiplier is an amplification to the sampling
+	// factor in m_sampling_ratio. If 0, no additional events are
+	// dropped other than those that might be dropped by the
+	// kernel/inspector interface. If 1, events that make it past
+	// the kernel module are subject to an additional level of
+	// dropping at the falco engine, scaling with the sampling
+	// ratio in m_sampling_ratio.
+	//
+
+	uint32_t m_sampling_ratio;
+	double m_sampling_multiplier;
+
 	std::string m_lua_main_filename = "rule_loader.lua";
 };