
Alert deduplication #1

Open
mssalvatore opened this issue Aug 2, 2020 · 4 comments
Assignees
Labels
bug Something isn't working good first issue Good for newcomers help wanted Extra attention is needed

Comments

@mssalvatore
Owner

Because inotify may send multiple events in rapid succession (i.e. IN_CREATE followed by IN_ATTRIB), duplicate alerts often get logged. Add code to avoid generating identical alerts.

Moved from OWWatcher mssalvatore/owwatcher#1

@mssalvatore mssalvatore added bug Something isn't working good first issue Good for newcomers help wanted Extra attention is needed labels Aug 2, 2020
@ydocsgnillats

Hey, I'd like to help with this issue if it is still available!

@mssalvatore
Owner Author

@ydocsgnillats It's all yours!

@ydocsgnillats

@mssalvatore Thanks! So I know I will need to add to the tmpwatcher.py file. To make sure I understand correctly, do you want to stop multiples of the same event being logged, or the same event type (IN_CREATE, IN_ATTRIB, etc.) being logged more than once?

@mssalvatore
Owner Author

When TmpWatcher sends alerts, they generally look something like: WARNING - Found permissions matching mask 077 on file: /tmp/1

You'll note there's no distinction between whether that alert is the result of creation or of a change to the permissions. If inotify sends those 2 events in rapid succession, TmpWatcher will therefore send identical alerts, which is unnecessary.

Most likely, you'll want to modify _should_send_alert() to check if this alert is identical to the previous alert.
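As an added illustration of the "identical to the previous alert" check suggested above (example code, not TmpWatcher's own `_should_send_alert()`), the filter below keeps the text of the last alert and drops a new one only when it matches. The optional time window, the `format_alert` helper and the event tuples are assumptions for the demonstration, not part of the project.

```python
import time
from typing import Optional

# Hypothetical stand-in for TmpWatcher's alert text; the wording follows the issue.
def format_alert(mask: str, path: str) -> str:
    return f"WARNING - Found permissions matching mask {mask} on file: {path}"

class AlertDeduplicator:
    """Suppress an alert that is identical to the previous one.

    Identity is the alert text alone, so IN_CREATE followed by IN_ATTRIB on
    the same file (same mask, same path) produces a single alert. The window
    (an assumption added here) lets the same condition alert again if it
    recurs much later, e.g. the file being recreated with bad permissions.
    """
    def __init__(self, window_seconds: Optional[float] = None):
        self.window_seconds = window_seconds
        self._last_alert: Optional[str] = None
        self._last_time = 0.0

    def should_send_alert(self, alert: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        same_as_last = alert == self._last_alert
        within_window = self.window_seconds is None or now - self._last_time < self.window_seconds
        if same_as_last and within_window:
            return False  # duplicate of the previous alert: drop it
        self._last_alert, self._last_time = alert, now
        return True

def process_events(events, window_seconds=None):
    """Feed constructed (inotify_event, mask, path, timestamp) tuples through the
    filter and return only the alerts that would actually be logged."""
    dedup = AlertDeduplicator(window_seconds)
    return [
        format_alert(mask, path)
        for _event, mask, path, ts in events
        if dedup.should_send_alert(format_alert(mask, path), now=ts)
    ]

# Constructed sample: IN_CREATE then IN_ATTRIB for /tmp/1 a millisecond apart,
# the same file flagged again 30 s later, then a different file.
SAMPLE_EVENTS = [
    ("IN_CREATE", "077", "/tmp/1", 0.000),
    ("IN_ATTRIB", "077", "/tmp/1", 0.001),
    ("IN_ATTRIB", "077", "/tmp/1", 30.0),
    ("IN_CREATE", "077", "/tmp/2", 30.5),
]

if __name__ == "__main__":
    for line in process_events(SAMPLE_EVENTS, window_seconds=5.0):
        print(line)
```

With a 5 s window the sample yields three alerts (the rapid IN_ATTRIB duplicate is dropped, the 30 s recurrence is kept); with no window the /tmp/1 recurrence is also dropped.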
