alert lost with http_output because of libcurl timeout #3522

benierc opened this issue Apr 2, 2025 · 0 comments · May be fixed by #3523
benierc commented Apr 2, 2025

Describe the bug

When the network is lost, the alert is lost after the libcurl timeout.

How to reproduce it

  • set an http_output to a falcosidekick:
    ```yaml
    json_output: true
    json_include_output_property: true
    http_output:
      enabled: true
      keep_alive: true
      url: "http://YOURHOST:2801/"
    ```
  • disable the network (in my case, I just block the port with iptables):
    ```sh
    iptables -A OUTPUT -p tcp --dport 2801 -j DROP
    ```
  • launch falco with the default rules (in my case in modern eBPF mode):
    ```sh
    falco -o engine.kind=modern_ebpf
    ```
  • do a violation:
    ```sh
    cat /etc/shadow
    ```
  • see the falco logs:
    ```
    # falco logs
    {"hostname":"test1","output":"17:15:03.434319636: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=sshd ggparent=sshd gggparent=sshd evt_type=openat user=root user_uid=0 user_loginuid=0 process=cat proc_exepath=/usr/bin/cat parent=bash command=cat /etc/shadow terminal=34817 container_id=host container_name=host) TEST 500","output_fields":{"container.id":"host","container.name":"host","evt.num":1915,"evt.time":1743606903434319636,"evt.type":"openat","fd.name":"/etc/shadow","proc.aname[2]":"sshd","proc.aname[3]":"sshd","proc.aname[4]":"sshd","proc.cmdline":"cat /etc/shadow","proc.exepath":"/usr/bin/cat","proc.name":"cat","proc.pname":"bash","proc.tty":34817,"user.loginuid":0,"user.name":"root","user.uid":0},"priority":"Warning","rule":"Read sensitive file untrusted","source":"syscall","tags":["T1555","container","filesystem","host","maturity_stable","mitre_credential_access"],"time":"2025-04-02T15:15:03.434319636Z"}
    Wed Apr  2 17:15:05 2025: "http" output timeout, all output channels are blocked

    # after CURL_TIMEOUT (about 3 minutes)

    Wed Apr  2 17:18:07 2025: libcurl failed to perform call: Timeout was reached
    ```

Notes

If I reactivate the network before CURL_TIMEOUT, the alert is sent,
and if I open /etc/shadow again, the other alerts will be sent.

Expected behaviour

Send the alert when the network is back (or at least independently of the curl timeout error).

Environment

  • Falco version:
    ```
    Wed Apr 2 17:36:16 2025: Falco version: 0.0.0 (x86_64)
    Wed Apr 2 17:36:16 2025: Falco initialized with configuration files:
    Wed Apr 2 17:36:16 2025: /etc/falco/config.d/engine-kind-falcoctl.yaml | schema validation: ok
    Wed Apr 2 17:36:16 2025: /etc/falco/falco.yaml | schema validation: failed for : Object contains a property that could not be validated using 'properties' or 'additionalProperties' constraints: ''.
    Wed Apr 2 17:36:16 2025: System info: Linux version 5.14.0-64.baseos.rpbatz.x86_64 (mockbuild@df273706113145ef9e8d3883fda7441d) (gcc (GCC) 11.3.1 20221121 (Red Hat 11.3.1-4), GNU ld version 2.35.2-37.baseos.rpbatz) #1 SMP Mon Sep 11 15:39:09 CEST 2023
    {"default_driver_version":"7.3.0+driver","driver_api_version":"8.0.0","driver_schema_version":"2.0.0","engine_version":"43","engine_version_semver":"0.43.0","falco_version":"0.0.0","libs_version":"0.18.1","plugin_api_version":"3.7.0"}
    ```

  • System info:
    ```json
    {
      "machine": "x86_64",
      "nodename": "test1",
      "release": "5.14.0-64.baseos.rpbatz.x86_64",
      "sysname": "Linux",
      "version": "#1 SMP Mon Sep 11 15:39:09 CEST 2023"
    }
    ```
  • Cloud provider or hardware configuration:
  • OS:
  • Kernel:
    ```
    Linux test1 5.14.0-64.baseos.rpbatz.x86_64 Digwatch compiler #1 SMP Mon Sep 11 15:39:09 CEST 2023 x86_64 x86_64 x86_64 GNU/Linux
    ```
  • Installation method:
    rpm custom

Additional context

@benierc benierc linked a pull request Apr 3, 2025 that will close this issue
@FedeDP FedeDP added this to the 0.41.0 milestone Apr 11, 2025
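As an added example (not part of the report above and not Falco's own code), the following Python script turns the behaviour described in the issue into a check a responder can run over Falco's stdout or syslog text: it pairs each JSON alert with the `"http" output timeout` and `libcurl failed to perform call` lines Falco prints afterwards and reports which alerts were blocked or, after the libcurl timeout, lost before reaching the HTTP sink. The sample log is constructed from the excerpt in the issue with `output_fields` trimmed; the delivered/blocked/lost statuses are a heuristic inferred from the log sequence, not something Falco reports directly.

```python
"""Spot Falco alerts whose http_output delivery was blocked or lost.

Added example, not Falco's code. Heuristic based on the issue's log excerpt:
  - a JSON alert followed by an '"http" output timeout' line is "blocked";
  - a blocked alert followed by 'libcurl failed to perform call' is "lost";
  - anything else is assumed "delivered" (Falco logs nothing on success).
"""
import json
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Non-JSON lines Falco prints (format taken from the issue's log excerpt).
TIMEOUT_RE = re.compile(
    r'^(?P<ts>.+?): "(?P<channel>\w+)" output timeout, all output channels are blocked$'
)
CURL_FAIL_RE = re.compile(r"^(?P<ts>.+?): libcurl failed to perform call: (?P<reason>.+)$")


@dataclass
class Alert:
    rule: str
    time: str
    status: str = "delivered"      # "delivered" | "blocked" | "lost"
    failure: Optional[str] = None  # libcurl reason when status == "lost"


def parse_falco_log(lines: Iterable[str]) -> List[Alert]:
    """Return one Alert per JSON line, with its inferred delivery status."""
    alerts: List[Alert] = []
    in_flight: Optional[Alert] = None  # most recent alert not yet resolved
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("{"):
            try:
                rec = json.loads(line)
            except json.JSONDecodeError:
                continue               # not a Falco alert, skip it
            in_flight = Alert(rule=rec.get("rule", "?"), time=rec.get("time", "?"))
            alerts.append(in_flight)
            continue
        if in_flight is None:
            continue
        if TIMEOUT_RE.match(line):
            in_flight.status = "blocked"
        else:
            m = CURL_FAIL_RE.match(line)
            if m and in_flight.status == "blocked":
                in_flight.status = "lost"
                in_flight.failure = m.group("reason")
                in_flight = None       # resolved; later alerts start fresh
    return alerts


def summarize(alerts: List[Alert]) -> Dict[str, int]:
    """Count alerts by inferred delivery status."""
    return dict(Counter(a.status for a in alerts))


# Constructed sample log modelled on the issue's excerpt (output_fields trimmed):
# alert 1 is blocked then lost, alert 2 goes through, alert 3 is still blocked.
SAMPLE_LOG = """\
{"hostname":"test1","output":"17:15:03.434319636: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow process=cat)","priority":"Warning","rule":"Read sensitive file untrusted","source":"syscall","time":"2025-04-02T15:15:03.434319636Z"}
Wed Apr  2 17:15:05 2025: "http" output timeout, all output channels are blocked
Wed Apr  2 17:18:07 2025: libcurl failed to perform call: Timeout was reached
{"hostname":"test1","output":"17:20:11.000000000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow process=cat)","priority":"Warning","rule":"Read sensitive file untrusted","source":"syscall","time":"2025-04-02T15:20:11.000000000Z"}
{"hostname":"test1","output":"17:21:30.000000000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow process=cat)","priority":"Warning","rule":"Read sensitive file untrusted","source":"syscall","time":"2025-04-02T15:21:30.000000000Z"}
Wed Apr  2 17:21:32 2025: "http" output timeout, all output channels are blocked
"""

if __name__ == "__main__":
    parsed = parse_falco_log(SAMPLE_LOG.splitlines())
    for a in parsed:
        extra = f" ({a.failure})" if a.failure else ""
        print(f"{a.time}  {a.rule!r:40}  {a.status}{extra}")
    print(summarize(parsed))
```

Run it against `journalctl -u falco -o cat` or the file Falco's stdout is redirected to; any alert reported as `lost` has to be re-derived from another channel (file_output, syslog) because, as the issue describes, Falco does not retry it once the libcurl timeout fires.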