feat(filter): Advanced filter rules configuration (#72)

* filters in configuration files

* various adjustments and polishing (emit and kill functions are late-bound, refactor config keys, etc.)

* add more unit tests, change filter group merging to type and category

* adjustments and bug fixes. Make filter AST evaluator capable of testing IP addresses and integers in lists. Start preparing the filter rules files and benchmarking the filter chain.

* operator case-insensitive variants, more filter rules

* Various tweaks and adjustments

- upgrade Go version to 1.16
- add `exe` param to CreateThread events
- some error fixes
- filter function refactoring for the validation method
- new filter rule definitions

* switch yaml.v2 to yaml.v3

* adjust tests

* Complete the default filter rules. Modify the validation schema to contemplate null values in filters.

* skip crashing filament test

* add `uuid` dependency

* fix tests and address lint warnings

Author: rabbitstack

.github/workflows/master.yml

@@ -16,7 +16,7 @@ jobs:
       - name: Install Go
         uses: actions/setup-go@v2
         with:
-           go-version: 1.15.x
+           go-version: 1.16.x
       - name: Checkout
         uses: actions/checkout@v2
       - name: Adjust pkg-config prefix
@@ -99,7 +99,7 @@ jobs:
       - name: Install Go
         uses: actions/setup-go@v2
         with:
-           go-version: 1.15.x
+           go-version: 1.16.x
       - name: Checkout
         uses: actions/checkout@v2
       - name: Build
@@ -128,7 +128,7 @@ jobs:
       - name: Install Go
         uses: actions/setup-go@v2
         with:
-           go-version: 1.15.x
+           go-version: 1.16.x
       - name: Setup msys2
         uses: msys2/setup-msys2@v2
         with:
@@ -173,7 +173,7 @@ jobs:
       - name: Install Go
         uses: actions/setup-go@v2
         with:
-           go-version: 1.15.x
+           go-version: 1.16.x
       - name: Setup msys2
         uses: msys2/setup-msys2@v2
         with:

.github/workflows/pr.yml

@@ -14,7 +14,7 @@ jobs:
       - name: Install Go
         uses: actions/setup-go@v2
         with:
-           go-version: 1.15.x
+           go-version: 1.16.x
       - name: Checkout
         uses: actions/checkout@v2
       - name: Adjust pkg-config prefix
@@ -82,7 +82,7 @@ jobs:
       - name: Install Go
         uses: actions/setup-go@v2
         with:
-           go-version: 1.15.x
+           go-version: 1.16.x
       - name: Setup msys2
         uses: msys2/setup-msys2@v2
         with:
@@ -127,7 +127,7 @@ jobs:
       - name: Install Go
         uses: actions/setup-go@v2
         with:
-           go-version: 1.15.x
+           go-version: 1.16.x
       - name: Setup msys2
         uses: msys2/setup-msys2@v2
         with:

.github/workflows/release.yml

@@ -12,7 +12,7 @@ jobs:
       - name: Install Go
         uses: actions/setup-go@v2
         with:
-           go-version: 1.15.x
+           go-version: 1.16.x
       - name: Checkout
         uses: actions/checkout@v2
       - name: Adjust pkg-config prefix
@@ -96,7 +96,7 @@ jobs:
       - name: Install Go
         uses: actions/setup-go@v2
         with:
-           go-version: 1.15.x
+           go-version: 1.16.x
       - name: Checkout
         uses: actions/checkout@v2
       - name: Get version

configs/fibratus.yml

@@ -93,6 +93,16 @@ filament:
   # Determines how often event batches are propagated to the filament callback function
   #flush-period: 200ms
 
+# =============================== Filters ===============================================
+
+# Contains the definition of filters. Filter expressions are contained in filter group files.
+# Filter group files can reside in the local file system or also can be exposed via HTTP url.
+filters:
+  from-paths:
+  # - C:\Program Files\Fibratus\Config\Filters\Default\default.yml
+  #from-urls:
+  #  - https://raw.githubusercontent.com/rabbitstack/fibratus/master/configs/filters/default/default.yml
+
 # =============================== Handle ===============================================
 
 # Indicates whether initial handle snapshot is built. The snapshot contains the state of system handles.