+ rule: open (type: syscall:entry)
+ actions:
+ notify
+ errors: none
+ errors: none
+ - name: T2
+ owner uid: ${uid}
+ condition: event rule hit
+ rule: open (type: syscall:exit)
+ actions:
+ notify
+ errors: none
+ errors: none
+ - name: T3
+ owner uid: ${uid}
+ condition: event rule hit
+ rule: open (type: syscall:entry+exit)
+ actions:
+ notify
+ errors: none
+ errors: none
+ - name: T4
+ owner uid: ${uid}
+ condition: event rule hit
+ rule: ptrace (type: syscall:entry+exit, filter: a > 2)