Condition

[Lichtsinnig]

Hi, thanks for the great utility. Question 1: Tell me how to use "traces" and changing "criticality"

Question 2: Is it possible to create the construction of conditions corresponding to the yara:

Condition: all of them 1 of them (all of ($s)) and !(all of ($x)) $s>10

Question 3: Is there a description of the operators both in yara? https://yara.readthedocs.io/en/v3.4.0/writingrules.html

[qjerome]

Hi,

Sorry for the delay between your issue and my reply but I am quite busy these days.

Question 1:

• a trace is a new rule that is generated on the fly when the rule matched. It is a little bit difficult to explain the concept in short, so I am planning to write a documentation soon to explain deeper Gene rules and the concepts around. Example: "::ProcessGuid = ProcessGuid" Will generate on the fly a rule that match the ProcessGuid field of the event that matched the rule. This way, you can trace other events generated by the same ProcessGuid. The syntax is "[comma separated list of event ids]:[channel(s) comma separated]:[operand to use in the generated rule] [operator (= or ~=)] [field in matching event to extract value from] Sorry for this coarse explaination but like I said, I am currently working on a documentation.

Changing the criticality, you can do it editing the rules.

Question 2: No, it is not yet implemented but it is a nice feature request though. Likely I will implement something of this sort in the next version.

Question 3: The only description of the rule syntax are both on this github README or there https://rawsec.lu/blog/posts/2018/Feb/04/go-evtx-signature-engine/