Closed: Lichtsinnig closed this issue 5 years ago
Hi,
What do you mean by "register-independent regexp"?

Concerning traces, there is a detailed explanation with one example here: http://www.rawsec.lu/doc/gene/1.4/writerules.html#traces-format
You can find many other rules with traces in the rule repository: https://github.com/0xrawsec/gene-rules
Otherwise, you can apply the simple rule just below on some Sysmon log where you know cmd.exe has been executed to see what's happening:
```json
{
  "Name": "Test",
  "Tags": [],
  "Meta": {
    "EventIDs": [1],
    "Channels": ["Microsoft-Windows-Sysmon/Operational"],
    "Computers": [],
    "Traces": [
      "*::ProcessGuid = ProcessGuid",
      "*::ParentProcessGuid = ProcessGuid"
    ],
    "Criticality": 0,
    "Author": "0xrawsec"
  },
  "Matches": [
    "$ct: Image ~= '(?i:cmd\\.exe)'"
  ],
  "Condition": "$ct"
}
```
> What do you mean by "register-independent regexp"?

Insensitive. Case-insensitive match (ignores case).
For everything related to regexp, please have a look at https://golang.org/pkg/regexp/syntax/ as explained in the Gene documentation.

Basically, you have to use `(?flags:re)` (set flags during re; non-capturing) with flags containing the `i` flag (case-insensitive).
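To see what the two replies above describe, here is a small Go program, added as an illustration; it is not code from Gene, from its rule repository, or from either participant. It compiles the rule's match `(?i:cmd\.exe)` with Go's regexp package (the syntax the Gene documentation points to), shows that the same pattern without the `i` flag misses a `CMD.EXE` image path, and then replays the rule's two trace lines against a constructed list of Sysmon-like events. The `Event` type, `SampleEvents`, the shortened GUID placeholders and the function names are all invented for the example. The reading of the trace format (for events of any EventID, `*`, the field left of `=` is compared with the value of the field right of `=` taken from the event that fired the rule) is my assumption from the linked documentation, not a statement about Gene's internals; the real engine applies traces to a live event stream rather than to a slice.

```go
package main

import (
	"fmt"
	"regexp"
)

// Event models only the Sysmon fields the rule touches (constructed for this
// example; a real Sysmon event carries many more fields).
type Event struct {
	EventID           int
	Image             string
	ProcessGuid       string
	ParentProcessGuid string
}

// CaseInsensitive is the pattern from the rule's Matches line. Go regexp
// syntax: (?i:...) sets the i flag for that group, \. is a literal dot.
// CaseSensitive is the same pattern without the flag, for comparison.
var (
	CaseInsensitive = regexp.MustCompile(`(?i:cmd\.exe)`)
	CaseSensitive   = regexp.MustCompile(`cmd\.exe`)
)

// ImageMatches applies the "Image ~= '...'" operator: ~= is a regex match.
func ImageMatches(image string, re *regexp.Regexp) bool {
	return re.MatchString(image)
}

// Trigger returns the events that fire the rule: Meta.EventIDs restricts it
// to EventID 1 (process creation) and the single match must hold.
func Trigger(events []Event) []Event {
	var hits []Event
	for _, e := range events {
		if e.EventID == 1 && ImageMatches(e.Image, CaseInsensitive) {
			hits = append(hits, e)
		}
	}
	return hits
}

// Trace replays the two trace lines for one triggering event:
//   "*::ProcessGuid = ProcessGuid"
//   "*::ParentProcessGuid = ProcessGuid"
// Assumed reading: for events of any EventID ("*"), the field left of "="
// is compared with the value of the field right of "=" taken from the
// triggering event. The result is later activity of the cmd.exe process
// itself plus its direct children.
func Trace(trigger Event, events []Event) []Event {
	var traced []Event
	for _, e := range events {
		if e == trigger {
			continue // the firing event itself is not a trace hit
		}
		if e.ProcessGuid == trigger.ProcessGuid || e.ParentProcessGuid == trigger.ProcessGuid {
			traced = append(traced, e)
		}
	}
	return traced
}

// SampleEvents is a constructed log, not real Sysmon output. GUIDs are
// shortened placeholders. Note the upper-case CMD.EXE image path.
var SampleEvents = []Event{
	{EventID: 1, Image: `C:\Windows\System32\svchost.exe`, ProcessGuid: "{A}", ParentProcessGuid: "{ROOT}"},
	{EventID: 1, Image: `C:\WINDOWS\SYSTEM32\CMD.EXE`, ProcessGuid: "{B}", ParentProcessGuid: "{A}"},
	{EventID: 1, Image: `C:\Windows\System32\whoami.exe`, ProcessGuid: "{C}", ParentProcessGuid: "{B}"},
	{EventID: 3, Image: `C:\WINDOWS\SYSTEM32\CMD.EXE`, ProcessGuid: "{B}"}, // network connection by cmd.exe
	{EventID: 1, Image: `C:\Windows\System32\notepad.exe`, ProcessGuid: "{D}", ParentProcessGuid: "{A}"},
}

func main() {
	fmt.Println("pattern without i flag matches CMD.EXE:", ImageMatches(SampleEvents[1].Image, CaseSensitive))
	fmt.Println("(?i:cmd\\.exe) matches CMD.EXE:         ", ImageMatches(SampleEvents[1].Image, CaseInsensitive))
	for _, hit := range Trigger(SampleEvents) {
		fmt.Printf("rule fired on %+v\n", hit)
		for _, e := range Trace(hit, SampleEvents) {
			fmt.Printf("  traced: %+v\n", e)
		}
	}
}
```

Run it with `go run .`; the EventID 3 connection and the whoami.exe child are reported as trace hits, while the sibling notepad.exe, which shares only the parent, is not, because neither trace line compares ParentProcessGuid against ParentProcessGuid.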
1) How to make a register-independent regexp? I didn't find the command line options. 2) Please write examples of using traces.