0xrawsec / gene

Signature engine for all your logs
GNU General Public License v3.0
156 stars 17 forks

regexp #3

Closed Lichtsinnig closed 5 years ago

Lichtsinnig commented 6 years ago

1) How to make a register-independent regexp? I didn't find the command line options.
2) Please write examples of using traces.

qjerome commented 6 years ago

Hi,

What do you mean by "register-independent regexp"?

Concerning traces, there is a detailed explanation with one example here: http://www.rawsec.lu/doc/gene/1.4/writerules.html#traces-format. You can find many other rules with traces in the rule repository: https://github.com/0xrawsec/gene-rules. Otherwise, you can apply the simple rule just below on some Sysmon log where you know cmd.exe has been executed to see what's happening:

```json
{
  "Name": "Test",
  "Tags": [],
  "Meta": {
    "EventIDs": [1],
    "Channels": ["Microsoft-Windows-Sysmon/Operational"],
    "Computers": [],
    "Traces": [
      "*::ProcessGuid = ProcessGuid",
      "*::ParentProcessGuid = ProcessGuid"
    ],
    "Criticality": 0,
    "Author": "0xrawsec"
  },
  "Matches": [
    "$ct: Image ~= '(?i:cmd\\.exe)'"
  ],
  "Condition": "$ct"
}
```

Lichtsinnig commented 6 years ago

> What do you mean by "register-independent regexp"?

Insensitive. Case insensitive match (ignores case).

qjerome commented 6 years ago

For everything related to regexp, please have a look at: https://golang.org/pkg/regexp/syntax/ as explained in the Gene documentation. Basically, you have to use `(?flags:re)` (set flags during re; non-capturing) with flags containing the `i` flag.
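To show the difference the `i` flag makes, here is an added example (not Gene's own code) with a hypothetical minimal parser for one `Matches` entry of the form `$name: Field ~= 'regex'`, evaluated against constructed Sysmon-like `Image` values. It assumes only that the `~=` operator compiles its right-hand side with Go's `regexp` package, as the documentation linked above describes.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Event is a constructed, minimal stand-in for a Sysmon EventID 1 record.
type Event map[string]string

// Match models one Gene "Matches" entry (hypothetical parser for this example).
type Match struct {
	Name  string
	Field string
	Re    *regexp.Regexp
}

// ParseMatch splits "$name: Field ~= 'regex'" and compiles the regex with
// Go's regexp package, so (?i:...) behaves exactly as in a Gene rule.
func ParseMatch(s string) (Match, error) {
	name, rest, ok := strings.Cut(s, ":")
	if !ok {
		return Match{}, fmt.Errorf("missing ':' in %q", s)
	}
	field, pat, ok := strings.Cut(strings.TrimSpace(rest), "~=")
	if !ok {
		return Match{}, fmt.Errorf("only the ~= operator is supported in %q", s)
	}
	re, err := regexp.Compile(strings.Trim(strings.TrimSpace(pat), "'"))
	if err != nil {
		return Match{}, err
	}
	return Match{Name: strings.TrimSpace(name), Field: strings.TrimSpace(field), Re: re}, nil
}

// Eval reports whether the match fires on the event (unanchored, like Go's MatchString).
func (m Match) Eval(e Event) bool { return m.Re.MatchString(e[m.Field]) }

func main() {
	// Constructed Image values: mixed case is what the (?i:...) group is for.
	events := []Event{{"Image": `C:\Windows\System32\cmd.exe`}, {"Image": `C:\Windows\System32\CMD.EXE`}, {"Image": `C:\Tools\cmdline.exe`}}
	sensitive, _ := ParseMatch(`$ct: Image ~= 'cmd\.exe'`)
	insensitive, _ := ParseMatch(`$ct: Image ~= '(?i:cmd\.exe)'`)
	for _, e := range events {
		fmt.Printf("%-32s case-sensitive=%-5v case-insensitive=%v\n", e["Image"], sensitive.Eval(e), insensitive.Eval(e))
	}
}
```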