I would like to implement an alert system based on karton-config-extractor, where it would alert/log about specific cases where there are YARA matches by rules in the modules but still we don't get a config.
In the current implementation of push_procmem it is hard to know if there aren't any YARA matches or there are, but extraction failed since both cases return None. There are debug logs, but at scale and when running as a service it is not ideal. It would be nice if there was any way to distinguish the different cases.
The issue I see is that if an Enum is used:
from enum import Enum
ProcmemAnalysisResult = Enum("ProcmemAnalysisResult", ["NoYaraMatch", "NoConfigExtracted"])
Then essentially NoYaraMatch is 1, and returning it instead of None may break backwards compatibility. Maybe if you point all of these to be None, then it would retain the same logic as there is now.
Hey guys!
I would like to implement an alert system based on
karton-config-extractor, where it would alert/log about specific cases where there are YARA matches by rules in the modules but still we don't get a config.In the current implementation of
push_procmemit is hard to know if there aren't any YARA matches or there are, but extraction failed since both cases returnNone. There are debug logs, but at scale and when running as a service it is not ideal. It would be nice if there was any way to distinguish the different cases.The issue I see is that if an Enum is used:
Then essentially
NoYaraMatchis 1, and returning it instead ofNonemay break backwards compatibility. Maybe if you point all of these to beNone, then it would retain the same logic as there is now.