WithSecureLabs / chainsaw

Rapidly Search and Hunt through Windows Forensic Artefacts
GNU General Public License v3.0

Service Installation 7045 Rules #156

Closed reece394 closed 8 months ago

reece394 commented 8 months ago

These are based on the sigma rules here with several adjustments made based on research specifically for these rules.

Attached is a series of log files I used during my testing, EVTX_7045.zip. These were custom made in a virtual machine due to the lack of samples available (especially for Remote Access Tools), in addition to using the evtx samples from Hayabusa-sample-evtx. Most of the rules are accounted for in these samples; however, for some I relied on the docs for the tools to generate the rules.

Thanks again for your assistance in #149, as without this I would have hit a brick wall. The only issue I had during testing and writing the rules is that sometimes the rules would not load. I believe this is because when I was testing I had blank space at the bottom of the file, i.e. empty lines, or potentially tab/padding issues. It would be nice to have the linter pick up on this when running the rule through lint, if that is possible.
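As an added illustration of what Event ID 7045 service-installation rules check for (this is example code written for this page, not the PR's rules and not chainsaw's own rule engine or rule syntax), the script below parses a handful of constructed 7045 events in the XML form that EVTX export tools produce, keeps only Service Control Manager 7045 records, and runs a few detection predicates over the service ImagePath. The sample events, host names, service names and the indicator regexes are all constructed for the example and are not taken from the attached EVTX_7045.zip.

```python
"""Toy detection over Windows System-log Event ID 7045 records.

Event ID 7045 ("A service was installed in the system") is written to the
System log by the Service Control Manager and carries the ServiceName,
ImagePath, ServiceType, StartType and AccountName of the new service.
"""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample events (not real captures): three 7045 records and one
# unrelated 7036 record, so the parser's filtering is visible.
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Service Control Manager"/><EventID>7045</EventID>
    <Channel>System</Channel><Computer>WS01.example.lab</Computer></System>
  <EventData>
    <Data Name="ServiceName">Windows Update Helper</Data>
    <Data Name="ImagePath">C:\Users\Public\svchost.exe</Data>
    <Data Name="ServiceType">user mode service</Data>
    <Data Name="StartType">auto start</Data>
    <Data Name="AccountName">LocalSystem</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Service Control Manager"/><EventID>7045</EventID>
    <Channel>System</Channel><Computer>WS01.example.lab</Computer></System>
  <EventData>
    <Data Name="ServiceName">VendorAgent</Data>
    <Data Name="ImagePath">"C:\Program Files\Vendor\agent.exe" --service</Data>
    <Data Name="ServiceType">user mode service</Data>
    <Data Name="StartType">auto start</Data>
    <Data Name="AccountName">LocalSystem</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Service Control Manager"/><EventID>7045</EventID>
    <Channel>System</Channel><Computer>WS02.example.lab</Computer></System>
  <EventData>
    <Data Name="ServiceName">Remote Helper</Data>
    <Data Name="ImagePath">%COMSPEC% /c powershell -enc QQBCAEMA</Data>
    <Data Name="ServiceType">user mode service</Data>
    <Data Name="StartType">demand start</Data>
    <Data Name="AccountName">LocalSystem</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Service Control Manager"/><EventID>7036</EventID>
    <Channel>System</Channel><Computer>WS02.example.lab</Computer></System>
  <EventData><Data Name="param1">Remote Helper</Data><Data Name="param2">running</Data></EventData>
</Event>
</Events>"""

# Detection predicates applied to ImagePath. These are illustrative
# heuristics chosen for the example, not a complete or authoritative set.
RULES = [
    ("service binary in user-writable location",
     re.compile(r"(?i)\\(users|programdata|temp)\\")),
    ("command interpreter or LOLBin as service image",
     re.compile(r"(?i)(%comspec%|\bcmd\.exe|powershell|pwsh|rundll32|regsvr32|mshta)")),
    ("encoded PowerShell command line",
     re.compile(r"(?i)\s-(enc|encodedcommand|e)\s")),
]


def parse_7045(xml_text):
    """Return a list of dicts, one per Service Control Manager 7045 event."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.findall("e:Event", NS):
        system = ev.find("e:System", NS)
        event_id = system.findtext("e:EventID", default="", namespaces=NS)
        provider = system.find("e:Provider", NS).get("Name", "")
        if event_id != "7045" or provider != "Service Control Manager":
            continue  # not a service-installation record
        data = {d.get("Name"): (d.text or "")
                for d in ev.findall("e:EventData/e:Data", NS)}
        data["Computer"] = system.findtext("e:Computer", default="", namespaces=NS)
        events.append(data)
    return events


def evaluate(events):
    """Run every rule over each event's ImagePath; return the events that hit."""
    findings = []
    for ev in events:
        image = ev.get("ImagePath", "")
        hits = [name for name, rx in RULES if rx.search(image)]
        if hits:
            findings.append({
                "Computer": ev["Computer"],
                "ServiceName": ev.get("ServiceName", ""),
                "ImagePath": image,
                "AccountName": ev.get("AccountName", ""),
                "rules": hits,
            })
    return findings


if __name__ == "__main__":
    for f in evaluate(parse_7045(SAMPLE_EVENTS)):
        print(f"{f['Computer']}: service '{f['ServiceName']}' -> {f['ImagePath']}")
        for rule in f["rules"]:
            print(f"    matched: {rule}")
```

Run as-is, it reports the two constructed suspicious installs (a service binary under C:\Users\Public and a service whose image is an encoded PowerShell command) and stays quiet on the vendor agent installed from Program Files; the 7036 status event is dropped by the parser before any rule runs. Triage in practice would add an allowlist of expected service images, since the "user-writable location" heuristic alone is noisy on hosts where legitimate installers drop services under ProgramData.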

alexkornitzer commented 8 months ago

Ah awesome, very nice to see some native chainsaw rules being written.

Could you please raise an issue for the rule loading issue and provide an example, then I can get it fixed.

reece394 commented 8 months ago

> Ah awesome, very nice to see some native chainsaw rules being written.
>
> Could you please raise an issue for the rule loading issue and provide an example, then I can get it fixed.

My attempts to reproduce this haven't been successful so far, but if I come across a clear reproducible case I will. (It could have been something else, as I was making a lot of changes to the rules during testing.)