--skip-errors fails on File System errors

[dsplice]

It appears that issue #49 https://github.com/countercept/chainsaw/issues/49#issue-1072543106 has returned. This is with V2.0.0-beta.2

[alexkornitzer]

-I can't seem to replicate this, are you able to show the output you got and the command you ran so I can hopefully use that to work out what is going on?-

Scrap that I think I found it, just prepping a new build now.

[alexkornitzer]

This should be fixed in 2.0.0-beta.3 assuming I have caught the right bug, please could you check if this build fixes it?

[dsplice]

[alexkornitzer]

Ah damn, thanks for the above though, can see exactly where that has fallen into. Right lets see if I managed to fix the above with beta 4! Apologies for the build spam.

[dsplice]

All good! Happy to help in any little way I can.

[alexkornitzer]

Did that work? Happy for me to close this issue out?

[dsplice]

I just downloaded to try it. Seems Windows Defender detects it as malware.

[alexkornitzer]

Weird it should only potentially think its malware if it the zip containing the attack samples too. Which it doesn't look like you downloaded in the above.

[dsplice]

Latest update of the malware definitions fixed the false positive. However the error is still there.

[alexkornitzer]

Good you got that sorted, but ah damn, okay still the same error message as you posted above?

[alexkornitzer]

Okay I am a tad stumped with this one as I just booted my windows VM and pointed Chainsaw at the C:\ drive and it ran through to the end when --skip-errors was enabled. Just to double check based on the (1) in your screenshot above, you definitely ran beta 4 and not 3 right?

[dsplice]

I verified the version, beta 4. This was run against a vhdx, so that could be an issue too. If it works everywhere else (and seems to), I would just chalk it up to a weird edge case.

[alexkornitzer]

What error message are you getting now, because if its a different one, then it will be a different code path we have not caught. If it is the same error message then I am very confused because I am about 90% sure that I have caught that one. But yep worst case we can close this out until it happens again, but I would prefer to get it squashed.

[dsplice]

Same exact error. I can provide screenshot tomorrow.

[alexkornitzer]

Okay lets have a look tomorrow, you might have to just let me know what you are running on and I will try and replicate that as close as possible but that error message is definitely guarded away now.

https://github.com/countercept/chainsaw/blob/master/src/file/mod.rs#L299-L302

    } else if skip_errors {
        cs_eyellowln!("[!] Specified path does not exist - {}", path.display());
    } else {
        anyhow::bail!("Specified event log path is invalid - {}", path.display());
    }

[dsplice]

I am running it on a KAPE triage image (VHDX) taken from a full disk image (E01). Here is a screenshot of the root directory.

[FranticTyping]

Hey @dsplice

Thanks for sending over the screenshot, that helps.

Just to make sure we’re all on the same page, could you send across a screenshot showing the full command you’re using and the error you see, and also a screenshot of the output of chainsaw.exe —version please?

Can you also check that you’re running chainsaw with elevated privileges?

Thanks!

[dsplice]

If I run it with the target of D:/D (subdirectory without System Volume Info) it runs fine. Just on the SVI directory.

[FranticTyping]

@dsplice that's great, thanks!

Can you try running that command again with the --skip-errors flag, e.g:

chainsaw hunt D: -s sigma/ -m mappings/sigma-event-logs-all.yml -r rules/ --skip-errors

That should allow Chainsaw to continue past that error, which I think is what you want?

[dsplice]

Darn, I must have missed that in the last testing. Ignore me. It works fine now 😊

[FranticTyping]

Glad to hear it's all working well, thanks for helping us troubleshoot!