ananyalahiri2003 / sigma_attack

Repo to work with Sigma Rules
Apache License 2.0

what is the purpose for parse_files #3

Open priamai opened 1 month ago

priamai commented 1 month ago

I am not sure about the parse_files function utility:

I am guessing what this function should do: a) validate the file against the official json schema b) accumulate some basic statistics like tag distribution c) filter out some potential low quality files based on author's reputation

Cheers.

ananyalahiri2003 commented 1 month ago

Just made the changes for the below - a) validate the file against the official json schema b) accumulate some basic statistics like tag distribution

For c), what is the way to assess author reputation pls? "author" and "falsepositives"? I'll make the change based on your input. Thanks

priamai commented 1 month ago

Author reputation, I would say for now if the author is Nextron Systems this should be high quality. Any other authors we shall use some human review to assess.

priamai commented 1 month ago

The inclusion of false positives is usually a good sign as no signature is perfect. It just indicates some level of maturity.

priamai commented 1 month ago

I would say for now my heuristic is to just select the ones from Nextron Systems and the ones that have at least a false positive description @ananyalahiri2003
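
The selection heuristic discussed in this thread, sketched as an added example that is not code from the issue or from the sigma_attack repository. Assumptions: rules are already parsed into dicts, the two criteria are combined with OR, placeholder entries such as "Unknown" do not count as a false positive description, and all function names and sample rules are hypothetical.

```python
from collections import Counter

TRUSTED_AUTHORS = ("nextron systems",)          # author named in the thread
PLACEHOLDER_FPS = {"", "unknown", "none", "-"}  # assumption: not a real description


def has_fp_description(rule):
    """True if the rule lists at least one non-placeholder false positive."""
    fps = rule.get("falsepositives") or []
    if isinstance(fps, str):  # tolerate a scalar where a list is expected
        fps = [fps]
    return any(str(fp).strip().lower() not in PLACEHOLDER_FPS for fp in fps)


def is_trusted_author(rule):
    """Sigma's author field is free text, often 'Name (Org), Name2'."""
    author = str(rule.get("author") or "").lower()
    return any(name in author for name in TRUSTED_AUTHORS)


def triage(rules):
    """Split rules into selected / human review; count tags of the selected ones."""
    selected, review, tags = [], [], Counter()
    for rule in rules:
        if is_trusted_author(rule) or has_fp_description(rule):
            selected.append(rule["title"])
            tags.update(rule.get("tags") or [])
        else:
            review.append(rule["title"])
    return selected, review, tags


# Constructed sample rules, shaped like parsed Sigma YAML; not real rules.
SAMPLE_RULES = [
    {"title": "A", "author": "Florian Roth (Nextron Systems)",
     "tags": ["attack.execution", "attack.t1059"], "falsepositives": ["Unknown"]},
    {"title": "B", "author": "someone", "tags": ["attack.execution"],
     "falsepositives": ["Admin scripts run by backup software"]},
    {"title": "C", "author": "someone", "tags": ["attack.persistence"],
     "falsepositives": ["Unknown"]},
    {"title": "D", "tags": None, "falsepositives": None},  # missing fields
]

if __name__ == "__main__":
    selected, review, tags = triage(SAMPLE_RULES)
    print("selected:", selected)
    print("human review:", review)
    print("tag distribution:", tags.most_common())
```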