Closed pritster5 closed 3 years ago
Hi. There is reference binary code under cmd/. But it was mainly just used for experimentation while writing a research paper.
v1 and v2 folders were written as importable libraries for an internal tool.
Thanks! If one wanted to build a standalone application that simply read log files (of various types, all resembling JSON, e.g. ECS) and ran rules against them, would you recommend building off of the code for the CLI cmd tool?
Look into cmd/run.go. It should give a basic outline. Perhaps a bit overcomplicated for what is needed (on account of concurrency).
https://github.com/markuskont/go-sigma-rule-engine/blob/master/cmd/run.go#L407 https://github.com/markuskont/go-sigma-rule-engine/blob/master/cmd/run.go#L427 https://github.com/markuskont/go-sigma-rule-engine/blob/master/cmd/run.go#L436
You can also look into cmd/parse.go for ruleset parsing. It does not have a runtime event eval component but will give a report on how many rules were parsed. Have not updated the code in a while (it was from my last job), so I'm not sure how much the updated sigma ruleset has broken things.
Was the go-sigma-rule-engine.exe file compiled using the v2 folder or is the source for this CLI application not included in this repo?