olafhartong / ThreatHunting

A Splunk app mapped to MITRE ATT&CK to guide your threat hunts
MIT License

Whitelisting issue #39

Closed s0lari closed 2 years ago

s0lari commented 4 years ago

Seems that when we have some whitelisted entries (with wildcards), they aren't being removed from the results - we still see results for those. Something that needs to be done differently or changed to have this running?

Thanks sir!

s0lari commented 4 years ago

Just to clarify further, if we add a whitelist item without any wildcards, and populate all fields, then the whitelist seems to work correctly, however, having to whitelist some items for all users by each individual user would be ...laborious ;)

Noticed that the transforms.conf file does set the match as 'wildcard', so I'm unsure as to why this wouldn't work with placing a wildcard into a field - very odd.

Just wondering if this is a bug?

olafhartong commented 4 years ago

Thanks for reaching out, could you tell me which event types are the problem? I did find a bug in the FileCreate events; this has been addressed in the version here on GitHub.

billmurrin commented 4 years ago

One thing I found last week. It appears that `WILDCARD(event_type)` is missing from the `registry_whitelist` lookup definition. This is causing `*` whitelisting for Registry whitelist entries to fail.

I also observed inconsistent results when manually running the process_create_whitelist through the old method (inputlookup) and the new lookup method. The new method consistently returned more results than the old method, but I could not determine exactly why this was happening - the lookup definition looked good on this one.
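The failure mode described in this thread comes down to how a Splunk lookup decides whether a whitelist row matches an event: only fields listed in the lookup definition's `match_type = WILDCARD(...)` are pattern-matched, every other field is compared literally, so a `*` placed in a field that is not declared as wildcard only matches the literal string `*`. The following Python model is an added example, not code from the ThreatHunting app or from Splunk, and the whitelist rows, event records and field names (`event_type`, `image`, `target_object`) are constructed for illustration. It runs the same whitelist once with `event_type` missing from the wildcard field set (the defect reported above) and once with it present, so you can see why the `*` entry suppresses nothing in the first case.

```python
from fnmatch import fnmatchcase

# Constructed whitelist row: suppress any registry event type where svchost.exe
# touches keys under the Services hive. The "*" in event_type is meant to cover
# SetValue, CreateKey, DeleteKey and so on.
REGISTRY_WHITELIST = [
    {
        "event_type": "*",
        "image": "C:\\Windows\\System32\\svchost.exe",
        "target_object": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\*",
    },
]

# Constructed events: one benign, one suspicious, both SetValue on a Services key.
EVENTS = [
    {
        "event_type": "SetValue",
        "image": "C:\\Windows\\System32\\svchost.exe",
        "target_object": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Dnscache\\Start",
    },
    {
        "event_type": "SetValue",
        "image": "C:\\Users\\Public\\updater.exe",
        "target_object": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Dnscache\\ImagePath",
    },
]

# Stand-ins for the lookup definition's match_type list (assumed field names).
WEAK_MATCH_FIELDS = {"image", "target_object"}                 # event_type omitted
FIXED_MATCH_FIELDS = {"event_type", "image", "target_object"}  # WILDCARD(event_type) added


def row_matches(event, row, wildcard_fields):
    """Emulate Splunk lookup matching: wildcard fields use glob semantics,
    all other fields must be equal to the whitelist value. Case-sensitive
    comparison is assumed here for simplicity."""
    for field, pattern in row.items():
        value = event.get(field, "")
        if field in wildcard_fields:
            if not fnmatchcase(value, pattern):
                return False
        elif value != pattern:
            return False
    return True


def filter_whitelisted(events, whitelist, wildcard_fields):
    """Return the events that survive whitelisting, i.e. match no whitelist row."""
    return [
        event for event in events
        if not any(row_matches(event, row, wildcard_fields) for row in whitelist)
    ]


if __name__ == "__main__":
    weak = filter_whitelisted(EVENTS, REGISTRY_WHITELIST, WEAK_MATCH_FIELDS)
    fixed = filter_whitelisted(EVENTS, REGISTRY_WHITELIST, FIXED_MATCH_FIELDS)
    print(f"without WILDCARD(event_type): {len(weak)} of {len(EVENTS)} events remain")
    print(f"with WILDCARD(event_type):    {len(fixed)} of {len(EVENTS)} events remain")
```

With the weak field set, `"*"` is compared literally against `"SetValue"`, so the svchost.exe row never matches and both events are returned. Once `event_type` is in the wildcard set, the benign svchost.exe event is suppressed and only the `updater.exe` write to `ImagePath` remains. The same reasoning applies to any field a whitelist author fills with `*`: check the lookup's `match_type` in transforms.conf before concluding that the whitelist entry itself is wrong.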