wagga40 / Zircolite

A standalone SIGMA-based detection tool for EVTX, Auditd and Sysmon for Linux logs

Zircolite v2.9.7 On the fly rules conversion #48

Closed frack113 closed 1 year ago

frack113 commented 1 year ago

From documentation:

Since Zircolite 2.2.0, if you have sigmatools >= 0.21, Zircolite is able to convert the rules on-the-fly if you provide a SIGMA config file and the sigmac path. It is very convenient for testing but you should avoid it since this is slower :

But there is no valid --sigma or --sigmac option.

wagga40 commented 1 year ago

Since it depended on the now-deprecated sigmac, it was removed. But the docs have not been updated. I will remove this part.

wagga40 commented 1 year ago

Solved in this commit