List index Out of range error when using feature with sysmon4linux

[hoanga2dtk68]

I get list index out of range error when using feature with sysmon4linux

Is there any way to fix this?

[wagga40]

Hello,

The easiest way to find a fix would be for you to share your log file to check exactly what is happening.

If you cannot share your log file (something I can understand), you can use —debug and check the zircolite.log file.

But from what I can see in your screenshot, I think your /var/log/syslog does not contains only sysmon for linux events which can be the source of the error.

[hoanga2dtk68]

yes, link drive google: https://drive.google.com/file/d/1UKIVmpxrE2roCu51_9inYkqzD0a1ujGV/view?usp=sharing Thank you.

[hoanga2dtk68]

There is also a problem when logs overlap with other log sources sysmon4linux

[hoanga2dtk68]

do you have a way to separate and use your tool?

[wagga40]

Thanks I will check your log to find the problem and I will try to answer your questions.

[hoanga2dtk68]

Thanks, looking forward to hearing from you soon.

[wagga40]

From what I have seen, the problem comes, as expected, from the /var/log/syslog file that contains different log types (System events and Sysmon for Linux events). The easiest way to handle it is outside Zircolite : you only keep the sysmon related lines in /var/log/syslog and copy them to another file:

grep "kali sysmon:" /var/log/syslog > Sysmon4Linux.log 
python3 zircolite.py --events Sysmon4Linux.log --rules rules/rules_linux.json

Please note that you can also have the ugly default XML logs converted to JSON (1 event per line) for free if you add the --keeptmp option. The resulting JSON files will be available in a directory named like this : tmp-XXXXXXXX.

With the default linux ruleset (not the greatest...) it should give you something like this :

[hoanga2dtk68]

i see some problems when the rule doesn't catch the actual webshell command. the commands i use is ls -lah