z0ne323 / WinUnderIR


Update WinEventParser #5 #26

Closed z0ne323 closed 1 year ago

nigleweber commented 1 year ago

Looking good. @v3r1t4s you did a great job adding so many Event IDs and rules to the project since last week! 🏅

A couple of quick improvements we can make:

  1. For unordered rules we can make the ID and IDs field the same. We'll need to add code for detection + handling of ID lists elsewhere in the code though. This gives us the option of not needing to specify an explicit "first" event. <- We'll discuss the implications tomorrow aka New Rule Type or explanation of the existing unordered rules in comments
  2. The Window field in the rules does not specify what time unit it targets. Presumably this should be milliseconds since that's what timestamps are in.
     • Add references to what time unit the Window uses
     • Update rules as appropriate so that they have the correct value, e.g. 60 seconds should have a value of 60000

Note: Rename existing unordered to match_first_unordered. match_first_unordered must match event X first then all of set Y.
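Added example (not part of the PR discussion and not WinUnderIR's own code): a minimal evaluator for the match_first_unordered rule type described above, with the Window field treated as milliseconds. The rule field names ID, IDs and Window come from the comment; the Event and Rule record layouts, the function names and the sample events are assumptions constructed for this example. The second rule shows what goes wrong when a rule author writes 60 meaning seconds while the matcher compares millisecond timestamps: the same event sequence no longer matches.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

# Assumed record layout for one parsed Windows event; timestamps are in
# milliseconds, the unit the comment settles on for the Window field.
@dataclass(frozen=True)
class Event:
    event_id: int
    timestamp: int  # milliseconds


# Assumed rule layout mirroring the fields named in the review:
# ID     -> the event that must occur first
# IDs    -> the set of events that must all follow (in any order)
# Window -> how long after the first event the rest may arrive, in ms
@dataclass(frozen=True)
class Rule:
    name: str
    first_id: int
    set_ids: Set[int]
    window_ms: int


def match_first_unordered(rule: Rule, events: List[Event]) -> List[Tuple[int, int]]:
    """Return (first_ts, completed_ts) for every occurrence where event
    rule.first_id is followed, within rule.window_ms, by every id in
    rule.set_ids (order among the set does not matter)."""
    ordered = sorted(events, key=lambda e: e.timestamp)
    hits = []
    for i, anchor in enumerate(ordered):
        if anchor.event_id != rule.first_id:
            continue
        remaining = set(rule.set_ids)
        deadline = anchor.timestamp + rule.window_ms
        for follow in ordered[i + 1:]:
            if follow.timestamp > deadline:
                break  # window expired before the set was complete
            remaining.discard(follow.event_id)
            if not remaining:
                hits.append((anchor.timestamp, follow.timestamp))
                break
    return hits


# Constructed sample: a logon (4624) followed by process creation (4688)
# and a special-privilege assignment (4672) within 60 s, then a second
# logon whose follow-up event arrives too late.
SAMPLE_EVENTS = [
    Event(4624, 1_000),
    Event(4688, 20_000),
    Event(4672, 50_000),
    Event(4624, 100_000),
    Event(4688, 170_000),
]

# Window written correctly in milliseconds (60 seconds -> 60000).
RULE_MS = Rule("logon_then_priv_and_proc", 4624, {4672, 4688}, 60_000)

# The mistake the comment warns about: "60" intended as seconds but
# compared against millisecond timestamps, so the window is 60 ms.
RULE_WRONG_UNIT = Rule("logon_then_priv_and_proc", 4624, {4672, 4688}, 60)

if __name__ == "__main__":
    print("ms window:   ", match_first_unordered(RULE_MS, SAMPLE_EVENTS))
    print("60 'seconds':", match_first_unordered(RULE_WRONG_UNIT, SAMPLE_EVENTS))
```

With the millisecond window the first logon completes the set at t=50000 and the second logon does not (its 4688 lands after the deadline, and no 4672 follows at all); with the mis-scaled window nothing matches, which is the silent false negative a unit comment in the rule files prevents.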

z0ne323 commented 1 year ago

On it as I speak!