Problem to identify matched signature due to Sigma rules with similar information
jvmendezp opened this issue
Hello team, I found something interesting. Look at these Sigma rules:
- https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_susp_failed_logons_single_source.yml
- https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_susp_failed_logons_single_source2.yml
Both have the same value for the following fields: title, description, tags, date, modified, level, etc.
Is there any way to know exactly which Sigma signature was matched from the Chainsaw output?
Thanks in advance.
Regards.
Javier
This should be solved in v2 when we add the ability to display the id field, but currently you are correct in that there is no way to deduce this. IMO Sigma rules should not be reusing titles; if the rule is the same, then the logic should be combined. This is just bad rule writing if you ask me. I am going to try and get your extra Sigma rules request work done this weekend.
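The ambiguity raised above is easy to audit before it bites you in a tool that prints only the rule title. The script below is an added example, not Chainsaw or SigmaHQ code: it reads top-level scalar fields and the raw `detection:` block from Sigma rule files, groups rules by title, and reports whether colliding titles carry identical detection logic (a merge candidate, as the reply above argues) or different logic (in which case only the `id` field disambiguates a hit). The two embedded rules are constructed stand-ins for the pair in the question, with made-up UUIDs; the parser only handles top-level keys, so no YAML library is assumed.

```python
"""Flag Sigma rules that share a title, so a title-only match line is ambiguous.

Added example (not Chainsaw or SigmaHQ code). Only top-level scalar fields and
the raw ``detection:`` block are read, so no YAML library is needed.
"""
import hashlib
import re
from collections import defaultdict
from pathlib import Path

# Constructed sample rules: same title and description, different id and
# different detection logic. The ids are placeholders, not the real ones.
SAMPLE_RULES = {
    "win_susp_failed_logons_single_source.yml": """\
title: Multiple Users Failing to Authenticate from Single Source
id: 11111111-1111-4111-8111-111111111111
status: experimental
description: Detects many failed logon attempts from one source.
level: medium
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4625
    condition: selection | count(TargetUserName) by IpAddress > 10
""",
    "win_susp_failed_logons_single_source2.yml": """\
title: Multiple Users Failing to Authenticate from Single Source
id: 22222222-2222-4222-8222-222222222222
status: experimental
description: Detects many failed logon attempts from one source.
level: medium
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4776
    condition: selection | count(TargetUserName) by Workstation > 10
""",
}

# Matches an unindented "key:" or "key: value" line (a top-level YAML key).
TOP_LEVEL = re.compile(r"^([A-Za-z_][\w-]*):(?:\s*(.*))?$")


def parse_rule(text):
    """Return top-level scalar fields plus a SHA-256 of the detection block."""
    fields = {}
    detection_lines = []
    current = None
    for line in text.splitlines():
        m = TOP_LEVEL.match(line)
        if m:
            current = m.group(1)
            if m.group(2):
                fields[current] = m.group(2).strip()
        elif current == "detection" and line.strip():
            # Indented lines under "detection:" are collected verbatim.
            detection_lines.append(line.strip())
    digest = hashlib.sha256("\n".join(detection_lines).encode()).hexdigest()
    fields["detection_sha256"] = digest
    return fields


def load_rules_from_dir(directory):
    """Read every *.yml under a directory (recursively) into {filename: text}."""
    return {p.name: p.read_text(encoding="utf-8") for p in Path(directory).rglob("*.yml")}


def find_title_collisions(rules):
    """Map each title used by more than one rule to [(file, id, detection hash)]."""
    by_title = defaultdict(list)
    for name, text in rules.items():
        f = parse_rule(text)
        by_title[f.get("title", "")].append(
            (name, f.get("id", "<missing id>"), f["detection_sha256"])
        )
    return {t: v for t, v in by_title.items() if len(v) > 1}


def classify(collisions):
    """'duplicate-logic' if all detection blocks are identical (merge candidate),
    otherwise 'ambiguous-title' (only the id tells the hits apart)."""
    return {
        title: "duplicate-logic" if len({h for _, _, h in entries}) == 1 else "ambiguous-title"
        for title, entries in collisions.items()
    }


def label(fields):
    """Render a hit with its id so the matched rule is unambiguous."""
    return f"{fields.get('title')} [{fields.get('id')}]"


if __name__ == "__main__":
    collisions = find_title_collisions(SAMPLE_RULES)
    for title, verdict in classify(collisions).items():
        print(f"{verdict}: {title}")
        for name, rule_id, _ in collisions[title]:
            print(f"    {name} -> {rule_id}")
```

Point `load_rules_from_dir` at a checkout of the SigmaHQ `rules/` tree to run the same check over the real corpus; any title that comes back as `ambiguous-title` is one you cannot attribute from a title-only output line, which is exactly why rendering `label()`-style output with the `id` matters.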
Thanks a lot!
This is in the beta.