WithSecureLabs / chainsaw

Rapidly Search and Hunt through Windows Forensic Artefacts

Problem to identify matched signature due to Sigma rules with similar information

jvmendezp opened this issue · comments

Hello team, I found something interesting. Look at these Sigma rules:

  1. https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_susp_failed_logons_single_source.yml
  2. https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_susp_failed_logons_single_source2.yml

Both have the same value for the following fields: title, description, tags, date, modified, level, etc.

Is there any way to know exactly what was the matched sigma signature from the chainsaw output?

Thanks in advance.

Regards.

Javier

This should be solved in v2 when we add the ability to display the id field, but currently you are correct in that there is no way to deduce this. IMO Sigma rules should not be reusing titles; if the rule is the same, then the logic should be combined. This is just bad rule writing, if you ask me. I am going to try and get your extra Sigma rules request work done this weekend.
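A check a rule author or Chainsaw user could run over a rule set before loading it, added here as an example and not code from the Chainsaw project: it reads only the unindented scalar fields of each rule (a deliberately minimal reader, not a full YAML parser) and lists every title reused by more than one rule together with each rule's id, the field the reply above says is needed to tell matches apart. The two rule fragments, their titles and their ids are constructed placeholders, not the real SigmaHQ files.

```python
import re
from collections import defaultdict

# Constructed Sigma-style rule fragments reproducing the collision from the
# issue: identical title and description, distinct ids. The ids and the
# detection logic are placeholders, not the real SigmaHQ rules.
RULES = {
    "win_susp_failed_logons_single_source.yml": """\
title: Multiple Users Failing to Authenticate from Single Source
id: 00000000-0000-0000-0000-000000000001
description: Detects failed logons for many accounts from one source.
level: medium
detection:
  selection:
    EventID: 4625
""",
    "win_susp_failed_logons_single_source2.yml": """\
title: Multiple Users Failing to Authenticate from Single Source
id: 00000000-0000-0000-0000-000000000002
description: Detects failed logons for many accounts from one source.
level: medium
detection:
  selection:
    EventID: 4776
""",
}

# Matches only unindented `key: value` lines, so nested detection keys are ignored.
TOP_LEVEL = re.compile(r"^([A-Za-z_][\w-]*):[ \t]*(.*?)[ \t]*$")

def top_level_scalars(text):
    """Return the flat top-level metadata fields (title, id, level, ...) of one rule."""
    fields = {}
    for line in text.splitlines():
        m = TOP_LEVEL.match(line)
        if m and m.group(2):  # skip keys whose value is a nested block
            fields[m.group(1)] = m.group(2).strip("'\"")
    return fields

def title_collisions(rules):
    """Map each title used by more than one rule to the (file, id) pairs that share it."""
    by_title = defaultdict(list)
    for name, text in rules.items():
        f = top_level_scalars(text)
        by_title[f.get("title", "")].append((name, f.get("id", "<missing id>")))
    return {t: v for t, v in by_title.items() if len(v) > 1}

if __name__ == "__main__":
    for title, users in title_collisions(RULES).items():
        print(f"title reused by {len(users)} rules: {title!r}")
        for name, rule_id in users:
            print(f"  {name}: id={rule_id}")
```

Pointing `RULES` at the files of a real rule directory (read each `.yml` into the dict) gives the same report for a whole rule set.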

Thanks a lot!

This is in the beta.