WithSecureLabs / chainsaw

Rapidly Search and Hunt through Windows Forensic Artefacts


EventID in Sigma Rules not matching (String vs Numeric)

stdio-h opened this issue · comments

Most sigma rules use numeric EventID - i.e.:

```yaml
        EventID: 7045
            - 'srservice'
            - 'ipvpn'
            - 'hkmsvc'
    condition: selection
```

modules.rs [line 215] however converts the EventID to a String

```rust
doc["EventID"] = json!(event_id.to_string());
```

and the condition (EventID: 7045) is therefore not met. After removing the conversion to String (or rewriting the Sigma Rule to EventID: "7045") the Event is successfully matched:

```rust
doc["EventID"] = json!(event_id);
```

Thanks for pointing this out. I was trying to write a Proxyshell rule and after reading this post and casting the event id as a string the detection worked.

Good spot, thanks for raising this. I've merged in a fix for this. I'll push out a new build this weekend.

I've had to revert the change that closed this issue due to the issue identified in #30.

delete if this doesn't have a place here but
As a temporary solution, the following can transform the sigma rule data set:

```sh
# Quote every scalar EventID value in place, so `EventID: 7045` becomes
# `EventID: "7045"`. Event IDs have 1 to 5 digits (the original \{4\} only
# caught four-digit IDs); -print0 / read -d '' keeps paths with spaces intact.
find sigma_rules/ -name '*.yml' -print0 | while IFS= read -r -d '' f; do
    sed -i 's/\(EventID:\s*\)\([[:digit:]]\{1,5\}\)/\1"\2"/' "$f"
    echo "transforming $f"
done
```

Thanks for doing the leg work on that Michael. I just put this together for the nested event ID statements using the loop you put together

```sh
# Run inside the same find/while loop, for EventID given as a YAML list
# (`EventID:` followed by `- 7045` lines). Note it quotes any `- <digits>`
# list item in the file, not only those under EventID.
sed -i 's/\(- \)\([[:digit:]]\{1,5\}\)/\1"\2"/' "$f"
```
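As an added example, not code from the chainsaw project or from anyone in this thread, the mismatch reported above and both ways around it in Python: a type-tolerant comparison that treats the rule's 7045 and the document's "7045" as equal, and a walker over a parsed rule that quotes EventID values (scalar or list, with or without a Sigma modifier suffix) while leaving other numeric fields untouched, which is what the sed one-liners approximate. The event documents and the selection are constructed samples.

```python
import json
from typing import Any, List, Optional

# Constructed sample event as chainsaw's converter emits it (EventID turned into
# a string) and as the raw EVTX field carries it (numeric).
EVENT_AS_STRING = json.loads('{"EventID": "7045", "ServiceName": "ipvpn"}')
EVENT_AS_INT = json.loads('{"EventID": 7045, "ServiceName": "ipvpn"}')

# Constructed Sigma-style selection as a YAML parser yields it: EventID is an
# int, and a list of values for one field is an OR.
SELECTION = {"EventID": 7045, "ServiceName": ["srservice", "ipvpn", "hkmsvc"]}


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def strict_match(selection: dict, doc: dict) -> bool:
    """Plain equality: 7045 in the rule never equals "7045" in the document."""
    return all(doc.get(field) in _as_list(wanted)
               for field, wanted in selection.items())


def tolerant_match(selection: dict, doc: dict) -> bool:
    """Compare scalar values by their string form, so 7045 and "7045" agree."""
    for field, wanted in selection.items():
        if field not in doc:
            return False
        if str(doc[field]) not in {str(v) for v in _as_list(wanted)}:
            return False
    return True


def quote_event_ids(node: Any, key: Optional[str] = None) -> Any:
    """Return a copy of a parsed rule with every EventID value made a string.

    Handles `EventID: 7045`, `EventID: [7045, 7036]` and modified keys such as
    `EventID|startswith`, at any depth, and leaves other numeric fields alone."""
    if isinstance(node, dict):
        return {k: quote_event_ids(v, k) for k, v in node.items()}
    if isinstance(node, list):
        return [quote_event_ids(v, key) for v in node]
    is_event_id = key is not None and key.split("|")[0] == "EventID"
    if is_event_id and isinstance(node, int) and not isinstance(node, bool):
        return str(node)
    return node
```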