WithSecureLabs / chainsaw

Rapidly Search and Hunt through Windows Forensic Artefacts


Rules folders not loading correctly

jimbowaba opened this issue · comments

No matter what folder you specify it seems to load the default rules folder

Hi @jimbowaba

I'm not able to replicate this on my side. There is no "default" rules folder; the rules folder must always be specified via the "--rules" flag.

-> % ./chainsaw hunt ../../evtx_attack_samples/ --rules ../../sigma_rules --mapping ../../mapping_files/sigma-mapping.yml

[+] Found 268 EVTX files
[+] Converting detection rules...
[+] Loaded 979 detection rules (296 were not loaded)
[+] Printing results to screen
[+] Hunting: [==>-------------------------------------] 19/268 ⠋

As you can see with the above, 979 rules were loaded when pointing at the "../../sigma_rules" folder, but when I specify a different directory:

-> % ./chainsaw hunt ../../evtx_attack_samples/ --rules /tmp/sigma_rules/rules/windows/powershell --mapping ../../mapping_files/sigma-mapping.yml

[+] Found 268 EVTX files
[+] Converting detection rules...
[+] Loaded 54 detection rules (13 were not loaded)
[+] Printing results to screen
[+] Hunting: [============================>-----------] 188/268 ⠇

Only 54 detection rules are loaded, which to me would mean that chainsaw is using the specified path.

Could you please provide steps to reproduce your issue? Thanks.

Hi @fscc-jamesd, thanks for your speedy reply (and awesome tool). A few of us spent a while looking into this and realised that it was a misunderstanding on our part. We didn't realise that the rule output would show the built-in logic in every result; we assumed that specifying a ruleset would only show results specific to that ruleset. As we were choosing small rulesets that weren't hitting, it was only returning the built-in logic, thus confusing us. It would be useful if there were an option to turn this off to only output the specified rules.

Thanks for your help

Hey @jimbowaba

Ah, I understand.

There's the option --no-builtin which should achieve what you want. This will disable all of the builtin detection logic and only use the rules specified by the --rules file. 👍
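The sanity check the maintainer performs above (compare the "Loaded N detection rules" count against the directory passed to --rules) can be scripted. The following is an added example written for this page, not code from the chainsaw project. It assumes that every rule in the --rules directory is a single *.yml or *.yaml file, that chainsaw's output has been captured to a file with the lines shown in the issue, and that "loaded" plus "were not loaded" together account for every rule file in that directory; these assumptions are not stated on the page and should be checked against the version of chainsaw in use.

```shell
#!/bin/sh
# Added example (not part of the chainsaw project): verify that the
# "[+] Loaded N detection rules (M were not loaded)" line chainsaw prints
# is consistent with the directory passed to --rules.
#
# Assumptions (not from the issue): one rule per *.yml/*.yaml file, and
# loaded + not-loaded == number of rule files in the --rules directory.

# Count the Sigma rule files under a directory (recursively).
count_rule_files() {
    find "$1" -type f \( -name '*.yml' -o -name '*.yaml' \) | wc -l | tr -d ' '
}

# Pull the "Loaded N" figure out of captured chainsaw output.
parse_loaded() {
    sed -n 's/^\[+\] Loaded \([0-9][0-9]*\) detection rules.*/\1/p' "$1"
}

# Pull the "(M were not loaded)" figure out of captured chainsaw output.
parse_not_loaded() {
    sed -n 's/^\[+\] Loaded [0-9]* detection rules (\([0-9][0-9]*\) were not loaded).*/\1/p' "$1"
}

# Compare loaded + not-loaded against the file count in the --rules directory.
# Returns 0 when they agree (chainsaw read the directory you gave it),
# 1 when they differ (wrong path, non-rule YAML files present, or a
# different output format).
check_rules_dir() {
    dir=$1
    out=$2
    files=$(count_rule_files "$dir")
    loaded=$(parse_loaded "$out")
    skipped=$(parse_not_loaded "$out")
    if [ -z "$loaded" ] || [ -z "$skipped" ]; then
        echo "could not find a 'Loaded N detection rules' line in $out" >&2
        return 1
    fi
    total=$((loaded + skipped))
    if [ "$total" -eq "$files" ]; then
        echo "ok: $loaded loaded + $skipped not loaded = $files rule files in $dir"
        return 0
    fi
    echo "mismatch: chainsaw reported $total rules, $dir contains $files rule files" >&2
    return 1
}

# Constructed sample of chainsaw's output, copied from the second run in
# the issue, written to the path given as $1 (for offline demonstration).
write_constructed_sample_log() {
    printf '%s\n' \
        '[+] Found 268 EVTX files' \
        '[+] Converting detection rules...' \
        '[+] Loaded 54 detection rules (13 were not loaded)' \
        '[+] Printing results to screen' > "$1"
}
```

Against a real run, capture both stdout and stderr (the progress bar may be written to either) and point the check at the same directory you passed to --rules, for example `./chainsaw hunt ../../evtx_attack_samples/ --rules /tmp/sigma_rules/rules/windows/powershell --mapping ../../mapping_files/sigma-mapping.yml > hunt.log 2>&1; check_rules_dir /tmp/sigma_rules/rules/windows/powershell hunt.log`. A mismatch does not by itself mean chainsaw ignored the path: non-rule YAML files in the directory, or a changed summary line in a newer release, will also trip it.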