WithSecureLabs / chainsaw

Rapidly Search and Hunt through Windows Forensic Artefacts


Add --sync command for updating Sigma rules from SigmaHQ repo

AndrewRathbun opened this issue · comments

Hello,

Thanks for all your work on this fantastic tool!

Sigma rules in the SigmaHQ repo seem to change by the hour. It's a very fast-moving repo, as I've come to find out. Manually updating these Sigma rules is simply something most people won't do, and over time they'll be missing out on new rules for the latest threats. A fair number of examiners likely won't know any better that these rules should be maintained and updated on a fairly regular basis.

The ask here is to consider adding a --sync command (or similar) that'll mirror the contents of https://github.com/SigmaHQ/sigma/tree/master/rules into the .\Chainsaw\sigma_rules directory, folders and all. If not all folders, then maybe at least the Windows and APT folders, to start?

Thanks for any consideration!

Hello,
Yes this is a great idea! Please consider implementing this! :)

Ignore the above, mistakes were made.

Regarding this issue, I'm reluctant to add sync functionality directly into chainsaw itself. I think the correct solution here is to either clone this repo and then periodically update the sigma-rule submodule as needed, or alternatively just clone the sigma rule repo separately and point chainsaw at that.

Adding sync functionality would bloat out chainsaw in my opinion.
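The maintainer's second option (keep a separate clone of the SigmaHQ repository and point chainsaw at it) can be scripted outside the tool. The following is an added example, not code from the chainsaw project or from either participant in this thread. It assumes `git` is on the PATH, that `SIGMA_DIR` is wherever you want the clone to live, and that the commented-out `chainsaw hunt -s ... --mapping ...` invocation matches the chainsaw v2 command line with a mapping file you supply yourself; the `.sigma-revision` marker file is this script's own convention, not anything chainsaw reads.

```shell
#!/bin/sh
# Added example (not part of chainsaw): keep a local clone of the SigmaHQ
# rules current and hand the rule directory to chainsaw, instead of bundling
# sync logic into the tool itself.
set -eu

# Assumption: the public SigmaHQ repository; override with SIGMA_REMOTE.
SIGMA_REMOTE="${SIGMA_REMOTE:-https://github.com/SigmaHQ/sigma.git}"

# sync_sigma_rules DEST [REMOTE]
# First run: shallow-clone the rules repository into DEST.
# Later runs: fast-forward the existing clone (refuses to merge, so a
# locally edited clone is never silently rewritten).
# Prints the path of the rules directory on success.
sync_sigma_rules() {
    dest="$1"
    remote="${2:-$SIGMA_REMOTE}"
    if [ -d "$dest/.git" ]; then
        git -C "$dest" pull --ff-only --quiet
    else
        git clone --quiet --depth 1 "$remote" "$dest"
    fi
    # Record the rule-set revision so a hunt's findings can be tied to the
    # exact rules that produced them (script's own marker file, assumed).
    git -C "$dest" rev-parse --short HEAD > "$dest/.sigma-revision"
    echo "$dest/rules"
}

# count_rules DIR
# Number of YAML rule files under DIR: a sanity check that the sync actually
# produced rules before pointing chainsaw at an empty or broken directory.
count_rules() {
    find "$1" -type f \( -name '*.yml' -o -name '*.yaml' \) | wc -l | tr -d ' '
}

# Usage against the real repository (uncomment to run; assumed paths):
# RULES=$(sync_sigma_rules "${SIGMA_DIR:-$HOME/chainsaw/sigma}")
# echo "synced $(count_rules "$RULES/windows") Windows rules at revision $(cat "$(dirname "$RULES")/.sigma-revision")"
# chainsaw hunt ./evtx -s "$RULES/windows" --mapping ./mappings/sigma-event-logs-all.yml
```

Running the sync from a scheduled task and checking `count_rules` before each hunt gives examiners the regular updates the issue asks for without changing chainsaw, and the recorded revision answers the later question of which rule set a given hunt was run with.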