Incorrect Sigma detections since v1.1.0 #30

Closed
einarssonm opened this issue Oct 24, 2021 · 1 comment
Labels: bug (Something isn't working)

Comments

@einarssonm

Potential bug resulting in incorrect Sigma detections since Chainsaw v1.1.0.

When parsing a System.evtx file with Chainsaw v1.1.0 (from "chainsaw_x86_64-pc-windows-msvc.zip"), several Sigma rules are incorrectly triggered by every 7045 event. See example below:

(screenshot)

A similar test using Chainsaw v1.0.2 shows no false positives, see below:

(screenshot)

Finally, a test with Chainsaw v1.0.2 using the Sigma rule set bundled with v1.1.0. No false positives, see below:

(screenshot)

@fscc-jamesd (Contributor) commented Oct 24, 2021

@einarssonm - Thanks for raising this, good spot! I think I know why this is happening. In v1.1.0 I fixed an issue where event IDs were being converted to string values before comparison. Now that this issue is fixed I think the comparison is being done correctly, but this has potentially surfaced an issue with how chainsaw converts Sigma rules.

Looking at the raw Sigma logic for the rules in your screenshot, we can see they contain the logic block below, which I think is causing these false positives:

---
logsource:
  product: windows
  service: system
detection:
  selection:
    EventID: 7045
---

I've reverted the Event ID conversion changes and released v1.1.1 for the time being until I can write a proper fix. I'll close this issue for now, but please feel free to let me know if v1.1.1 hasn't fixed this issue in the interim.
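As an added illustration, not part of the issue thread and not Chainsaw's code: a minimal evaluator for a Sigma selection block, showing why a rule whose effective selection is reduced to EventID: 7045 fires on every 7045 event, and why the EventID comparison must tolerate the parser handing the value back as a string or as an integer. The events, rule fields and service names below are constructed sample data.

```python
# Added example (not Chainsaw's code): evaluate a Sigma "selection" against
# parsed event records. Sigma semantics: a selection map is an AND of its
# fields; a list value for a field is an OR of alternatives.
from typing import Any, Dict, List, Union


def field_matches(rule_value: Union[Any, List[Any]], event_value: Any) -> bool:
    candidates = rule_value if isinstance(rule_value, list) else [rule_value]
    for cand in candidates:
        if isinstance(cand, int) and not isinstance(cand, bool):
            # Numeric rule value: compare as integers, because an EVTX parser
            # may yield "7045" (string) for one record and 7045 (int) for another.
            try:
                if int(event_value) == cand:
                    return True
            except (TypeError, ValueError):
                continue
        elif str(cand).endswith("*"):
            # Trailing-wildcard (prefix) match, case-insensitive as in Sigma.
            if str(event_value).lower().startswith(str(cand)[:-1].lower()):
                return True
        elif str(cand).lower() == str(event_value).lower():
            return True
    return False


def selection_matches(selection: Dict[str, Any], event: Dict[str, Any]) -> bool:
    # Every field in the selection map must be present and match (AND).
    return all(
        field in event and field_matches(value, event[field])
        for field, value in selection.items()
    )


# Constructed sample System.evtx records (7045 = "A service was installed").
EVENTS = [
    {"EventID": "7045", "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"EventID": 7045, "ServiceName": "Windows Update Medic", "ImagePath": "C:\\Windows\\system32\\wumedic.exe"},
    {"EventID": 7036, "ServiceName": "PSEXESVC", "ImagePath": ""},
]

# Constructed rules: the full selection versus one degraded to EventID alone,
# which is the shape of the logic block quoted in the comment above.
FULL_SELECTION = {"EventID": 7045, "ServiceName": "PSEXESVC"}
EVENTID_ONLY_SELECTION = {"EventID": 7045}


def count_hits(selection: Dict[str, Any]) -> int:
    return sum(selection_matches(selection, e) for e in EVENTS)
```

Running count_hits on both selections shows the full rule matching one record while the EventID-only selection matches every 7045 record regardless of its other fields.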
