Update docs and rules

docs/_sidebar.md

@@ -8,7 +8,7 @@
 
 * Advanced use
     * [Working with large datasets](Advanced.md#working-with-large-datasets)
-    * [Keep data used by Zircolite](#keep-data-used-by-zircolite)
+    * [Keep data used by Zircolite](Advanced.md#keep-data-used-by-zircolite)
     * [Filtering](Advanced.md#filtering)
     * [Forwarding detected events](Advanced.md#forwarding-detected-events) 
     * [Templating and Formatting](Advanced.md#templating-and-formatting)

rules/rules_linux.json

@@ -2373,6 +2373,24 @@
         ],
         "filename": "proc_creation_lnx_susp_java_children.yml"
     },
+    {
+        "title": "Potential Linux Process Code Injection Via DD Utility",
+        "id": "4cad6c64-d6df-42d6-8dae-eb78defdc415",
+        "description": "Detects the injection of code by overwriting the memory map of a Linux process using the \"dd\" Linux command.",
+        "author": "Joseph Kamau",
+        "tags": [
+            "attack.defense_evasion",
+            "attack.t1055.009"
+        ],
+        "falsepositives": [
+            "Unknown"
+        ],
+        "level": "medium",
+        "rule": [
+            "SELECT * FROM logs WHERE (Image LIKE '%/dd' ESCAPE '\\' AND CommandLine LIKE '%of=%' ESCAPE '\\' AND CommandLine LIKE '%/proc/%' ESCAPE '\\' AND CommandLine LIKE '%/mem%' ESCAPE '\\')"
+        ],
+        "filename": "proc_creation_lnx_dd_process_injection.yml"
+    },
     {
         "title": "Decode Base64 Encoded Text",
         "id": "e2072cab-8c9a-459b-b63c-40ae79e27031",

tools/zircolite_server/requirements.txt

@@ -1,3 +1,2 @@
 flask>=1.1.2
 jinja2>=2.11.3
-werkzeug>=3.0.1 # not directly required, pinned by Snyk to avoid a vulnerability