
Rules folders not loading correctly #21

Closed
jimbowaba opened this issue Sep 24, 2021 · 3 comments
Labels: question (Further information is requested)

Comments
@jimbowaba

No matter what folder you specify it seems to load the default rules folder

@fscc-jamesd fscc-jamesd self-assigned this Sep 26, 2021
@fscc-jamesd
Contributor

Hi @jimbowaba

I'm not able to replicate this on my side. There is no "default" rules folder; the rules folder must always be specified via the "--rules" flag.

-> % ./chainsaw hunt ../../evtx_attack_samples/ --rules ../../sigma_rules --mapping ../../mapping_files/sigma-mapping.yml

[+] Found 268 EVTX files
[+] Converting detection rules...
[+] Loaded 979 detection rules (296 were not loaded)
[+] Printing results to screen
[+] Hunting: [==>-------------------------------------] 19/268 ⠋

As you can see with the above, 979 rules were loaded when pointing at the "../../sigma_rules" folder, but when I specify a different directory:

-> % ./chainsaw hunt ../../evtx_attack_samples/ --rules /tmp/sigma_rules/rules/windows/powershell --mapping ../../mapping_files/sigma-mapping.yml

[+] Found 268 EVTX files
[+] Converting detection rules...
[+] Loaded 54 detection rules (13 were not loaded)
[+] Printing results to screen
[+] Hunting: [============================>-----------] 188/268 ⠇

Only 54 detection rules are loaded, which to me would mean that chainsaw is using the specified path.

Could you please provide steps to reproduce your issue? Thanks.

@fscc-jamesd fscc-jamesd added the "invalid" (This doesn't seem right) and "question" (Further information is requested) labels and removed the "invalid" label on Sep 26, 2021
@jimbowaba
Author

Hi @fscc-jamesd, thanks for your speedy reply (and awesome tool). A few of us spent a while looking into this and realised that it was a misunderstanding on our part. We didn't realise that the rule output would show the built-in logic in every result; we assumed that specifying a ruleset would only show results specific to that ruleset. As we were choosing small rulesets that weren't hitting, it was only returning the built-in logic, thus confusing us. It would be useful if there was an option to turn this off to only output the specified rules.

Thanks for your help

@fscc-jamesd
Contributor

Hey @jimbowaba

Ah, I understand.

There's the option --no-builtin which should achieve what you want. This will disable all of the built-in detection logic and only use the rules specified by the --rules flag. 👍
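The confusion in this thread came from a hunt where few or none of the specified rules loaded, so every hit shown was built-in logic. The following POSIX shell helpers are an added example (not part of the Chainsaw project) for wrapping a hunt: a pre-flight check that the --rules directory actually contains Sigma YAML files, a parser for Chainsaw's "Loaded N detection rules" summary line, and a check that at least one specified rule loaded. Function names are hypothetical; the sample output is constructed from the lines quoted above.

```shell
#!/bin/sh
# Added example, not Chainsaw's own code: sanity checks around --rules / --no-builtin.

# Pre-flight: the rules directory must exist and hold at least one Sigma YAML file.
# Prints the number of rule files found; returns 1 otherwise.
check_rules_dir() {
    [ -d "$1" ] || { echo "rules dir not found: $1" >&2; return 1; }
    n=$(find "$1" -name '*.yml' -o -name '*.yaml' | wc -l | tr -d ' ')
    [ "$n" -gt 0 ] || { echo "no Sigma YAML files under $1" >&2; return 1; }
    echo "$n"
}

# Extract the counts from Chainsaw's summary line, e.g.
#   [+] Loaded 54 detection rules (13 were not loaded)
# Prints "LOADED SKIPPED" on one line (nothing if the line is absent).
parse_rule_counts() {
    printf '%s\n' "$1" | sed -n \
        's/^\[+\] Loaded \([0-9]*\) detection rules (\([0-9]*\) were not loaded).*/\1 \2/p'
}

# Succeeds only if at least one rule from the specified folder was loaded.
# A count of zero means every result would come from built-in logic unless
# --no-builtin was passed, which is exactly the situation described in this issue.
rules_loaded_ok() {
    set -- $(parse_rule_counts "$1")
    [ -n "$1" ] && [ "$1" -gt 0 ]
}

# Build the hunt command so only the operator's ruleset is used (hypothetical wrapper;
# evtx dir, rules dir and mapping file are whatever the caller passes in).
hunt_cmd() {
    printf '%s' "./chainsaw hunt $1 --rules $2 --mapping $3 --no-builtin"
}

# Constructed sample output, taken from the run quoted in the discussion above.
SAMPLE_OUTPUT='[+] Found 268 EVTX files
[+] Converting detection rules...
[+] Loaded 54 detection rules (13 were not loaded)
[+] Printing results to screen'
```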
