
Problems logging rules

Open rblader opened this issue 3 years ago • 2 comments

Borrowing from examples posted in https://github.com/microsoft/MSTIC-Sysmon/blob/main/linux/configs/main.xml, I've found rule names such as:

```xml
<Rule name="TechniqueID=T1070.006,TechniqueName=Indicator Removal on Host: Timestomp" ... >
  <Image condition="end with">touch</Image>
</Rule>
```

This gets truncated in syslog to: `<Data Name="RuleName">TechniqueID=T1070.006,TechniqueName=Indi</Data>`

To shorten the message I tried: `<Rule name="T1070.006, Timestomp" groupRelation="or">`

This gets ignored entirely. When included in the ProcessCreate section, processes associated with 'touch' are not logged at all.

Trial and error shows that including or omitting "TechniqueID=" and "TechniqueName=" affects how much the field is truncated, and omitting both field names appears to prevent logging entirely.

Is there any specific guidance on how Rule Names are parsed, limitations on length of the string, and formatting?

rblader avatar Jun 30 '22 19:06 rblader
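One way to catch this kind of truncation on the defender side, as an added example that is not part of this issue or of the SysmonForLinux project: pull the RuleName field out of each syslog line and compare it with the rule names in the loaded config. A logged value that is a proper prefix of a configured name rather than an exact match is a sign the name was cut off; a value matching no configured name at all is worth a look too. The config fragment, syslog lines, image paths and timestamps below are constructed for the example, and the `<Event>` layout is simplified relative to what Sysmon for Linux actually writes.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Set, Tuple

# Constructed Sysmon for Linux config fragment (illustrative, not the MSTIC config);
# the first rule name is the one quoted in the report above.
SYSMON_CONFIG = """<Sysmon>
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">
        <Rule name="TechniqueID=T1070.006,TechniqueName=Indicator Removal on Host: Timestomp" groupRelation="or">
          <Image condition="end with">touch</Image>
        </Rule>
        <Rule name="T1070.006, Timestomp" groupRelation="or">
          <Image condition="end with">rm</Image>
        </Rule>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
"""

# Constructed syslog lines with a simplified <Event> document after the syslog prefix.
# The first RuleName is the truncated value quoted in the report; everything else is made up.
SYSLOG_LINES = [
    'Jun 30 19:06:00 host sysmon: <Event><System><EventID>1</EventID></System>'
    '<EventData><Data Name="RuleName">TechniqueID=T1070.006,TechniqueName=Indi</Data>'
    '<Data Name="Image">/usr/bin/touch</Data></EventData></Event>',
    'Jun 30 19:06:01 host sysmon: <Event><System><EventID>1</EventID></System>'
    '<EventData><Data Name="RuleName">T1070.006, Timestomp</Data>'
    '<Data Name="Image">/usr/bin/rm</Data></EventData></Event>',
    'Jun 30 19:06:02 host sysmon: <Event><System><EventID>1</EventID></System>'
    '<EventData><Data Name="RuleName">Sysmon-Status</Data>'
    '<Data Name="Image">/usr/bin/id</Data></EventData></Event>',
    'Jun 30 19:06:03 host sshd[123]: Accepted publickey for rob from 10.0.0.5',
]

EVENT_RE = re.compile(r"<Event>.*</Event>")


def configured_rule_names(config_xml: str) -> Set[str]:
    """Collect every <Rule name="..."> value from a Sysmon config."""
    root = ET.fromstring(config_xml)
    return {rule.get("name") for rule in root.iter("Rule") if rule.get("name")}


def parse_event(line: str) -> Optional[ET.Element]:
    """Return the <Event> element embedded in a syslog line, or None for other lines."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    try:
        return ET.fromstring(m.group(0))
    except ET.ParseError:
        return None


def event_data(event: ET.Element, name: str) -> Optional[str]:
    """Look up one <Data Name="..."> field inside the event."""
    for data in event.iter("Data"):
        if data.get("Name") == name:
            return data.text or ""
    return None


def classify_rule_name(logged: str, configured: Set[str]) -> str:
    """exact: matches a configured name; truncated: proper prefix of a configured name;
    unknown: neither (for instance a name Sysmon generated itself)."""
    if logged in configured:
        return "exact"
    if any(name.startswith(logged) and len(name) > len(logged) for name in configured):
        return "truncated"
    return "unknown"


def audit(config_xml: str, lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (logged RuleName, classification, Image) for every Sysmon event found."""
    configured = configured_rule_names(config_xml)
    results = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        rule = event_data(event, "RuleName")
        if rule is None:
            continue
        results.append((rule, classify_rule_name(rule, configured), event_data(event, "Image") or ""))
    return results


if __name__ == "__main__":
    for rule, status, image in audit(SYSMON_CONFIG, SYSLOG_LINES):
        print(f"{status:9s} {image:16s} RuleName={rule!r}")
```

Run against a real host you would feed `audit()` the deployed config file and the relevant journal or syslog lines; any `truncated` result means the RuleName you will see in a SIEM differs from the one you wrote, so correlation rules keyed on the full name will silently miss.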

Thanks for reporting this - we will investigate.

MarioHewardt avatar Jul 01 '22 23:07 MarioHewardt

Thank you! If I can help with testing updates, please feel free to let me know.

-Rob Blader


rblader avatar Jul 03 '22 23:07 rblader

There was an issue with the rule names which I just fixed. If you want to give it a try and let me know that would be great. For now you will have to build since we haven't published a new package yet.

MarioHewardt avatar Mar 15 '23 23:03 MarioHewardt

Closing since you were able to verify it now works.

MarioHewardt avatar Mar 20 '23 19:03 MarioHewardt

Got it, thanks

Rob Blader


rblader avatar Mar 20 '23 20:03 rblader