Replies: 3 comments 6 replies
-
HI,
So If I don't have laurel (will be the case) I take only the "auditd_old" rule.
I agree since I spent my time completing the rules . |
Beta Was this translation helpful? Give feedback.
-
Currently |
Beta Was this translation helpful? Give feedback.
-
Closing this as outdated. |
Beta Was this translation helpful? Give feedback.
-
Since Laurel now supports the concatenation of all parameters to a full command line, I'd like to make all new(!) Linux rules that trigger on command line values use the
CommandLine
field as if it existed.This will get more attention and support as soon as Sysmon for Linux is out.
Laurel change
https://twitter.com/cyb3rops/status/1442030203320995846
Rules with ugly "a0", "a1" values used in native auditd logs
https://github.com/SigmaHQ/sigma/search?q=a0
Writing rules for the original auditd is just a pain in the neck.
We'd have to add these requirements in the description as we do it now in some cases in which special Sysmon EventIDs or PowerShell ScriptBlock logging has to be enabled to make that rule work.
Beta Was this translation helpful? Give feedback.
All reactions