-
|
Is there any format or template for the linux profiles(other than service mentioned profiles) ? Or any references of the site to look up.... |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments 6 replies
-
|
Can you elaborate on what you mean by linux profiles? |
Beta Was this translation helpful? Give feedback.
-
|
I meant the sigma rules like "rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml". Other sigma rules like "rules/linux/auditd/lnx_auditd_audio_capture.yml" have services mentioned in the logsource, I can find the log formats for auditd, auth,... services . But i didnt get any formats for process_creation, network_connections, file_events(category in logsources),... Or is there any other way to check the log formats of these categories...? |
Beta Was this translation helpful? Give feedback.
-
|
Ah you're talking about the logsource field. Basically you can check the taxonomy file which contains all the currently supported logsources https://github.com/SigmaHQ/sigma-specification/blob/main/Taxonomy_specification.md The difference between category, service and product can be found here https://github.com/SigmaHQ/sigma-specification/blob/main/Sigma_specification.md#log-source Basically the the builtin folder contains rules that are from logs that are generated by builtin services. The other such as "process_creation" / "file_event" / "network_connection" are generic mappings based on Sysmon for linux or any similar EDR like tool that can generate those events. Hope this clear things up for you. |
Beta Was this translation helpful? Give feedback.
-
|
oh! thanks for the clearance... thill will help me. But why sysmon isn't mentioned in logsource |
Beta Was this translation helpful? Give feedback.
-
|
Sysmon doesn't need to be mentioned as its a special case. Unless you're writing rules specifically for it then you select the "service: sysmon". But in general the category includes a much wider range of services. You could map "process_creation" to Sysmon logs, Linux EDR logs...etc. |
Beta Was this translation helpful? Give feedback.
-
|
yeah.. thanks man 👍 |
Beta Was this translation helpful? Give feedback.
-
|
I got another thing to discuss... "rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml" this rules contains both 'cwd' and other fields under selection identifier, which are from separate log line I think. shouldn't this be written like correlated events with separate identifiers. |
Beta Was this translation helpful? Give feedback.
-
|
Yes. In its current form it wouldn't work except if someone actually correlated the log. It needs a fix and a disclaimer (that it'll get). |
Beta Was this translation helpful? Give feedback.
Ah you're talking about the logsource field. Basically you can check the taxonomy file which contains all the currently supported logsources https://github.com/SigmaHQ/sigma-specification/blob/main/Taxonomy_specification.md
The difference between category, service and product can be found here https://github.com/SigmaHQ/sigma-specification/blob/main/Sigma_specification.md#log-source
Basically the the builtin folder contains rules that are from logs that are generated by builtin services. The other such as "process_creation" / "file_event" / "network_connection" are generic mappings based on Sysmon for linux or any similar EDR like tool that can generate those events.
Hope this clear thing…