Champ Clark
What type of data are you trying to inject? I'll have to ponder this more to determine if it's worth the time. That is, is the dev time better here...
This does need to be documented. This is pretty new. I'm going to try and work on documentation on the flight home. Leaving this open to remind me!
I have a long flight coming up. I'll make sure I read more about Kafka as I've never used it before.
Hello, Thank you for the bug report. It appears (?) that you are attempting to use flowbits and read in a file. "[*] EOF reached. Waiting for threads to catch...
I can certainly see it being an issue via FIFO. If the log is sent to Sagan within a very short amount of time, a race condition occurs. We might...
We might look into this in 1.1.2, but could also be further out. Need to investigate what it would take to make flowbits "atomic"ish.
Just a quick update. We have Sagan time resolution at the 1000th of a second. We still need to do some more work to get this into xbits (formerly known...
Let me look closer... I need to compare the two rules. I don't really see what you did. I'll get back with you in the AM. From: "msnriggs" To:...
We ended up going with this after some experimentation... (note the "OriginalFileName":"Cmd.Exe") alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] SYSMON Possible CMD detected"; content: " 1|3a| "; pcre: "/CommandLine:...
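The rule above relies on two Snort/Sagan matching primitives: a content match, where |3a| is the hex escape for ':' so " 1|3a| " anchors on Sysmon Event ID 1 (Process Create) in the syslog text, and a pcre that inspects the event fields. The following is an added illustration, not Sagan's code and not the poster's full rule (the pcre in the thread is cut off, so the OriginalFileName regex used here is an assumed stand-in). It expands the hex escapes, applies both checks to a few constructed Sysmon-style log lines, and shows why matching on OriginalFileName (taken from the PE version resource) still catches a renamed cmd.exe:

```python
import re

# Constructed Sysmon-style syslog lines for illustration; not real captures.
SAMPLE_LOGS = [
    "Microsoft-Windows-Sysmon/Operational: 1: Process Create: Image: C:\\Windows\\System32\\cmd.exe "
    "CommandLine: cmd.exe /c whoami OriginalFileName: Cmd.Exe",
    "Microsoft-Windows-Sysmon/Operational: 1: Process Create: Image: C:\\Windows\\System32\\notepad.exe "
    "CommandLine: notepad.exe OriginalFileName: NOTEPAD.EXE",
    "Microsoft-Windows-Sysmon/Operational: 3: Network connection detected: Image: C:\\Windows\\System32\\cmd.exe "
    "OriginalFileName: Cmd.Exe",
    # Renamed binary: the Image name is disguised but the PE metadata still says Cmd.Exe.
    "Microsoft-Windows-Sysmon/Operational: 1: Process Create: Image: C:\\Temp\\totally-not-cmd.exe "
    "CommandLine: totally-not-cmd.exe /c dir OriginalFileName: Cmd.Exe",
]

# Rule options in the shape used by the thread's rule. The pcre is an assumption
# standing in for the truncated original; only the msg and content come from the post.
RULE = {
    "msg": "[WINDOWS-SYSMON] SYSMON Possible CMD detected",
    "content": " 1|3a| ",
    "pcre": r"/OriginalFileName:\s*Cmd\.Exe/i",
}


def expand_content(content: str) -> bytes:
    """Expand Snort/Sagan-style |..| hex escapes in a content string into raw bytes.

    "|3a|" becomes b":"; hex inside the bars may be space separated ("|de ad|").
    """
    out = bytearray()
    i = 0
    while i < len(content):
        if content[i] == "|":
            close = content.index("|", i + 1)  # ValueError on unbalanced bars
            out += bytes.fromhex(content[i + 1:close].replace(" ", ""))
            i = close + 1
        else:
            out += content[i].encode("utf-8")
            i += 1
    return bytes(out)


def compile_pcre(spec: str) -> re.Pattern:
    """Compile a "/pattern/flags" pcre option; only the 'i' flag is handled here."""
    if not spec.startswith("/"):
        raise ValueError("pcre option must start with '/'")
    end = spec.rindex("/")
    pattern, flags = spec[1:end], spec[end + 1:]
    return re.compile(pattern, re.IGNORECASE if "i" in flags else 0)


def match_rule(rule: dict, line: str) -> bool:
    """Apply the content check first (cheap byte search), then the pcre, as a Sagan rule would."""
    needle = expand_content(rule["content"])
    if needle not in line.encode("utf-8", "surrogateescape"):
        return False
    return compile_pcre(rule["pcre"]).search(line) is not None


def detect(lines: list, rule: dict) -> list:
    """Return the indices of the log lines that fire the rule."""
    return [i for i, line in enumerate(lines) if match_rule(rule, line)]


if __name__ == "__main__":
    for idx in detect(SAMPLE_LOGS, RULE):
        print(f"{RULE['msg']}: line {idx}")
```

The Event ID 3 line is rejected by the content check before the regex runs, and the notepad line passes the content check but fails the pcre; the renamed-binary line still fires because OriginalFileName comes from the executable's version resource rather than its on-disk name.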
btw: When I switch back to 1.0.5, everything works as normal.