sagan-rules issues

Remove unnecessary space in normalization.rulebase

Reported by lognormalizer app: ``` # lognormalizer -r /usr/local/etc/sagan-rules/normalization.rulebase liblognorm error: rulebase file /usr/local/etc/sagan-rules/normalization.rulebase[155]: invalid record type detected: 'rule ' ```

litew

SYSMON CMD detection rule detecting Windows Defender execution on MpCmdRun.exe

3

https://github.com/beave/sagan-rules/blob/6f87a80f7a1662e6fd90bc75f891c1c0637c6e7e/windows-sysmon.rules#L86 Seems to detect 1: Process Create: RuleName: UtcTime: 2019-01-08 03:18:51.728 ProcessGuid: {872FCC10-169B-5C34-0000-001066122B00} ProcessId: 6716 Image: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1812.3-0\MpCmdRun.exe FileVersion: 4.18.1812.3 (GitEnlistment(winpbld).181121-1313) Description: Microsoft Malware Protection Command Line Utility Product: Microsoft?...

msnriggs

sid:5002819 generates lots of false positives for .enc file extension

alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] TrueCrypter Rakhni or .CryptoHasYou. - Trojan:Win32/Dynamer!ac ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content:!"\encoding\"; nocase; meta_content: ".%sagan% ",enc,cryptohasyou;...

srawls1740