8fe7a4312d
WithSecure Labs' chainsaw — fast Sigma-based EVTX hunter, complementary
to hayabusa/zircolite (different rule engine + format).

- ubuntu:24.04 base, multi-stage (fetcher + runtime).
- Pulls latest chainsaw release tarball from GitHub at build time
  (greps the API JSON because release notes contain control chars
  that break jq).
- Clones SigmaHQ rules at build (chainsaw v2 dropped bundled rules).
- start.sh: chainsaw hunt /data --csv --output (CSV is mutually
  exclusive with --json/--jsonl in v2.x; pick CSV for grep-ability).
- Output: /output/chainsaw_<ts>/{csv/, hunt.txt}.
- test_smoke.sh: fetch Yamato sample-evtx, scan, count detections.
- fetch-test-data.sh + .gitignore.

Validated end-to-end on amd64 Linux: 6/6 PASS, 3970 detections on
DeepBlueCLI subset.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
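Two of the steps the commit message describes in prose are easy to get subtly wrong: extracting the release tarball URL from GitHub's release API JSON without jq, and turning a chainsaw CSV output directory into a single detection count for a smoke test. The script below is an added example, not code from this repository or from WithSecure Labs' chainsaw. The JSON it parses is a constructed stand-in for the `releases/latest` API response (with a literal control byte in the `body` field, the kind of content that makes jq refuse the document), the `example.invalid` URLs and asset file names are assumptions about chainsaw's release naming, and the CSV columns are illustrative rather than chainsaw's exact schema.

```shell
#!/bin/sh
# Added example, not part of the chainsaw image repo this commit belongs to.
# 1. pick_asset_url: choose a release asset URL from GitHub release JSON with
#    grep, line by line, so control characters elsewhere in the document
#    cannot break parsing the way they break jq.
# 2. count_detections: sum data rows across every per-rule CSV that
#    `chainsaw hunt ... --csv --output DIR` writes, ignoring hunt.txt.
# Asset names, URLs and CSV columns below are constructed assumptions.
set -eu

# Print the first browser_download_url in the JSON on stdin whose URL
# contains the fixed string given as $1. Only the URL fields are ever
# inspected, so a raw 0x01 in "body" never reaches the match.
pick_asset_url() {
  grep -o '"browser_download_url": *"[^"]*"' \
    | grep -o 'https://[^"]*' \
    | grep -F -- "$1" \
    | head -n 1
}

# Constructed stand-in for the GitHub release API response. The \001 in the
# body is the sort of unescaped control character jq rejects in strings.
sample_release_json() {
  printf '{\n  "tag_name": "v0.0.0-example",\n  "body": "release notes\001with a control char",\n  "assets": [\n    {"name": "chainsaw_all_platforms+rules+examples.zip",\n     "browser_download_url": "https://example.invalid/chainsaw_all_platforms+rules+examples.zip"},\n    {"name": "chainsaw_x86_64-unknown-linux-gnu.tar.gz",\n     "browser_download_url": "https://example.invalid/chainsaw_x86_64-unknown-linux-gnu.tar.gz"}\n  ]\n}\n'
}

# Count data rows (each file's header line excluded) in all *.csv files
# under $1. awk FNR resets per file, so the header of every file is skipped;
# the second awk sums in case find splits the file list across several awks.
count_detections() {
  find "$1" -type f -name '*.csv' -exec awk 'FNR > 1 { c++ } END { print c + 0 }' {} + \
    | awk '{ s += $1 } END { print s + 0 }'
}

# Build a constructed output tree shaped like /output/chainsaw_<ts>/{csv/, hunt.txt}.
# Rows and columns are illustrative, not chainsaw's real schema.
make_sample_output() {
  out=$(mktemp -d)
  mkdir -p "$out/csv"
  printf 'timestamp,detections,Event ID,Computer\n2024-01-01T00:00:00Z,Rule A,4624,HOST1\n2024-01-01T00:00:01Z,Rule B,4688,HOST1\n' > "$out/csv/sigma.csv"
  printf 'timestamp,detections,Event ID,Computer\n2024-01-01T00:00:02Z,Rule C,1102,HOST2\n' > "$out/csv/builtin.csv"
  printf 'hunt summary, not a CSV\n' > "$out/hunt.txt"
  echo "$out"
}

# Stand-alone demo.
url=$(sample_release_json | pick_asset_url 'x86_64-unknown-linux-gnu.tar.gz')
echo "tarball: $url"
out=$(make_sample_output)
echo "detections: $(count_detections "$out")"
rm -rf "$out"
```

In a real build the JSON comes from `curl -sS https://api.github.com/repos/WithSecureLabs/chainsaw/releases/latest` piped into `pick_asset_url`. Note that fetching "latest" unpinned means two builds of the same Dockerfile can contain different chainsaw binaries; for a reproducible image, pin the release tag and compare the downloaded tarball's sha256 against a digest recorded in the repository before unpacking it.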
9 lines
273 B
Bash
Executable File
#!/bin/bash
# Pull the upstream EVTX sample bundle.
set -e
cd "$(dirname "$0")"
mkdir -p test-data
# Idempotent: skip the clone when a previous run already fetched the bundle.
[ -d test-data/sample-evtx ] || \
  git clone --depth=1 https://github.com/Yamato-Security/hayabusa-sample-evtx.git test-data/sample-evtx
echo "ready: test-data/sample-evtx"