tabledevil
7188d7b6bc
- Pin both stages to alpine:3.23 (was floating 'alpine'). - Multi-stage: separate runtime image without rust+cargo+sdk, just python3. - venv for Python deps (PEP 668 on modern Alpine blocks system pip). - start.sh: -c <fieldMappings.yaml> (was .json — upstream renamed), drop -t which now means --template (Jinja2) not tmpdir. - test_smoke.sh: fetch Yamato sample-evtx on demand, scan, verify JSON + log produced, count Sigma rule hits. - fetch-test-data.sh + .gitignore for test-data/. Validated end-to-end on amd64 Linux: 5/5 PASS, 39 hits, Zircolite v3.6.3 with 2160 rules. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
10 lines
384 B
Bash
Executable File
10 lines
384 B
Bash
Executable File
#!/bin/bash
|
|
# Pull the upstream EVTX sample bundle (Yamato Security's curated bundle of
|
|
# DeepBlueCLI, EVTX-ATTACK-SAMPLES, EVTX-to-MITRE-Attack, plus their own).
|
|
set -e
|
|
cd "$(dirname "$0")"
|
|
mkdir -p test-data
|
|
[ -d test-data/sample-evtx ] || \
|
|
git clone --depth=1 https://github.com/Yamato-Security/hayabusa-sample-evtx.git test-data/sample-evtx
|
|
echo "ready: test-data/sample-evtx"
|