Gene

Signature engine for all your logs

v1.6.4

3 years ago

Implements filter rules. A filter rule selects wanted events without assigning any criticality to them; it is useful for keeping events that carry contextual information next to the actual detections.

v1.6.3

3 years ago

Fixes:

  • Upgraded the golang-evtx dependency; dirty EVTX files (files whose header dirty flag is set because they were not cleanly closed) should now be handled properly

v1.6.1

4 years ago
  • Bug fix in condition parsing
  • Better test cases for conditions (more than 2000 random conditions generated)

v1.6.0

4 years ago
  • Indirect match support: a field can now be compared against another field of the same event
  • Containers are now case-insensitive
  • New -test command-line switch that makes unit testing of Gene rules easy

Documentation: https://rawsec.lu/doc/gene/1.6/
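
As an added illustration in Go (not code from the Gene project), the program below models the two rule features introduced in v1.6.0 and v1.6.4: an indirect match that compares one field of an event against another field of the same event, and a filter rule that selects events without assigning a criticality. It assumes a flattened event map, AND-only conditions (Gene's condition expressions are not reimplemented), Sysmon CreateRemoteThread field names, and hypothetical rule names over constructed sample events.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is a flattened event: field name -> string value (a simplification).
type Event map[string]string

// FieldMatch compares one field against a literal or, when Indirect is
// set, against another field of the same event (indirect match).
type FieldMatch struct {
	Field    string
	Negate   bool   // true means "!="
	Value    string // literal, or the other field's name when Indirect
	Indirect bool
}

// Eval treats a missing field (or missing referenced field) as no match,
// so absent data can never satisfy a negated comparison by accident.
func (m FieldMatch) Eval(ev Event) bool {
	lhs, ok := ev[m.Field]
	if !ok {
		return false
	}
	rhs := m.Value
	if m.Indirect {
		if rhs, ok = ev[m.Value]; !ok {
			return false
		}
	}
	return (lhs == rhs) != m.Negate
}

// Rule requires all Matches to hold (AND); Gene's "$a and not $b"
// condition language is deliberately not reimplemented here.
type Rule struct {
	Name        string
	Matches     []FieldMatch
	Criticality int  // ignored when Filter is set
	Filter      bool // filter rule: select the event, assign no criticality
}

func (r Rule) Match(ev Event) bool {
	for _, m := range r.Matches {
		if !m.Eval(ev) {
			return false
		}
	}
	return true
}

// Detection is what the engine attaches to a selected event.
type Detection struct {
	Rules       []string
	Criticality int // highest criticality among matching non-filter rules
}

// Apply reports the event when at least one rule matched, even if only
// filter rules did; the criticality then stays at 0.
func Apply(rules []Rule, ev Event) (Detection, bool) {
	var d Detection
	for _, r := range rules {
		if !r.Match(ev) {
			continue
		}
		d.Rules = append(d.Rules, r.Name)
		if !r.Filter && r.Criticality > d.Criticality {
			d.Criticality = r.Criticality
		}
	}
	return d, len(d.Rules) > 0
}

// Hypothetical rules over Sysmon CreateRemoteThread (EventID 8) events.
var SampleRules = []Rule{
	{ // filter rule: keep every CreateRemoteThread event as context
		Name:    "FilterRemoteThread",
		Filter:  true,
		Matches: []FieldMatch{{Field: "EventID", Value: "8"}},
	},
	{ // indirect match: the thread lands in a different process
		Name:        "CrossProcessThread",
		Criticality: 7,
		Matches: []FieldMatch{
			{Field: "EventID", Value: "8"},
			{Field: "SourceProcessGuid", Value: "TargetProcessGuid", Negate: true, Indirect: true},
		},
	},
}

// Constructed sample events, not real telemetry.
var (
	SelfThread = Event{"EventID": "8", "SourceProcessGuid": "{A}", "TargetProcessGuid": "{A}"}
	Injection  = Event{"EventID": "8", "SourceProcessGuid": "{A}", "TargetProcessGuid": "{B}"}
	ProcCreate = Event{"EventID": "1", "Image": `C:\Windows\System32\cmd.exe`}
)

func main() {
	for _, ev := range []Event{SelfThread, Injection, ProcCreate} {
		if d, ok := Apply(SampleRules, ev); ok {
			fmt.Printf("EventID=%s rules=%s criticality=%d\n",
				ev["EventID"], strings.Join(d.Rules, ","), d.Criticality)
		}
	}
}
```

The self-thread event is reported with the filter rule only and criticality 0, the cross-process event with both rules and criticality 7, and the process-creation event not at all.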

v1.5.0

4 years ago
  • Support for the MITRE ATT&CK framework
  • Small changes in the reducer feature

v1.4.3

5 years ago

Support for Go 1.12 modules

v1.4.2

5 years ago

v1.4.1

5 years ago
  • Bug fix in condition matching
  • Reducer metrics changed
  • New operators >= and <= implemented for field matches

v1.4

5 years ago
  • Introduction of regular expression templates, so that a regexp needed in several rules is written once and reused instead of being copied into each rule
  • FieldMatch now supports new comparison operators
    • < > : for integer fields
    • &= : flag verification on hexadecimal values (bit-mask test)
  • New command-line switches / features
    • -dump : dumps the rules to the terminal after the templates have been applied (useful for debugging)
    • -reduce : extracts statistics from already processed events (used to post-process Gene results)
  • Bug fix in condition evaluation (in a very specific case)
  • Test cases added and validated for all the new features and the bug fix

v1.3

6 years ago

Changelog

  • Implementation of container match: extraction of parts of Windows events to check their presence in a container. This feature was motivated by the lack of an efficient means to match specific parts of some events (IPs, hashes, domains ...) against blacklists/whitelists
  • Some code refactoring
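
Added example in Go, not the project's code, for the container match described in this entry and for the case-insensitive containers of v1.6.0: a digest is extracted from Sysmon's Hashes field and a destination IP from a network event, and each is looked up in a container loaded from plain text. The container contents are constructed (the SHA256 of the empty file and an IP from the TEST-NET-2 documentation range), and the Hashes field layout assumed is Sysmon's "MD5=...,SHA256=...,IMPHASH=...".

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Event is a flattened event: field name -> string value (a simplification).
type Event map[string]string

// Container is a case-insensitive set of indicators (IPs, hashes, domains).
// Entries are lower-cased at load time and lookups are lower-cased too, so
// the upper-case digests Sysmon emits still hit a lower-case blacklist.
type Container map[string]struct{}

// LoadContainer reads one value per line, skipping blanks and '#' comments.
func LoadContainer(text string) Container {
	c := Container{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		c[strings.ToLower(line)] = struct{}{}
	}
	return c
}

func (c Container) Contains(v string) bool {
	_, ok := c[strings.ToLower(strings.TrimSpace(v))]
	return ok
}

// ParseHashes splits Sysmon's Hashes field ("MD5=...,SHA256=...,IMPHASH=...")
// into algorithm -> digest, with upper-case algorithm names.
func ParseHashes(field string) map[string]string {
	out := map[string]string{}
	for _, kv := range strings.Split(field, ",") {
		parts := strings.SplitN(kv, "=", 2)
		if len(parts) == 2 {
			out[strings.ToUpper(strings.TrimSpace(parts[0]))] = strings.TrimSpace(parts[1])
		}
	}
	return out
}

// ContainerMatch extracts a value from Field (for a Hashes-style field, the
// digest of algorithm Algo) and tests its presence in the named container.
type ContainerMatch struct {
	Field     string
	Algo      string // "" for plain fields such as DestinationIp
	Container string
}

// Eval returns false when the field, the digest or the container is missing,
// so a mistyped container name matches nothing rather than everything.
func (m ContainerMatch) Eval(ev Event, containers map[string]Container) bool {
	raw, ok := ev[m.Field]
	if !ok {
		return false
	}
	c, ok := containers[m.Container]
	if !ok {
		return false
	}
	if m.Algo != "" {
		if raw, ok = ParseHashes(raw)[strings.ToUpper(m.Algo)]; !ok {
			return false
		}
	}
	return c.Contains(raw)
}

// Constructed containers: the SHA256 is that of the empty file and the IP is
// from the TEST-NET-2 documentation range; neither is a real indicator.
var SampleContainers = map[string]Container{
	"bad_hashes": LoadContainer(`
# sha256 digests, lower case
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
`),
	"bad_ips": LoadContainer("198.51.100.23\n"),
}

// Constructed events; Sysmon writes digests in upper case.
var (
	ProcCreate = Event{"EventID": "1", "Image": `C:\Users\u\tool.exe`,
		"Hashes": "MD5=D41D8CD98F00B204E9800998ECF8427E," +
			"SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"}
	NetConnect = Event{"EventID": "3", "DestinationIp": "198.51.100.23", "DestinationPort": "443"}
)

func main() {
	hash := ContainerMatch{Field: "Hashes", Algo: "sha256", Container: "bad_hashes"}
	ip := ContainerMatch{Field: "DestinationIp", Container: "bad_ips"}
	fmt.Println("known-bad hash:", hash.Eval(ProcCreate, SampleContainers))
	fmt.Println("known-bad ip:", ip.Eval(NetConnect, SampleContainers))
}
```

The same match negated in a rule's condition turns a blacklist into a whitelist (alert when the value is not in the container); normalising case at load time rather than per lookup keeps the membership test a single map access, which is what makes containers cheap compared to one regexp per indicator.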