Releases: 0xrawsec/gene

Gene v1.6.4

06 Nov 08:34

Implements filter rules. A filter rule selects wanted events without assigning any criticality to them; it can be used to surface events that bring contextual information alongside alerts.

Gene v1.6.3

10 Jul 07:53

Fixes:

  • Upgraded the golang-evtx dependency; dirty EVTX files should now be handled properly

Gene v1.6.1

13 Aug 18:59
  • Bug fix in condition parsing
  • Better test cases for conditions (more than 2000 random conditions generated)

Gene v1.6.0

01 Aug 20:06
  • Indirect Match Support (we can now compare two fields of the same event)
  • Containers are now case insensitive
  • New -test command line switch to create easy Gene unit testing

Documentation: https://rawsec.lu/doc/gene/1.6/

Gene v1.5.0

04 Jun 20:25
  • Support for Mitre ATT&CK framework
  • Small changes in the reducer feature

Gene v1.4.3

21 Mar 22:12

Support for go1.12 modules

Gene v1.4.2

20 Mar 21:07

Updated to be compliant with the golang-utils submatch.go changes

Gene Version 1.4.1

11 Feb 21:48
  • Bug fix in condition matching
  • Reducer metrics changed
  • New operators implemented for Field Match: >= and <=

Gene Version 1.4

19 May 20:46
  • Introduction of regular expression templates, to avoid rewriting the same regexp in different rules
  • FieldMatch now supports new comparison operators
    • < > : for integer fields
    • &= : in order to do flag verifications on hexadecimal values
  • New command line switches / features
    • -dump : dumps the rule in the terminal after applying the templates (useful for debugging)
    • -reduce : extract some statistics from already processed events (used to post-process Gene results)
  • Bug fix in condition evaluation (in a very specific case)
  • Test cases added and validated for all the new features and the bug fix

Gene Version 1.3

27 Mar 21:09

Changelog

  • Implementation of container match: extraction of parts of Windows events to check their presence in a container. This feature was motivated by the lack of an efficient means to match specific parts of some events (IPs, hashes, domains ...) against black/whitelists
  • Some code refactoring