Clean up caldera's old collector logic #2331

Open
RomuDeuxfois opened this issue Jan 30, 2025 · 2 comments
Labels: feature, technical improvement

Comments

@RomuDeuxfois (Member) commented Jan 30, 2025

Description

For the OpenBAS implant we create just one signature: EXPECTATION_SIGNATURE_TYPE_PARENT_PROCESS_NAME.
And for the Caldera implant we create multiple signatures depending on the payload type (command line, drop file, etc.).

This leads us to maintain multiple detection strategies on the collectors' side.
By aligning our methods, we can drastically simplify the code of our collectors and help the community develop new collectors.

Should be done after this one -> #2339

@RomuDeuxfois added the labels "bug" and "needs triage" on Jan 30, 2025

@EllynBsc (Member) commented Jan 30, 2025

Hi @RomuDeuxfois 👋

I believe we can split this issue into 2 issues:

  • the first part is more of a technical improvement:

"For the OpenBAS implant we create just one signature: EXPECTATION_SIGNATURE_TYPE_PARENT_PROCESS_NAME.
And for the Caldera implant we create multiple signatures depending on the payload type (command line, drop file, etc.).

This leads us to maintain two ways of doing things on the Java side and to have multiple detection strategies on the collectors' side.
By aligning our methods, we can also drastically simplify the code of our collectors and help the community develop new collectors."

  • the second part is a bug:

"Also, I guess we currently have detection issues with a Caldera implant and the Crowdstrike collector." Can you be more precise?

WDYT?

@EllynBsc added the labels "technical improvement" and "needs more info" and removed "needs triage" on Jan 30, 2025

@RomuDeuxfois (Member, Author) commented Jan 31, 2025

Ok for me @EllynBsc.

For the bug, I created this new issue -> #2339

@RomuDeuxfois removed the label "bug" on Jan 31, 2025
@EllynBsc added the label "feature" and removed "needs more info" on Jan 31, 2025
@EllynBsc modified the milestone: Bugs backlog, Jan 31, 2025
@jborozco changed the title from "Align Caldera Implant signature strategy on OpenBAS implant" to "Clean up caldera's old collector logic" on Jan 31, 2025