Skip to content

decay: 01-recon — codebase + lab recon (read-only)#51

Open
jayelbotvibe-web wants to merge 2 commits into
mainfrom
decay/01-recon
Open

decay: 01-recon — codebase + lab recon (read-only)#51
jayelbotvibe-web wants to merge 2 commits into
mainfrom
decay/01-recon

Conversation

@jayelbotvibe-web

Copy link
Copy Markdown
Owner

01-recon-codebase

Read-only audit of the purple-loop codebase for reuse potential.

Key findings

  • Wazuh collector: internal/collector/wazuh.go — uses docker exec grep against archives.json, NOT REST API. Hardcoded field paths.
  • Sigma evaluator: internal/evaluator/ — parses detection: blocks (skips logsource:). Normalizer hardcodes field paths for Sysmon/auditd/full_log.
  • Rule loader: Hardcoded techniqueRuleMap in cmd/purpleloop/main.go:28 — not a directory scanner. One-rule-at-a-time via RuleParser.Parse().
  • All three: under internal/ — not importable by another module. All need refactoring for reuse.
  • Lab: logall_json is OFF. Victim uses Wazuh agent inside container + auditd. Windows/Sysmon rule at detections/windows/win_proc_create.yml uses Image|endswith.

No code modified — read-only.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant