DaveMcCormack-3832 asked:

Sysmon 13.20 breaks filtering that worked in 13.10 causing huge surge in event volume

In Sysmon 13.10, the attached Sysmon config filters ImageLoaded events so that KnownDlls are not reported. With Sysmon 13.20, all these events are appearing in the trace.

Attachment: 100032-temp.xml (4.1 KiB)

1 Answer

dstaulcu answered:

Looks like you may have encountered a new limit in the length of a configuration value as part of your ImageLoaded "is any" conditions.

When I merged your config and then inspected the output of sysmon -c, the values were truncated to 'C:\Win'.

I did some boundary testing and it looks like truncation starts with the 128th character.

It's possible this is a display limit and not an actual configuration limit. If not limited to display, this would explain the increase in logging due to your exclude-based configuration strategy.

Update:

You could likely work within limits by employing the "contains any" filter condition instead of "is any". If you still want to differentiate between 32 bit and 64 bit you could add an additional ImageLoaded "begin with" condition for each rule group. With this situation in mind it would be cool if there was an "images" filter condition.


DaveMcCormack-3832 commented:

Thanks. My preference for "is any" over "contains any" is based on performance considerations, but perhaps that is a micro-optimisation I can live without.

I imagine I won't be the only person to be affected by this. It's quite a nasty defect because it's not immediately obvious that anything is wrong. It was only when I noticed a huge increase in my event volumes that I got suspicious.

dstaulcu commented:

Good idea!
I imagine you are indeed not the only one affected.
That said, looks like the longest length of a value in popular and public Swift and Olaf configs is 121 chars.

DaveMcCormack-3832 commented:

I reworked the ImageLoad filter as shown in the attached. This gets around the apparent defect in 13.20.

In case anyone is wondering, my actual Sysmon configuration file is a lot more complicated than shown here. I've stripped out stuff relating to other event types and also stuff relating to filtering out our own products.

Attachment: 100334-temp.xml (7.7 KiB)


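As an added check, not code from the thread or from Sysinternals: the answer reports that Sysmon 13.20 truncates a configuration value starting at the 128th character, so an exclude filter whose value is longer than 127 characters silently stops matching and the events it was meant to suppress flood in. The script below walks a Sysmon config and reports every filter value over that limit; the 127-character limit is an assumption taken from the answer, and the embedded config is constructed for illustration, not the attached temp.xml.

```python
import xml.etree.ElementTree as ET

# Assumed from the answer: truncation begins at the 128th character, so any
# filter value longer than 127 characters no longer matches what was intended.
MAX_VALUE_LEN = 127

SYSTEM32 = "C:\\Windows\\System32\\"
KNOWN_DLLS = [SYSTEM32 + n for n in
              ("kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll", "gdi32.dll")]

# Constructed sample config (not the thread's attachment): one exclude filter
# written the long "is any" way and one written the shorter "contains any" way.
SAMPLE_CONFIG = """<Sysmon schemaversion="4.50">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ImageLoad onmatch="exclude">
        <ImageLoaded condition="is any">{long}</ImageLoaded>
        <ImageLoaded condition="contains any">{short}</ImageLoaded>
      </ImageLoad>
    </RuleGroup>
  </EventFiltering>
</Sysmon>""".format(long=";".join(KNOWN_DLLS),
                    short=";".join("\\" + n for n in ("kernel32.dll", "ntdll.dll")))


def _filters(event):
    """Yield the filter elements of an event element, descending into <Rule>."""
    for child in event:
        if child.tag == "Rule":   # compound rule: filters sit one level down
            yield from child
        else:
            yield child


def find_long_values(config_xml, limit=MAX_VALUE_LEN):
    """Return (event, onmatch, field, condition, length) for every filter
    value longer than `limit`. An exclude filter in this list stops
    suppressing events once Sysmon truncates its value."""
    root = ET.fromstring(config_xml)
    hits = []
    for event in root.iter():
        if event.get("onmatch") is None:
            continue  # only event elements (ImageLoad, ProcessCreate, ...) carry onmatch
        for flt in _filters(event):
            value = (flt.text or "").strip()
            if len(value) > limit:
                hits.append((event.tag, event.get("onmatch"), flt.tag,
                             flt.get("condition") or "is", len(value)))
    return hits


if __name__ == "__main__":
    for event, onmatch, field, cond, length in find_long_values(SAMPLE_CONFIG):
        print(f"{event} onmatch={onmatch}: {field} condition='{cond}' "
              f"is {length} chars (limit {MAX_VALUE_LEN})")
```

Run it against a real config by passing the file contents to find_long_values; any hit on an exclude rule is a candidate for the "contains any" plus "begin with" rewrite the answer suggests.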