Signatures

Signatures are Sigma rule collections used by the sigcheck search command.

Directory Structure

Signatures are loaded from subdirectories of CRYSTALLINE_EXTRA_DIR/signatures. The default extra directory is /var/lib/crystalline/extra, so the default signatures directory is:

/var/lib/crystalline/extra/signatures

Each direct child directory is loaded as one signature set. For example:

extra/
  signatures/
    windows/
      process_creation.yml
      powershell.yml
    web/
      suspicious_access.yml

This creates two signature sets: windows and web.

Every YAML file found recursively within a set directory is loaded as one signature and parsed using Sigma rule syntax.
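As an added illustration (not a file from Crystalline's own distribution), this is what the windows/process_creation.yml file from the layout above could contain, written in Sigma rule syntax. The field names Image and CommandLine follow the Sigma process_creation convention; whether Crystalline's ingested events expose those exact field names is an assumption.

```yaml
# Example Sigma rule for /var/lib/crystalline/extra/signatures/windows/process_creation.yml
# Field names (Image, CommandLine) are assumed to match Crystalline's process_creation events.
title: Encoded PowerShell Command Line
status: experimental
description: Detects powershell.exe started with an encoded command argument.
logsource:
  product: windows
  category: process_creation
detection:
  selection_image:
    Image|endswith: '\powershell.exe'
  selection_args:
    CommandLine|contains:
      - ' -enc '
      - ' -EncodedCommand '
  condition: selection_image and selection_args
falsepositives:
  - Administrative scripts that legitimately pass encoded commands
level: medium
```

Once the file is in place, the periodic scan picks up (or reparses) the windows set, and it becomes available to sigcheck.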

Loading

The server periodically scans the signatures directory. New set directories are added, removed directories are unloaded, and changed files inside an existing set cause that set to be reparsed.

Parse failures are logged and the failing set is not made available to sigcheck.

Signature Sets

A signature set name is the directory name under the signatures directory. The sigcheck command can evaluate every loaded set or only named sets:

| sigcheck
| sigcheck sets("windows", "web")