Someone should map publicly available EVTX samples to Sigma rules. This would enable us to automatically test the correctness of generated queries.

Known security-related EVTX repositories:

• https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES
• https://github.com/Cyb3rWard0g/mordor

Feel free to extend the list.

Mapping should be:

Sigma rule -> Repository/EVTX ( -> expected matched

Instructions show npm install via apt-get: https://scirius.readthedocs.io/en/latest/installation-ce.html
surius-docker use debian:latest as its base: https://github.com/StamusNetworks/suricata-docker/blob/master/Dockerfile

npm fails using the instructions from "read the docs." It would be great to have the install instructions updated as the install on debian:jessie appears to have other inst

Thinking of using one of the Project Honeypot PHP classes to detect undesirables. Is there an easy way for me to generate my own blocks and then use the cidram reporting features?

As noted in the FAQ, the exception messages aren't very helpful on Mac.

Every exception thrown from the C++ isn't correctly interpreted by pybind11, and becomes a RuntimeError: caught an unknown exception. (When all we ever actually throw are ValueErrors with descriptive messages.) At the moment this is worked around

These functions can be put directly to containers-sig-* packages.

• !? as an operator version of lookup
• // for Map difference

For example, there's this useful operator:

infixl 9 !?
(!?) :: Key k => Map k v -> k -> Maybe v
(!?) m k = lookup k m

And probably there exist other useful functions with default implementations. We need to collect such functions an

The towered extensions lead to (lots of) duplicated code due to a codegen bug in Nim upstream nim-lang/Nim#13982.

This is quite bad for resource-restricted devices.