LOKI version 0.30.0
Changes due to pull requests by @s3c
- Added --syslogtcp, allowing TCP syslog servers, which was easier with our Splunk setup
- Included pywin32, setuptools==19.2, and rfc5424-logging-handler in the pip command, the latter to enable RFC 5424 compatible syslog logging
- Fixed exception handler for #51 (not sure why this triggered for me since there is a check before this func is called in init, might be because subfolder didn't exist for some reason)
- Added date and time to default filename
- Added the ability to specify the log directory independent of the filename, which is useful for automation that pushes logs to a fileshare (the new default filename, which contains the hostname and time, is used)
- Added OS path conversion for portability, needed for parsing data within a SOAR platform as well as running LOKI from a WebDAV share (so we don't have to store any files on the host)
- Enabled pe-sieve shellcode search, nice extra check
- Added some argument sanity checking
- Added RFC 5424 compatible syslog logging (Splunk parsing with linux_messages_syslog)
- Made minor changes to the logging output to allow Splunk to easily parse syslog messages (just removed a colon)
- Renamed command line flag --printAll to lowercase, to match format of others
- Updated build script for python x64 compatibility
- Added a process name whitelist, and a switch to disable PE-Sieve, since some EDR solutions get really upset when you touch them
- Added a switch to ignore network comms checks
Change by me
- Upgrade to PE-Sieve version 0.2.2