Releases: wagga40/Zircolite
2.1.0
What's new in v2.1.0:
- Added an "--package" option to generate a zip file with a ready to use ZircoGui package
- The "--stream" bug in Windows is solved
- The ZircoGui files CSS/HTML/JS are now available in the repo as a zip file
- Docs have been updated
What to download?
- Binaries with "nuitka" in their names were generated with Nuitka and are supposedly faster (but bigger in size)
- Binaries with "embedded" in their names are self-contained and do not need external files to work (even ruleset files)
- Binaries for Windows 7 have "win7" in their names. Other releases may not work on Windows 7
- Binaries for Linux have "lin" in their names
2.0.0
v2.0.0 is here 🎉🎉🎉
What's new in v2.0.0:
- Zircolite has been rewritten with classes to be less monolithic; the legacy version is still available in the root directory
- Forwarding events is now done asynchronously, and the speedup is quite huge
- You can now generate your own Zircolite Embedded/Portable versions! The tool is available in the tools/genEmbed directory
- Nuitka releases are much smaller
- In case you don't have evtx_dump binaries, there is a fallback mode (slower) which uses the evtx_dump Python bindings
Edited on 2021/07/19 :
- Thanks to @Hullgj, I added a missing check in the code. Releases have been updated accordingly.
Known issues
- Forwarding events throws errors on Windows in stream mode when using packaged versions of Zircolite. It seems to be linked to PyInstaller and Nuitka. A "legacy mode" will be added to avoid this problem, but for now, if you need this functionality, use the v1.4.1 packaged binaries.
What to download?
- Binaries with "nuitka" in their names were generated with Nuitka and are supposedly faster (but bigger in size)
- Binaries with "embedded" in their names are self-contained and do not need external files to work (even ruleset files)
- Binaries for Windows 7 have "win7" in their names. Other releases may not work on Windows 7
- Binaries for Linux have "lin" in their names
1.4.1
What's new:
- You can now execute Zircolite on a previously saved DB (--dbfile argument). Time range filters don't work in this mode
- Updated rulesets (CVE-2021-1675)
What to download?
- Binaries with "nuitka" in their names were generated with Nuitka and are supposedly faster (but bigger in size)
- Binaries with "embedded" in their names are self-contained and do not need external files to work (even ruleset files)
- Binaries for Windows 7 have "win7" in their names. Other releases may not work on Windows 7
- Binaries for Linux have "lin" in their names
1.4.0
What's new:
- Linux binaries compiled with Nuitka
- To speed up Zircolite execution, it is now possible to filter events to a specific time range
- To avoid noisy or slow rules, it is now possible to filter them by name/id (CRC32)
- Updated rulesets
Check the Readme to learn how to use these new features.
What to download?
- Binaries with "nuitka" in their names were generated with Nuitka and are supposedly faster (but bigger in size)
- Binaries with "embedded" in their names are self-contained and do not need external files to work (even ruleset files)
- Binaries for Windows 7 have "win7" in their names. Other releases may not work on Windows 7
- Binaries for Linux have "lin" in their names
1.3.5
What's new:
- It is now possible to forward events to a Splunk instance via Splunk HEC
- You can choose to stream events or to send them all at once with the "stream" argument
- Added a "showall" argument to show all executed rules (useful when trying to find a slow rule)
- Removed the "fields" argument
- Updated rulesets
What to download?
- Binaries with "nuitka" in their names were generated with Nuitka and are supposedly faster (but bigger in size)
- Binaries with "embedded" in their names are self-contained and do not need external files to work (even ruleset files)
- Binaries for Windows 7 have "win7" in their names. Other releases may not work on Windows 7
Since, for now, Zircolite has been mostly made to scan EVTX files, only Microsoft Windows packaged binaries will be distributed. For convenience, you can place these binaries at the root of the Zircolite directory.
1.3.1
What's new:
- Code refactoring
- Updated rulesets
What to download?
- Binaries with "nuitka" in their names were generated with Nuitka and are supposedly faster.
- Binaries with "embedded" in their names are self-contained and do not need external files to work (even ruleset files).
Since, for now, Zircolite has been mostly made to scan EVTX files, only Microsoft Windows packaged binaries will be distributed. For convenience, you can place these binaries at the root of the Zircolite directory.
1.3.0
What's new:
- Added file filters to speed up Zircolite processing (check Readme.md)
What to download?
- Binaries with "nuitka" in their names were generated with Nuitka and are supposedly faster.
- Binaries with "embedded" in their names are self-contained and do not need external files to work (even ruleset files).
Since, for now, Zircolite has been mostly made to scan EVTX files, only Microsoft Windows packaged binaries will be distributed. For convenience, you can place these binaries at the root of the Zircolite directory.
1.3.0b
This is a BETA release: binaries have not been tested
What's new:
- Added file filters to speed up Zircolite processing (check Readme.md)
What to download?
- Binaries with "nuitka" in their names were generated with Nuitka and are supposedly faster.
- Binaries with "embedded" in their names are self-contained and do not need external files to work (even ruleset files).
Since, for now, Zircolite has been mostly made to scan EVTX files, only Microsoft Windows packaged binaries will be distributed. For convenience, you can place these binaries at the root of the Zircolite directory.
1.2.5
This release introduces:
- Updated rulesets
- New config files for sigmac
- New "example" Zircolite server
What to download?
- Binaries with "nuitka" in their names were generated with Nuitka and are supposedly faster.
- Binaries with "embedded" in their names are self-contained and do not need external files to work (even ruleset files).
Since, for now, Zircolite has been mostly made to scan EVTX files, only Microsoft Windows packaged binaries will be distributed. For convenience, you can place these binaries at the root of the Zircolite directory.
1.2.3
This release introduces:
- Updated rulesets
- New icon
What to download?
- Binaries with "nuitka" in their names were generated with Nuitka and are supposedly faster.
- Binaries with "embedded" in their names are self-contained and do not need external files to work (even ruleset files).
Since, for now, Zircolite has been mostly made to scan EVTX files, only Microsoft Windows packaged binaries will be distributed. For convenience, you can place these binaries at the root of the Zircolite directory.