Invalid Argument #94
Comments
|
This is typically the error that appears when the AV trigger on the temp files. I recommend you to add Zircolite directory to AV exclusions. |
|
Hi I have good case for you. rules.json and evtx files. hayabusa took 390 sec zircolite took 1400sec. I can share the data privately if you want to examine. Best PS: if you put elapsed time for each event result in screen printing good for debug |
yeah I’m interested, how do you want to proceed ? |
|
give me your email pls |
|
I can send links for rules and evtx zip for test to your email. As far as I see its take too long for some queries. ie: 17.000 result.. takes too long to query. hayabusa always around 4 min - 5 min. 
|
|
more diagnosis clues: same log and same json rules: on my vmware windows 10 took 297 sconds on another server ; vmware win server 2019 took 14500 seconds. ! both machine hayabusa 300 seconds |
|
email : seringues-06.phyla@icloud.com did you try with the v3 version in the dev branch ? https://github.com/wagga40/Zircolite/tree/v3.0 (very unstable, csv output not working) Sometimes memory is quite the bottleneck and the rulesets have to be tailored because somes rules are very noisy and take long time to execute. |
|
is zircolite.py or zircolite_dev.py ?
Only gettin above file is enough or need full repo ?
Will prepare you VMware image for same test
Best
… On 31 Oct 2024, at 21:18, Wagga ***@***.***> wrote:
email : ***@***.*** ***@***.***>
did you try with the v3 version in the dev branch ? https://github.com/wagga40/Zircolite/tree/v3.0 <https://github.com/wagga40/Zircolite/tree/v3.0> (very unstable, csu output not working)
—
Reply to this email directly, view it on GitHub <#94 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AEFRZH7WZLZPCK2QAZWPAADZ6JX6BAVCNFSM6AAAAABQXUDBSKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDINJQGU2DGMBQGQ>.
You are receiving this because you authored the thread.
|
|
You should use zircolite_dev.py Normally it should work only with this file |
|
Hayabusa Almost 5-7 times faster . But I believe we can catch its speed.
PS: I am preparing the VMware image
Best
… On 31 Oct 2024, at 21:18, Wagga ***@***.***> wrote:
email : ***@***.*** ***@***.***>
did you try with the v3 version in the dev branch ? https://github.com/wagga40/Zircolite/tree/v3.0 <https://github.com/wagga40/Zircolite/tree/v3.0> (very unstable, csu output not working)
—
Reply to this email directly, view it on GitHub <#94 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AEFRZH7WZLZPCK2QAZWPAADZ6JX6BAVCNFSM6AAAAABQXUDBSKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDINJQGU2DGMBQGQ>.
You are receiving this because you authored the thread.
|
|
I sent you an email address in a previous answer, could you share your samples ? |
|
Whith the news version (https://github.com/wagga40/Zircolite/tree/v3.0) of Zircolite and default ruleset or your ruleset, it took 23 sec. RAM and Storage speed (SSD vs non SSD) can change the results.
|
|
I've tested in a Windows VM. It took 44 sec |
python .\zircolite.py --evtx .\7\ --rules C:\PURE7\rules.json
Traceback (most recent call last):
File "C:\RE7\Zircolite\zircolite.py", line 2713, in
main()
File "C:\RE7\Zircolite\zircolite.py", line 2622, in main
zircoliteCore.run(LogJSONList, saveToFile=args.keepflat, args_config=args)
File "C:\RE7\Zircolite\zircolite.py", line 1227, in run
flattener.runAll(EVTXJSONList)
File "C:\RE7\Zircolite\zircolite.py", line 830, in runAll
results = self.run(evtxJSON)
File "C:\RE7\Zircolite\zircolite.py", line 777, in run
with open(str(file), "r", encoding="utf-8") as JSONFile:
OSError: [Errno 22] Invalid argument: 'tmp-6W5YO034\ID400-800-CrackMapExec payload execution.evtx-R0YQ824M.json'
The text was updated successfully, but these errors were encountered: