1.4.1

What's new :

• You can now execute Zircolite on a previously saved Db (--dbfile argument). Timerange filters don't work in this mode
• Updated rulesets (CVE-2021-1675)

What to download ?

• Binaries with "nuitka" in their names were generated with Nuitka and are supposedly faster (but bigger in size)
• Binaries with "embedded" in their names are self contained and to not need external files to work (even ruleset files)
• Binaries for Windows 7 have "win7" in their names. Other releases may not work on Windows 7
• Binaries for Linux have "lin" in their names

⚠️ Some AV may not like the packaged binaries.
⚠️ The set of tests for windows binaries is far from being exhaustive, please create an issue if you encounter difficulties.

1.4.0

What's new :

• Linux binaries compiled with Nuitka
• To speed up zircolite execution, it is now possible to filter events to a specific time range
• To avoid noisy or slow rules, it is now possible to filter them by name/id (CRC32)
• Updated rulesets

Check Readme to know how to use these new features.

What to download ?

• Binaries with "nuitka" in their names were generated with Nuitka and are supposedly faster (but bigger in size)
• Binaries with "embedded" in their names are self contained and to not need external files to work (even ruleset files)
• Binaries for Windows 7 have "win7" in their names. Other releases may not work on Windows 7
• Binaries for Linux have "lin" in their names

⚠️ Some AV may not like the packaged binaries.
⚠️ The set of tests for windows binaries is far from being exhaustive, please create an issue if you encounter difficulties.

1.3.5

What's new :

• It is now possible to forward events to a Splunk instance via Splunk HEC
• You can choose to stream events or to send them all at once with the "stream" argument
• Added an "showall" argument to show all executed rules (useful when trying to find a slow rule)
• Removed "fields" argument
• Updated rulesets

What to download ?

• Binaries with "nuitka" in their names were generated with Nuitka and are supposedly faster (but bigger in size)
• Binaries with "embedded" in their names are self contained and to not need external files to work (even ruleset files)
• Binaries for Windows 7 have "win7" in their names. Other releases may not work on Windows 7

Since, for now, Zircolite has been mostly made to scan EVTX files, only Microsoft Windows packaged binaries will be distributed. For convenience, you can place these binaries at the root of the Zircolite directory.

⚠️ Some AV may not like the packaged binaries.
⚠️ The set of tests for windows binaries is far from being exhaustive, please create an issue if you encounter difficulties.

1.3.1

What's new :

• Code refactoring
• Updated rulesets

What to download ?

• Binaries with "nuitka" in their names were generated with Nuitka and supposedly faster.
• Binaries with "embedded" in their names are self contained and to not need external files to work (even ruleset files).

Since, for now, Zircolite has been mostly made to scan EVTX files, only Microsoft Windows packaged binaries will be distributed. For convenience, you can place these binaries at the root of the Zircolite directory.

⚠️ Some AV may not like the packaged binaries.
⚠️ The set of tests for windows binaries is far from being exhaustive, please create an issue if you encounter difficulties.

1.3.0

What's new :

• Added file filters to speed up Zircolite processing (check Readme.md)

What to download ?

• Binaries with "nuitka" in their names were generated with Nuitka and supposedly faster.
• Binaries with "embedded" in their names are self contained and to not need external files to work (even ruleset files).

Since, for now, Zircolite has been mostly made to scan EVTX files, only Microsoft Windows packaged binaries will be distributed. For convenience, you can place these binaries at the root of the Zircolite directory.

⚠️ Some AV may not like the packaged binaries.
⚠️ The set of tests for windows binaries is far from being exhaustive, please create an issue if you encounter difficulties.

1.3.0b

This is a BETA release - Binaries have not been tested

What's new :

• Added file filters to speed up Zircolite processing (check Readme.md)

What to download ?

• Binaries with "nuitka" in their names were generated with Nuitka and supposedly faster.
• Binaries with "embedded" in their names are self contained and to not need external files to work (even ruleset files).

Since, for now, Zircolite has been mostly made to scan EVTX files, only Microsoft Windows packaged binaries will be distributed. For convenience, you can place these binaries at the root of the Zircolite directory.

⚠️ Some AV may not like the packaged binaries.
⚠️ The set of tests for windows binaries is far from being exhaustive, please create an issue if you encounter difficulties.

1.2.5

This release introduce :

• Updated rulesets
• New config files for sigmac
• New "example" Zircolite server

What to download ?

• Binaries with "nuitka" in their names were generated with Nuitka and supposedly faster.
• Binaries with "embedded" in their names are self contained and to not need external files to work (even ruleset files).

Since, for now, Zircolite has been mostly made to scan EVTX files, only Microsoft Windows packaged binaries will be distributed. For convenience, you can place these binaries at the root of the Zircolite directory.

⚠️ Some AV may not like the packaged binaries.
⚠️ The set of tests for windows binaries is far from being exhaustive, please create an issue if you encounter difficulties.

1.2.3

This release introduce :

• Updated rulesets
• New icon

What to download ?

• Binaries with "nuitka" in their names were generated with Nuitka and supposedly faster.
• Binaries with "embedded" in their names are self contained and to not need external files to work (even ruleset files).

Since, for now, Zircolite has been mostly made to scan EVTX files, only Microsoft Windows packaged binaries will be distributed. For convenience, you can place these binaries at the root of the Zircolite directory.

⚠️ Some AV may not like the packaged binaries.
⚠️ The set of tests for windows binaries is far from being exhaustive, please create an issue if you encounter difficulties.

1.2.2

This release introduce :

• Updated rulesets

What to download ?

• Binaries with "nuitka" in their names were generated with Nuitka and supposedly faster.
• Binaries with "embedded" in their names are self contained and to not need external files to work (even ruleset files).

Since, for now, Zircolite has been mostly made to scan EVTX files, only Microsoft Windows packaged binaries will be distributed. For convenience, you can place these binaries at the root of the Zircolite directory.

⚠️ Some AV may not like the packaged binaries.

1.2.1

This release introduce :

• New sigmac configuration and new rulesets with reduced false positives

What to download ?

• Binaries with "nuitka" in their names were generated with Nuitka and supposedly faster.
• Binaries with "embedded" in their names are self contained and to not need external files to work (even ruleset files).

Since, for now, Zircolite has been mostly made to scan EVTX files, only Microsoft Windows packaged binaries will be distributed. For convenience, you can place these binaries at the root of the Zircolite directory.

⚠️ Some AV may not like the packaged binaries.