Gene engine is a single executable without dependency. You can download the latest releases for your OS from our Github
# Assuming ./gene-rules is a directory containing your rules # Verifying that the rules are valid gene -r ./gene-rules -verify # Scanning a single file gene -r ./gene-rules -progress sysmon.evtx # Scanning several files gene -r ./gene-rules -progress *.evtx # Scanning Windows Events in JSON format (as printed by evtxdump) gene -r ./gene-rules -progress -j sysmon.json # Reading JSON Events from stdin cat some-events.json | gene -r ./gene-rules -progress -j - # Scan Events and set blacklist and whitelist containers gene -r ./gene-rules -bl blacklist.txt -wl whitelist.txt -j sysmon.json
WHIDS or how to use Gene in real time¶
As Gene engine, WHIDS can be downloaded as a standalone executable on our Github. This tool is a powerful Host IDS built on top of Gene engine and capable of analyzing a big amount of events per seconds while taking limited resources.
If you just want to test WHIDS, you can do it in a second by simply downloading and executing trial.ps1
# WHIDS expects to listen directly on Windows Log Channel # but some aliases are hardcoded to prevent typing long Channel names # To make WHIDS listening on Sysmon Channel .\whids.exe -r ./gene-rules -c sysmon # To listen on both Sysmon and Security Channel and match event in real time .\whids.exe -r ./gene-rules -c "sysmon,security" # To listen on all aliased Windows Channels .\whids.exe -r ./gene-rules -c all # Download latest version of rule repository and use it .\whids.exe -u -c all # Log alerts to Windows Application log Channel .\whids.exe -r ./gene-rules -winlog -c all # Enable Windows Client-DNS logs and monitor according Channel .\whids.exe -r ./gene-rules -dns -c dns