In the Islamic lunar calendar, the new crescent moon marks the beginning of the year 1444. Based on the moon, the Islamic year has a length of 354 or 355 days. It runs for a whole year, beginning with Muharram.
The Hijrah – the Prophet Mohamed’s journey from Mecca to Medina with his companions, marked the beginning of the calendar in 622 AD.
History and significance
The Islamic New Year commemorates the migration of the Prophet Mohammad and his companions from Mecca to Medina in 622 CE to avoid persecution. In 629 CE, following the city’s conquest, the Prophet made his way back to Mecca. The following year will be known as 1444 AH (Anno Hegirae or the year of the Hijra), signifying that 1,444 years have passed since the Prophet’s migration to Medina.
Traditionally, Muharram is regarded as a time for reflection and penance among many. The Islamic New Year gives followers a chance to look forward to the future and reflect on the good and bad things they have done in their life.
As the death anniversary of the Prophet’s grandson Hussein is observed around this time, Muslims see the first 10 days of Muharram as a sacred period of remembrance. On the tenth day of Muharram, Hussein lost his life at the Battle of Karbala. The day, also known as Ashura, is observed as a day of mourning by Shia Muslims around the world.
Anmar Khalil/AP Photo
When does Muharram 2022 start?
Based on where a person is in the world, the expected Gregorian Date of 1 Muharram in 2022 is either Saturday, July 30, or Sunday, July 31, 2022.
Different nations choose various techniques, but the date is ultimately determined by astronomical calculations or confirmed moon sightings.
There is also disagreement about whether the concept of a moon sighting should refer to a person actually witnessing the moon in an area, which could be complicated by things like weather, or whether to take into account sightings in Saudi Arabia or other places.
Unsplash/Representational Image
Some claim that because of scientific advances in astronomy, it is now possible to predict the rising of the new moon with certainty, allowing Muslims worldwide to utilize a single start date without variance.
Rituals
According to traditional belief, the Children of Israel were saved from Pharoah by Allah in the month of Muharram. On this day, the tenth of Muharram, Prophet Moses (or Musa) fasted as an act of gratitude to Allah. When Prophet Muhammad moved from Mecca to Medina in the year 622 CE during the month of Muharram, he learned from the Jews that they fasted on this day in accordance with the teachings of Moses.
Unsplash
Prophet Muhammad chose to fast twice, once on Ashura and the day prior that is the 9th and 10th day of Muharram, in order to encourage his followers to express the same thanks to Allah. These are the customs that Sunni Muslims traditionally follow.
Muslims observe a day of mourning known as Ashura to remember the martyrdom of the Prophet Muhammad’s great-grandson Hussain Ibn Ali in Karbala.
In order to mark public mourning and remember the suffering inflicted upon their great leader and his family, members of the Shia community wear black clothing, observe abstinence, fast, and participate in processions on the day of Ashura, when Imam Hussain is believed to have been beheaded in the Battle of Karbala.
Anmar Khalil/AP Photo
When is the day of Ashura?
According to the Islamic calendar, Ashura occurs on the tenth day of the first month, which places it between Sunday, August 7, and Monday, August 8, this year.
The holy day of Ashura is a day of remembrance and fasting for millions of people around the world.
Anmar Khalil/AP Photo
Both Sunni and Shi’a Muslims mark the day, however in different ways.
The split between Shi’a and Sunni Muslims began with disagreements about the Prophet Muhammad’s rightful successor and leader of the Muslim community, and it was made worse by the subsequent killing of Hussain ibn Ali, the Prophet’s grandson years later.
For more on news and current affairs from around the world please visit Indiatimes News.
A typical corporate network consists of hundreds or thousands of devices generating millions of lines of logs pouring in every minute. What can make it possible, then, for SOC and threat intel analysts to sift through all this flow of information efficiently and separate malicious activity from daily noise in an automated fashion?
This is where Sigma rules come in handy.
What are sigma rules?
Sigma rules are textual signatures written in YAML that make it possible to detect anomalies in your environment by monitoring log events that can be signs of suspicious activity and cyber threats. Developed by threat intel analysts Florian Roth and Thomas Patzke, Sigma is a generic signature format for use in SIEM systems. A prime advantage of using a standardized format like Sigma is that the rules are cross-platform and work across different security information and event management (SIEM) products. As such, defenders can use a “common language” to share detection rules with each other independent of their security arsenal. These Sigma rules can then be converted by SIEM products into their distinct, SIEM-specific language, while retaining the logic conveyed by the Sigma rule.
Whereas among analysts, YARA rules are more commonly associated with identifying and classifying malware samples (files) using indicators of compromise (IOCs), Sigma rules focus on detecting log events that match the criteria outlined by the rule. Incident response professionals, for example, can use Sigma rules to specify some detection criteria. Any log entries matching this rule will trigger an alarm.
The Sigma specification
The possibilities Sigma offers are vast and it therefore helps to familiarize yourself with the Sigma specification. It offers a long list of fields and defines what each means:
From basic metadata fields such as the name and author of the rule to functional fields such as timeframe, string-identifier, and log source, Sigma rules allow for advanced monitoring of log events and entries.
How to write a Sigma rule
Every Sigma rule must have a title and an identifier. The title field briefly describes what the rule is supposed to do in no more than 256 characters. The id field is supposed to contain a globally unique identifier for the rule. Typically, the id field is specified as a randomly generated universally unique identifier (UUID) value.
The status field specifies whether the rule is considered stable for use in production, for testing, experimental, unsupported, or deprecated. The critical field logsource specifies the source of the log data that the rules will run against. Informative fields like status, author, license and description are optional but recommended.
Before writing a Sigma rule, think of what it is you’re trying to accomplish. Is your goal, for example, to detect instances of a common string (payload) associated with a particular vulnerability exploit, or to monitor occurrences of a particular Log event?
This is a basic, skeleton Sigma rule:
title: Test Sigma rule
id: 4d28fc3b-2ed7-4cd0-97c7-7a90b463c881 status: test
A real-life scenario rule would look more akin to the one shown below. The rule titled “Remove Immutable File Attribute” triggers seeing a log event generated by The Linux Audit Demon (‘auditd’) every time immutable file attributes are removed from a file. The selection criteria specified under the “detection” section is a set of key-value pairs. The rule, in this example, will trigger only when the field type is EXECVE and the arguments (a0, a1) passed contain “chattr -i”:
SANS
The falsepositives field isn’t processed by the SIEM application but is instead an indicator for the SOC analyst to be aware of situations that can trigger false positives that may require no immediate remediation. The condition field determines what conditions must be met for the event to trigger. In this case, it just follows the selection criteria, but the condition field can allow for a more complex and detailed rule, as defenders can use logical operators such as AND/OR/NOT to combine different conditions.
For example, the rule below would only trigger when ‘selection’ criteria is met but not what the ‘filter’ specifies. The Sigma expression looks for Event 4738: “A user account was changed.” in the Windows logs but only alerts when the PasswordLastSet field is not null.
Similarly, the selection criteria itself can become detailed and complex and use value modifiers. An example of selection criteria using the “endswith” modifier is shown in the example from Intezer below:
Sigma
The rule will look for two fields ParentImage and Image and only trigger if both the values in the ‘ParentImage’ AND the ‘Image’ fields end with strings specified in the criteria. However, the values for each of these is specified in the “list” format – and any one of these values for ParentImage will trigger the rule. That is, the rule will trigger when the Image ends in mshta.exe AND ParentImage ends in svchost.exe OR cmd.exe OR powershell.exe.
Note, items specified under either “list” or “map” objects have the “OR” operator applied to them, so detection of any of the selections specified in a list or map will trigger an alert.
Strings in Sigma are case insensitive by default but become case sensitive should they contain regular expressions (regex). Additionally, wildcards like “*” and “?” are allowed in the detection criteria and can be escaped (using a “”) as needed.
Common Sigma rule mistakes
Not knowing when rules are case sensitive
Because strings in Sigma rules are case insensitive, except when they contain a regex pattern, defenders who are new to writing these rules might inadvertently introduce errors. An erroneous rule can turn out to be a wasted effort and a security miss as it may never be triggered when expected.
Improper backslash use
Another source of error comes from the improper use of the backslash when escaping strings, specifically using the wrong number of backslashes. This is particularly an issue in regular expressions.
The rule creation guide explains a solution to avoid this. Cases where only single backslashes are being used by themselves need not be escaped. For example, the string C:WindowsSystem32cmd.exe does not need to be escaped and the single backslash will be treated as a “plain” string value. In other words, defenders should not escape single backslashes by writing “C:\Windows\System32\cmd.exe.”
A working example of this is shown in a Sigma rule shared by Florian Roth himself. The rule alerts sysadmins on seeing instances of the “ping” command being provided a hex-encoded IP address, possibly to avoid detection. Notice, the use of wildcards (*) and the “” not being escaped.
Backslashes can, however, be used as a way of escaping wildcards and a group of backslashes. For example, “*”, “and” and “?” are treated as wildcard characters, so rule writers are better off writing “*” if they literally meant to include an asterisk as opposed to a wildcard operator.
Also, the guide specifies, “If you want to express two plain backslashes, use four of them: \\foobar results in the value \foobar…,” which means writing \\ gives you two backslashes in a string. “Write * if you want a plain wildcard * as resulting value. Write \* if you want a plain backslash followed by a wildcard * as resulting value. Write \* if you want a plain backslash followed by a plain * as resulting value,” further explain the instructions.
Logical errors from operator misuse
When crafting selection criteria and condition that is required to trigger the rule, beware of how your expression is being evaluated. Crafting an expression with multiple expressions using the OR operator when your logic is meant to convey AND can trigger a plethora of false alerts. This can get especially difficult to master when combining multiple selection criteria (containing a list of items) with the condition field combining such criteria using AND/OR/NOT.
Writing and validating your Sigma rules
Threat hunting, and cyber-threat Intelligence analyst Syed Hasan has shared a step-by-step guide on how to write and compile your Sigma rules from scratch. Better yet, as Hasan suggests why not use a web-based tool like Uncoder especially as a beginner?
Released by SOC Prime, Uncoder allows you to easily write, experiment with, test, and compile Sigma rules from the comfort of your web browser and even convert your rules into SIEM-native languages.
As for validation and testing, Sigma’s official repository provides a test suite that you can use to validate your rules. However, as cybersecurity engineer Ryan Plas rightfully points out, some may find the suite incomplete. The tests provided act as a helpful resource but are in no way a comprehensive means to check your compliance with the Sigma schema. Running the test suite requires defenders to download these manually and place them in their rules folder.
Tools like sigmalint, developed by Stage 2 Security, can help with this. Sigmalint is an open-source command-line tool for validating your Sigma rules against the Sigma schema. “Using sigmalint is easy. You can pass two parameters: inputdir and method. inputdir is the directory location of your rules, and method is the validation system you want to use (rx, jsonschema, s2),” explained Plas. “The script then outputs a report of how many rules are valid and invalid and how many it couldn’t parse.”
As of April this year, contributed Sigma rules undergo automated checks to ensure their correctness using event log data collected from uncompromised Windows systems.
Getting started with Sigma rules is quite easy but, as with anything, it takes some practice writing them to get yourself familiarized with more sophisticated syntaxes and enhance your detection capabilities.
I’m not sure I would ever know what to write about when it came to the bizarre, fantastic and extremely interesting things that I have on occasion chosen to write about if not for the great research that our good friend Bryan Prince (part of the fantastic super heroes pair known as Shannon and Bryan Prince from Buxton).
Article content
It’s this far-reaching research that he brought to my attention for this week that got me pondering a great mystery from Morpeth, in the 1860s, that I have no definitive answer for but I find endlessly fascinating.
Our story starts in Morpeth, a community in the 1860s that was bustling and exciting. It all started with a lawyer named W. H. Wittrock.
It would appear that Wittrock had been ill for several months and, in an effort to seek a cure or to lessen his pain, took a large number of morphine pills and died from an apparent overdose.
However, our story gets more interesting. Wittrock was laid out in the local church for all of the citizens of Morpeth to pay their final respects to a lawyer that many of the people knew and possibly dealt with over the years.
The corpse appeared in his coffin dressed in a fine suit of black broadcloth with gloves on his hands and boots on his feet. More than one person reported touching the corpse and speculating that the body … “when touched imported a peculiar sensation not derived usually from the bodies of a dead person.”
Why would a casual mourner have reason to touch the body?
At any rate, the coffin was eventually closed and taken to the pleasant burial ground connected with the Church of England near Morpeth where it was buried.
You might think that to be the end of the story, but it was only the beginning.
Stories began that Wittrock, who was a Dane, had been in discussion with the Cartier-Macdonald government for the position of “Immigrant Agent for Denmark and Germany”.
Article content
He failed in his bid and was apparently despondent.
He was described by townspeople in Morpeth as a “tough, wiry, healthy man and somewhat of a bon vivant.”
When the townspeople put all of these various facts together there was a rumour started that he was just possibly not dead but has faked his death to start another life under an assumed name.
And has the newspaper of the day put it, “the vital spark had never fled from his body.”
Now when the insurance company that had given $10,000 to Mrs. Wittrock on her husband’s death heard the rumour, they apparently, according to some reports taken from the local newspaper, went out to the Morpeth Cemetery, dug up Wittrock’s coffin and found that it was filled with “cordwood and stones”.
Now to lend further evidence to support this forgery, Mrs. Wittrock wasted little time after the accounts of her husband had been liquidated, and left town without a proper send off. They didn’t say that she left “in the middle of the night” but…that was the unsaid meaning!
Further stories surfaced that Mr. Whittrock had been seen alive and well in New York and then later in Buffalo where his wife, the story goes, had “fled to”!
We will never know what the true story is and whether things in the newspaper had been surmised or simply made up to sell their papers.
The next time we hear of Mrs. Wittrock, she is living in Leavenworth, Kansas and she is claimed to be at her death at 89 years of age one of the oldest and earliest citizens of that town.
Apparently she never married again (assuming her husband was really dead) and whatever the truth was she took it to her grave.
Another interesting story from the early days of Morpeth, a village that never ceases to amaze me.
It’s been a difficult Winter Olympics thus far for Alpine skiing great Mikaela Shiffrin. The 26-year-old American has twice done something she hardly ever does in international competition: “ski out” of a race.
It’s a dreaded term for elite ski racers, one that is usually accompanied by the letters DNF – did not finish – meaning a skier failed to complete the course and register a valid run.
Making the gates
Alpine skiing courses are lined with brightly colored markers, called gates, which athletes must ski through as they navigate the slope. In the downhill, super-G and giant slalom disciplines, gates are marked by pairs of flags anchored to the snow by flexible plastic poles. Making contact with a flag is allowed, provided that every part of the skier’s body and equipment stays inside the inner-most pole.
Gates on a giant slalom course.
Getty Images
Slalom is a bit different. For starters, the gates are made up of single poles rather than larger flags. The poles, alternating in color, indicate various turns the skiers must perform down the hill.
Gates on a slalom course.
Getty Images
A common misconception is that the color of each pole indicates whether the skiers must go to the right or left of it. While this might often appear to be the case when watching a slalom competition, the color of each pole is simply meant to let the skiers know which gate is up next. It falls upon the athletes to learn the proper combination of turns outline by the course, which happens during set inspection periods in the hours or days before a race.
Simply put, skiing out means missing a gate at any point during a ski race. The consequences of doing so are instant disqualification from the event even if it spans multiple runs, as slalom, giant slalom and the combined event do at the Winter Olympics.
Sometimes, especially in the speed disciplines of downhill and super-G, ski outs happen when an athlete loses control and crashes off his or her skis. Shiffrin suffered a minor crash – and was uninjured – during her giant slalom run.
However, skiers can also ski out even without crashing if they stray too far outside the racing line, as Shiffrin did two days later in the slalom.
