ExcludeList not working ?

[mtl0n]

Hi,

I'm running this from powershell:

. .\Merge-SysmonXml.ps1
Merge-AllSysmonXml -AsString -BasePath .\ -ExcludeList .\0_custom_configuration\file_delete_modules.txt | Out-File -Encoding utf8 sysmonconfig-from-ps-generated.xml

It seems that the generated file doesn't take into account the excludelist argument.

Having a quick look into the Merge-SysmonXml.ps1 file, I may have found something odd at :

sysmon-modular/Merge-SysmonXml.ps1

Line 130 in 5e5f6d9

if($FilePath -notin $ExclusionFullPaths){

It seems the script is comparing an absolute path against a list of relative paths (although it says "$ExclusionFullPaths"), hence always False, and not taking into account the ExcludeList arg.

I added some verbosity and got such output (relative path in place of $ExclusionFullPaths):
FilePath : C:\Users\Bob\Repo\sysmon-modular\9_raw_access_read\include_general_commment.xml
ExclusionFullPaths : .\23_file_delete\exclude_google_chrome.xml .\23_file_delete\exclude_windows_services.xml .\23_file_delete\include_microsoft_sql_server.xml .\23_file_delete\include_qualys.xml .\23_file_delete\include_user_writable_folders.xml .\23_file_delete\include_writable_folders.xml

Am I missing something ?

[olafhartong]

Oh yeah the BasePath needs to be the full path of where you have the Sysmon-modular files.

so in your case:

Merge-AllSysmonXml -AsString -BasePath C:\Users\Bob\Repo\sysmon-modular  -ExcludeList .\0_custom_configuration\file_delete_modules.txt | Out-File -Encoding utf8 sysmonconfig-from-ps-generated.xml

that should work, I'll also make it more verbose in the README, thanks for letting me know