
Comments (3)

alexkornitzer commented on June 7, 2024

Hi @nbareil,

So unfortunately not all the Sigma rules are written that well. The reason that Chainsaw won't parse this one into a Tau compatible format is because selection_conf does not specify a field to search upon for the string Sysmon config state changed.

If it's intended behaviour for this rule to run upon all key value pairs within an event log entry then we can add support for that (it will be slow though), but I don't think that is what this rule is meant to do.

Let me know what you think.

from chainsaw.

nbareil commented on June 7, 2024

Thanks for your fast answer Alex!

I know almost nothing about Sigma but from its specifications, this construction looks to be allowed by the language:

2.9.4. Lists
Lists can contain:

  • strings that are applied to the full log message and are linked with a logical 'OR'.
  • maps (see below). All map items of a list are logically linked with 'OR'.

Example for list of strings: Matches on 'EvilService' or 'svchost.exe -n evil'

detection:
  keywords:
    - EVILSERVICE
    - svchost.exe -n evil

Source: https://github.com/SigmaHQ/sigma-specification/blob/4b24c52e9e5edb8bcca688a82d0691bcde0b848f/version_1_x_0.md#294-lists

Now, as I said, only 93 out of 2400 rules in SigmaHQ do not parse, so I don't think it is a big deal, and I do not have any opinion on whether you should implement it or not. If you feel this change is more problematic than helpful, feel free to close this issue with WONTFIX 🤗

Kind regards


alexkornitzer commented on June 7, 2024

Exactly, it's allowed in their spec, but it allows for inefficient rules to be written. It is basically saying look for those values anywhere in the entry (full log message). When we are processing structured data (like event logs, json, xml, etc) the concept of a full log message does not really make sense; the author must have fields in mind they would like to match. I would argue that it's lazy rule writing to not specify the fields that you would like to search on.

Thanks for your understanding, I will mark as won't fix unless a burning desire arises to need this feature.

Oh, and the other ones that can't convert are usually using things like inefficient regex which Rust does not support. I will have another look when I get time to see if I can easily get any of the final 93 in.

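To make the difference discussed in this thread concrete, here is an added Python example (not Chainsaw or Tau code): a field-less Sigma keyword list is applied to every leaf value of a structured event, while a field-bound selection only touches the named paths. The event, its dotted field paths and the Sysmon-style values are constructed for the example, not taken from a real log.

```python
from typing import Any, Iterator

# Constructed sample event, modelled on a Sysmon "config state changed" entry.
EVENT = {
    "Event": {
        "System": {"Provider": {"Name": "Microsoft-Windows-Sysmon"}, "EventID": 16},
        "EventData": {
            "Configuration": r"C:\sysmon.xml",
            "State": "Sysmon config state changed",
        },
    }
}


def flatten(obj: Any, prefix: str = "") -> Iterator[tuple[str, str]]:
    """Yield (dotted.path, value-as-string) for every leaf of a nested event."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from flatten(value, f"{prefix}.{key}" if prefix else key)
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from flatten(value, f"{prefix}[{i}]")
    else:
        yield prefix, str(obj)


def match_keywords(event: dict, keywords: list[str]) -> list[tuple[str, str]]:
    """Sigma list of strings: each string is searched (case-insensitively) in every
    leaf value and the strings are OR-linked. Returns (path, keyword) hits so the
    caller can see which fields fired. Cost is O(leaves * keywords) per event,
    which is why a field-less rule is slow and can over-match."""
    hits = []
    for path, value in flatten(event):
        for keyword in keywords:
            if keyword.lower() in value.lower():
                hits.append((path, keyword))
    return hits


def match_selection(event: dict, selection: dict[str, Any]) -> bool:
    """Sigma map: every field must equal its value (AND-linked); a field-bound
    rule only looks at the named paths."""
    leaves = dict(flatten(event))
    return all(
        leaves.get(path, "").lower() == str(wanted).lower()
        for path, wanted in selection.items()
    )
```

Searching for the bare keyword "sysmon" hits three unrelated fields of the sample event, which is the over-matching the comments above warn about.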
