
fix: add check for incompatible modifier #554

Merged
merged 5 commits into from
Dec 19, 2023

Conversation

fukusuket

@fukusuket fukusuket commented Dec 19, 2023

What Changed

Evidence

Test Environment

  • OS: macOS Sonoma version 14.0
  • Hard: MacBook Air (M1, 2020), Memory 8GB, Core 8
  • Python 3.11.1
  • Hayabusa 2.12.0-dev

Test1

I confirmed that there is only a difference in the following 4 yml files before and after this fix.

%diff -qr converted_sigma_rules_new/ converted_sigma_rules_old
Only in converted_sigma_rules_old/builtin/placeholder: security
% ls converted_sigma_rules_old/builtin/placeholder/security
win_security_exploit_cve_2020_1472.yml		win_security_remote_registry_management_via_reg.yml
win_security_potential_pass_the_hash.yml		win_security_susp_interactive_logons.yml

The above 4 yml files are all rules that include the unsupported |expand modifier, as shown below.

https://github.com/SigmaHQ/sigma/tree/412edd1e1abb29a021e51d2aca7abbbe47afca25/rules-placeholder/windows/builtin/security

Test2

I confirmed that no rule parsing errors occur.

% ./hayabusa csv-timeline -d ../hayabusa-sample-evtx -r converted_sigma_rules_new -w -q -o out.csv -C
Start time: 2023/12/19 22:05

Total event log files: 583
Total file size: 137.1 MB

Loading detection rules. Please wait.

Excluded rules: 27

Deprecated rules: 187 (4.88%) (Disabled)
Experimental rules: 1401 (36.53%)
Stable rules: 108 (2.82%)
Test rules: 2326 (60.65%)
Unsupported rules: 45 (1.17%) (Disabled)

Sigma rules: 3835
Total enabled detection rules: 3835

Output profile: standard

Scanning in progress. Please wait.

[00:00:05] 583 / 583   [========================================] 100%

I would appreciate it if you could review when you have time🙏
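To illustrate the kind of check this PR adds, here is an added Python example that is not the project's code: it walks a parsed Sigma rule's `detection` block and reports any field key whose modifier chain uses the unsupported `expand` modifier, so such placeholder rules can be skipped instead of converted. The rule contents, the `UNSUPPORTED_MODIFIERS` set and the function names are assumptions; the rule is taken as an already-parsed dict, as PyYAML would produce.

```python
from typing import Any, Iterator

# Modifiers the converter cannot translate. Assumption: only "expand" is
# named on this page; it is a set so that others can be added later.
UNSUPPORTED_MODIFIERS = frozenset({"expand"})

# Keys under `detection:` that are not selections and carry no field names.
NON_SELECTION_KEYS = frozenset({"condition", "timeframe"})


def iter_field_keys(node: Any) -> Iterator[str]:
    """Yield every field key (e.g. 'ComputerName|expand') in a selection.

    A Sigma selection is a mapping (all keys must match), a list of
    mappings (any must match) or a list of keywords (plain strings with
    no field name); recurse into the first two, ignore the last.
    """
    if isinstance(node, dict):
        for key, value in node.items():
            yield key
            yield from iter_field_keys(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_field_keys(item)


def find_unsupported_modifiers(rule: dict) -> list[str]:
    """Return field keys whose modifier chain contains an unsupported modifier."""
    detection = rule.get("detection") or {}
    hits = []
    for name, selection in detection.items():
        if name in NON_SELECTION_KEYS:
            continue
        for key in iter_field_keys(selection):
            # The field name is before the first '|'; modifiers follow it.
            modifiers = key.split("|")[1:]
            if UNSUPPORTED_MODIFIERS.intersection(modifiers):
                hits.append(key)
    return hits


def is_convertible(rule: dict) -> bool:
    """True when the rule can be converted; False when it must be skipped."""
    return not find_unsupported_modifiers(rule)


# Constructed samples (not the four real rules): a placeholder rule that
# uses `|expand`, and a plain rule that uses only supported modifiers.
PLACEHOLDER_RULE = {"title": "constructed placeholder rule", "detection": {
    "selection": {"EventID": 4624, "ComputerName|expand": "%Workstations%"},
    "filter": [{"TargetUserName|endswith": "$"}],
    "condition": "selection and not filter"}}
PLAIN_RULE = {"title": "constructed plain rule", "detection": {
    "selection": {"EventID": 4624, "TargetUserName|contains|all": ["adm", "svc"]},
    "condition": "selection"}}
```

Running `find_unsupported_modifiers(PLACEHOLDER_RULE)` returns `['ComputerName|expand']`, while `PLAIN_RULE` is reported as convertible.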

@fukusuket fukusuket added the bug Something isn't working label Dec 19, 2023
@fukusuket fukusuket self-assigned this Dec 19, 2023
@fukusuket fukusuket marked this pull request as ready for review December 19, 2023 13:04

@YamatoSecurity YamatoSecurity left a comment


@fukusuket I confirmed it with GitHub actions. LGTM! Thank you!

@YamatoSecurity YamatoSecurity merged commit bd1fe11 into main Dec 19, 2023
2 checks passed
@YamatoSecurity YamatoSecurity deleted the 552-fix-add-check-for-incompatible-modifier branch December 19, 2023 21:48
Successfully merging this pull request may close these issues.

Incomplete field modifier(expand) rule created