
feat: keep yaml comment as is #568

Merged
merged 10 commits into from
Jan 20, 2024

Conversation

fukusuket
Collaborator

@fukusuket fukusuket commented Jan 19, 2024

What Changed

Evidence

Test Environment

  • OS: macOS Sonoma version 14.0
  • Hard: MacBook Air(M1, 2020) , Memory 8GB, Core 8
  • Poetry: version 1.7.1

Test1

I confirmed that the comments will remain as below.

title: Microsoft Malware Protection Engine Crash
id: 545a5da6-f103-4919-a519-e9aec1026ee4
related:
    - id: 6c82cf5c-090d-4d57-9188-533577631108
      type: similar
status: experimental
description: This rule detects a suspicious crash of the Microsoft Malware Protection Engine
references:
    - https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
    - https://technet.microsoft.com/en-us/library/security/4022344
author: Florian Roth (Nextron Systems)
date: 2017/05/09
modified: 2023/04/14
tags:
    - attack.defense_evasion
    - attack.t1211
    - attack.t1562.001
logsource:
  product: windows
  service: application
    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
  application:
    Channel: Application
  selection:
    Provider_Name: Application Error
    EventID: 1000
    Data|contains|all:
        - MsMpEng.exe
        - mpengine.dll
  condition: application and selection
falsepositives:
    - MsMpEng might crash if the "C:\" partition is full
level: high
ruletype: Sigma

Test2

I confirmed that there was no difference as follows.

% ./hayabusa csv-timeline -d ../hayabusa-sample-evtx -w -r converted_sigma_rules_new -o new.csv -C
% ./hayabusa csv-timeline -d ../hayabusa-sample-evtx -w -r converted_sigma_rules_old -o old.csv -C
% diff old.csv new.csv
% 

I confirmed that there was no parse error.

% ./hayabusa csv-timeline -d ../hayabusa-sample-evtx -w -r converted_sigma_rules_new -o new.csv -C
...
Loading detection rules. Please wait.

Excluded rules: 27

Deprecated rules: 187 (4.85%) (Disabled)
Experimental rules: 1418 (36.81%)
Stable rules: 108 (2.80%)
Test rules: 2326 (60.38%)
Unsupported rules: 45 (1.17%) (Disabled)

Sigma rules: 3852
Total enabled detection rules: 3852

Output profile: standard

I would appreciate it if you could review when you have time🙏

@fukusuket fukusuket added the bug Something isn't working label Jan 19, 2024
@fukusuket fukusuket self-assigned this Jan 19, 2024
@fukusuket fukusuket marked this pull request as ready for review January 19, 2024 14:29
@YamatoSecurity
Collaborator

@fukusuket Thanks so much! I tried running this action but it failed:

Run cd hayabusa-rules/tools/sigmac/
Creating virtualenv hayabusa_rule_converter-ntTGS2Wa-py3.10 in /home/runner/.cache/pypoetry/virtualenvs
Installing dependencies from lock file

Package operations: 3 installs, 0 updates, 0 removals

  • Installing ruamel-yaml-clib (0.2.8)
  • Installing ruamel-yaml (0.18.5)
  • Installing ruff (0.1.13)
[INFO:logsource_mapping.py:456] Start to logsource mapping sigma rules.
[ERROR:logsource_mapping.py:469] Rule directory(file) [sigma-repo] does not exists.
Error: Process completed with exit code 1.

Link: https://github.com/Yamato-Security/hayabusa-rules/actions/runs/7590115798/job/20676058920

@fukusuket
Collaborator Author

@YamatoSecurity
Sorry, I missed the changes.. 🙇 Fixed the actions! Could you please confirm?

@YamatoSecurity
Collaborator

@fukusuket Thanks! The conversion is working now, however, I noticed that the spacing went from 4 characters to 2 characters. Can we keep it at 4 characters as I think that is easier to read?

@fukusuket
Collaborator Author

@YamatoSecurity
Thank you so much for checking! I fixed it! Could you please confirm?🙇

title: Microsoft Malware Protection Engine Crash
id: 545a5da6-f103-4919-a519-e9aec1026ee4
related:
    - id: 6c82cf5c-090d-4d57-9188-533577631108
      type: similar
status: experimental
description: This rule detects a suspicious crash of the Microsoft Malware Protection Engine
references:
    - https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
    - https://technet.microsoft.com/en-us/library/security/4022344
author: Florian Roth (Nextron Systems)
date: 2017/05/09
modified: 2023/04/14
tags:
    - attack.defense_evasion
    - attack.t1211
    - attack.t1562.001
logsource:
    product: windows
    service: application
    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
    application:
        Channel: Application
    selection:
        Provider_Name: Application Error
        EventID: 1000
        Data|contains|all:
            - MsMpEng.exe
            - mpengine.dll
    condition: application and selection
falsepositives:
    - MsMpEng might crash if the "C:\" partition is full
level: high
ruletype: Sigma

Collaborator

@YamatoSecurity YamatoSecurity left a comment


@fukusuket Thanks so much! LGTM! I double-checked that it detects just as before. I will merge this.

@YamatoSecurity YamatoSecurity merged commit a7038b5 into main Jan 20, 2024
2 of 3 checks passed
@YamatoSecurity YamatoSecurity deleted the 408-add-comment branch January 20, 2024 05:56
fukusuket added a commit that referenced this pull request Jan 21, 2024
fukusuket added a commit that referenced this pull request Jan 21, 2024
YamatoSecurity added a commit that referenced this pull request Jan 21, 2024
fix: rule parse error (regression caused by #568)
Labels
bug Something isn't working
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Comments are erased when converting rules
2 participants