NextronSystems / aurora-agent-lite

Repository to handle issues with our free EDR agent Aurora Lite

could not initialize Module Sigma: could not load sigma rules: no valid sigma rules found #1

Closed Flocap closed 2 years ago

Flocap commented 2 years ago

Hi,

Since 12/05, aurora-agent doesn't start.

Debug output:

May 14 08:23:43 LAPTOP-T8LOPKCL AURORA: Debug MODULE: Aurora-Agent MESSAGE: Started CPU limiter LIMIT: 35
May 14 08:23:43 LAPTOP-T8LOPKCL AURORA: Debug MODULE: Aurora-Agent MESSAGE: Started offering status information
      ___                                  __    _ __
     /   | __  ___________  _________ _   / /   (_) /____
    / /| |/ / / / ___/ __ \/ ___/ __ `/  / /   / / __/ _ \
   / ___ / /_/ / /  / /_/ / /  / /_/ /  / /___/ / /_/  __/
  /_/  |_\__,_/_/   \____/_/   \__,_/  /_____/_/\__/\___/

  Aurora Agent Lite Version 1.0.5 (1ee787bfd27f7), Signature Revision 2022/05/12-150708 (Sigma 0.21-330-g1f7021fed)
  (C) Nextron Systems GmbH, 2022

May 14 08:23:43 LAPTOP-T8LOPKCL AURORA: Debug MODULE: EventDistributor MESSAGE: Initialized process excludes EXCLUDES: 1
May 14 08:23:43 LAPTOP-T8LOPKCL AURORA: Debug MODULE: ETWSource MESSAGE: Initializing module
May 14 08:23:43 LAPTOP-T8LOPKCL AURORA: Debug MODULE: ETWKernelSource MESSAGE: Initializing module
May 14 08:23:43 LAPTOP-T8LOPKCL AURORA: Debug MODULE: EventlogSource MESSAGE: Initializing module
May 14 08:23:43 LAPTOP-T8LOPKCL AURORA: Debug MODULE: PollHandles MESSAGE: Initializing module
May 14 08:23:43 LAPTOP-T8LOPKCL AURORA: Debug MODULE: ApplyIOCs MESSAGE: Initializing module
May 14 08:23:43 LAPTOP-T8LOPKCL AURORA: Debug MODULE: ApplyIOCs MESSAGE: Handling ioc file FILE: C:\Program Files\Aurora-Agent\signatures\iocs\c2-iocs.dat
May 14 08:23:43 LAPTOP-T8LOPKCL AURORA: Debug MODULE: ApplyIOCs MESSAGE: Reading iocs from C:\Program Files\Aurora-Agent\signatures\iocs\c2-iocs.dat as 'domains' type
May 14 08:23:43 LAPTOP-T8LOPKCL AURORA: Debug MODULE: ApplyIOCs MESSAGE: Handling ioc file FILE: C:\Program Files\Aurora-Agent\signatures\iocs\falsepositive-hashes.dat
May 14 08:23:43 LAPTOP-T8LOPKCL AURORA: Debug MODULE: ApplyIOCs MESSAGE: Reading iocs from C:\Program Files\Aurora-Agent\signatures\iocs\falsepositive-hashes.dat as false positive 'hash' type
May 14 08:23:43 LAPTOP-T8LOPKCL AURORA: Debug MODULE: ApplyIOCs MESSAGE: Handling ioc file FILE: C:\Program Files\Aurora-Agent\signatures\iocs\filename-iocs.dat
May 14 08:23:43 LAPTOP-T8LOPKCL AURORA: Debug MODULE: ApplyIOCs MESSAGE: Reading iocs from C:\Program Files\Aurora-Agent\signatures\iocs\filename-iocs.dat as 'filename' type
May 14 08:23:43 LAPTOP-T8LOPKCL AURORA: Debug MODULE: ApplyIOCs MESSAGE: Handling ioc file FILE: C:\Program Files\Aurora-Agent\signatures\iocs\hash-iocs.dat
May 14 08:23:43 LAPTOP-T8LOPKCL AURORA: Debug MODULE: ApplyIOCs MESSAGE: Reading iocs from C:\Program Files\Aurora-Agent\signatures\iocs\hash-iocs.dat as 'hash' type
May 14 08:23:43 LAPTOP-T8LOPKCL AURORA: Debug MODULE: ApplyIOCs MESSAGE: Handling ioc file FILE: C:\Program Files\Aurora-Agent\signatures\iocs\keywords.dat
May 14 08:23:43 LAPTOP-T8LOPKCL AURORA: Debug MODULE: ApplyIOCs MESSAGE: Handling ioc file FILE: C:\Program Files\Aurora-Agent\signatures\iocs\otx-hash-iocs.dat
May 14 08:23:43 LAPTOP-T8LOPKCL AURORA: Debug MODULE: ApplyIOCs MESSAGE: Reading iocs from C:\Program Files\Aurora-Agent\signatures\iocs\otx-hash-iocs.dat as 'hash' type
May 14 08:23:43 LAPTOP-T8LOPKCL AURORA: Debug MODULE: ApplyIOCs MESSAGE: Hash IOC has invalid length (should be MD5, SHA1 or SHA256) FILE: C:\Program Files\Aurora-Agent\signatures\iocs\otx-hash-iocs.dat STRING: 2d56709dfa628bdb10453b4d23d36491
May 14 08:23:44 LAPTOP-T8LOPKCL AURORA: Debug MODULE: ApplyIOCs MESSAGE: Successfully compiled 2832 filename ioc strings and 464 filename ioc regexs TYPE: IOC
May 14 08:23:44 LAPTOP-T8LOPKCL AURORA: Debug MODULE: ApplyIOCs MESSAGE: Successfully compiled 1666 malware domains TYPE: IOC
May 14 08:23:44 LAPTOP-T8LOPKCL AURORA: Debug MODULE: ApplyIOCs MESSAGE: Successfully compiled 49777 malware and 30 false positive hashes TYPE: IOC
May 14 08:23:44 LAPTOP-T8LOPKCL AURORA: Debug MODULE: ApplyIOCs MESSAGE: Successfully compiled 0 named pipe ioc strings and 0 named pipe ioc regexs TYPE: IOC
May 14 08:23:44 LAPTOP-T8LOPKCL AURORA: Debug MODULE: ApplyIOCs MESSAGE: Successfully compiled 0 malicious handles and 0 regex malicious handles TYPE: IOC
May 14 08:23:44 LAPTOP-T8LOPKCL AURORA: Debug MODULE: Rescontrol MESSAGE: Initializing module
May 14 08:23:44 LAPTOP-T8LOPKCL AURORA: Debug MODULE: Sigma MESSAGE: Initializing module
May 14 08:23:44 LAPTOP-T8LOPKCL AURORA: Debug MODULE: Sigma MESSAGE: Loading sigma rules FOLDER: C:\Program Files\Aurora-Agent\signatures\sigma-rules
May 14 08:23:44 LAPTOP-T8LOPKCL AURORA: Debug MODULE: Sigma MESSAGE: Loading sigma rules FOLDER: C:\Program Files\Aurora-Agent\custom-signatures
May 14 08:23:44 LAPTOP-T8LOPKCL AURORA: Debug MODULE: Sigma MESSAGE: Loading log source SOURCE: C:\Program Files\Aurora-Agent\log-sources\event-log-sources.yml
May 14 08:23:44 LAPTOP-T8LOPKCL AURORA: Debug MODULE: Sigma MESSAGE: Loading log source SOURCE: C:\Program Files\Aurora-Agent\log-sources\etw-log-sources-standard.yml
May 14 08:23:44 LAPTOP-T8LOPKCL AURORA: Debug MODULE: Sigma MESSAGE: Loading log source SOURCE: C:\Program Files\Aurora-Agent\log-sources\etw-log-source-mappings.yml
May 14 08:23:44 LAPTOP-T8LOPKCL AURORA: Debug MODULE: Sigma MESSAGE: Compiling sigma rules
could not initialize Module Sigma: could not load sigma rules: no valid sigma rules found

Indeed, the aurora-signatures-lite-pack.zip does not provide any sigma rules: [screenshot]

I was able to reinstall rules from initial package and successfully start agent, but I guess next update will break it again.

Great tool anyway and thank you for sharing.

Regards.

Neo23x0 commented 2 years ago

Thanks for reporting this issue. It was caused by some refactoring and only affected the "Lite" version. We didn't have tests for the updated packages of the Aurora Lite agent, yet. We fixed the problem and covered the package updates with some tests.
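The failure in this thread is a signature update that shipped with no Sigma rules, which the agent only detects at start-up. The following added example (not code from Nextron Systems or the Aurora agent) is a pre-flight check a defender can run on an unpacked signature pack before rolling it out. It assumes the folder layout visible in the debug log (`sigma-rules` and `iocs` under the signatures directory), treats a rule as valid when it carries the top-level `title`, `logsource` and `detection` keys the Sigma specification requires, and applies the same MD5/SHA1/SHA256 length rule the log reports for hash IOCs. The one-IOC-per-line `.dat` format with `;` comments is an assumption; the sample pack it builds is constructed for the demonstration.

```python
"""Pre-flight validation of an Aurora-style signature pack (added example).

Reproduces, before deployment, the two checks the agent log above performs at
start-up: "no valid sigma rules found" and "Hash IOC has invalid length".
"""
import os
import re
import sys
import tempfile

# Top-level keys every Sigma rule must have (Sigma specification).
REQUIRED_SIGMA_KEYS = ("title", "logsource", "detection")
# Hash lengths the agent accepts: MD5 (32), SHA1 (40), SHA256 (64) hex chars.
VALID_HASH_LENGTHS = {32, 40, 64}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
TOP_LEVEL_KEY_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*):")


def sigma_rule_missing_keys(text):
    """Return the required top-level keys absent from one rule document.

    Top-level keys are 'key:' at column 0; a full YAML parser is deliberately
    avoided so the check runs with no third-party dependency.
    """
    present = {m.group(1) for m in map(TOP_LEVEL_KEY_RE.match, text.splitlines()) if m}
    return [k for k in REQUIRED_SIGMA_KEYS if k not in present]


def hash_ioc_problems(text):
    """Return (line_number, value) for hash entries of invalid length or charset.

    Assumed file format: one IOC per line, optional ';comment' suffix,
    '#' comment lines and blank lines ignored.
    """
    bad = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        value = line.split(";", 1)[0].strip()
        if len(value) not in VALID_HASH_LENGTHS or not HEX_RE.match(value):
            bad.append((n, value))
    return bad


def validate_signature_pack(root):
    """Walk an unpacked pack rooted at `root`; return counts and findings."""
    report = {"valid_rules": 0, "invalid_rules": [], "bad_hash_iocs": [], "errors": []}
    for dirpath, _, files in os.walk(os.path.join(root, "sigma-rules")):
        for name in files:
            if not name.endswith((".yml", ".yaml")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8") as fh:
                missing = sigma_rule_missing_keys(fh.read())
            if missing:
                report["invalid_rules"].append((path, missing))
            else:
                report["valid_rules"] += 1
    if report["valid_rules"] == 0:
        # Exactly the condition that stopped the agent in the log above.
        report["errors"].append("no valid sigma rules found")
    for dirpath, _, files in os.walk(os.path.join(root, "iocs")):
        for name in files:
            if "hash" in name.lower() and name.endswith(".dat"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8") as fh:
                    for n, value in hash_ioc_problems(fh.read()):
                        report["bad_hash_iocs"].append((path, n, value))
    return report


# Constructed sample content for the demonstration (not real signatures).
SAMPLE_RULE = """title: Constructed Example Rule
id: 00000000-0000-0000-0000-000000000000
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: '/example.exe'
    condition: selection
level: low
"""
SAMPLE_HASHES = """# constructed sample hash IOC file
d41d8cd98f00b204e9800998ecf8427e;md5 of the empty string
da39a3ee5e6b4b0d3255bfef95601890afd80709;sha1 of the empty string
deadbeef;constructed bad entry, wrong length
"""


def demo():
    """Build one complete pack and one rule-less pack; return both reports."""
    with tempfile.TemporaryDirectory() as good, tempfile.TemporaryDirectory() as empty:
        for root in (good, empty):
            os.makedirs(os.path.join(root, "sigma-rules"))
            os.makedirs(os.path.join(root, "iocs"))
        with open(os.path.join(good, "sigma-rules", "example.yml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_RULE)
        with open(os.path.join(good, "iocs", "hash-iocs.dat"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_HASHES)
        return validate_signature_pack(good), validate_signature_pack(empty)


if __name__ == "__main__":
    # Usage: python check_pack.py <unpacked signatures dir>; exit 1 on errors.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    result = validate_signature_pack(target) if target else demo()[1]
    print(result)
    sys.exit(1 if result["errors"] else 0)
```

Running it against the extracted update zip from a packaging pipeline turns the start-up crash into a failed build step, which is the kind of test the maintainer's reply describes adding.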