Closed fukusuket closed 1 year ago
Confirmed!
Introduced by this commit, which fixed the log sources but broke compatibility by introducing list elements. I believe this bug is also contained in other backends. Will revert the change in the main branch and move it to 0.9.x, which contains further breaking changes.
Fixed in 0.8.11.
Thank you for your quick response :)
I confirmed that the command succeeds with the steps below 😀
pip uninstall pysigma    <- to remove pySigma 0.8.10
pip install sigma-cli
sigma list pipelines
fukusuke@fukusukenoAir ~ % sigma list pipelines
+----------------------------+----------+----------------------------------------------------------------------------------+---------------------------+
| Identifier | Priority | Processing Pipeline | Backends |
+----------------------------+----------+----------------------------------------------------------------------------------+---------------------------+
| sysmon | 10 | Generic Log Sources to Sysmon Transformation | all |
| crowdstrike_fdr | 10 | Generic Log Sources to CrowdStrike Falcon Data Replicator (FDR) Transformation | all |
| splunk_windows | 20 | Splunk Windows log source conditions | splunk |
| splunk_sysmon_acceleration | 25 | Splunk Windows Sysmon search acceleration keywords | splunk |
| splunk_cim | 20 | Splunk CIM Data Model Mapping | splunk |
| ecs_windows | 20 | Elastic Common Schema (ECS) Windows log mappings from Winlogbeat from version 7 | elasticsearch, opensearch |
| ecs_windows_old | 20 | Elastic Common Schema (ECS) Windows log mappings from Winlogbeat up to version 6 | elasticsearch, opensearch |
| ecs_zeek_beats | 20 | Elastic Common Schema (ECS) for Zeek using filebeat >= 7.6.1 | elasticsearch, opensearch |
| ecs_zeek_corelight | 20 | Elastic Common Schema (ECS) mapping from Corelight | elasticsearch, opensearch |
| zeek | 20 | Zeek raw JSON field naming | all |
| windows | 10 | Generic Log Sources to Windows Transformation | all |
+----------------------------+----------+----------------------------------------------------------------------------------+---------------------------+
Hello, thank you for maintaining these tools :) I found the following issue, so I would appreciate it if you could check it.
Describe the bug
The sigma list pipelines command failed with the latest sigma-cli (0.5.3).
Step to Reproduce
python3 -m pip install sigma-cli
sigma list pipelines
Expected behavior
The sigma list pipelines command succeeds.
Actual behavior
The command failed with the following stack trace.
Environment
I confirmed in the following environments.
Additional context
The above error occurs in the following code. It seems that originally source was expected to be of type str (not list). However, the windows_logsource_mapping value now contains the type list from the following commits (pySigma 0.8.10). Because the pySigma version is 0.8.1 in poetry.lock, this issue did not occur when I installed with poetry install. It seems to be an issue related to pySigma-backend-splunk, so it may be better to create an issue in the pySigma-backend-splunk repository?
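The str-versus-list mismatch described above, as an added example that is not code from pySigma or pySigma-backend-splunk: a constructed stand-in for windows_logsource_mapping with both value shapes, the old str-only condition builder that breaks on a list, and a compatible builder that normalizes both shapes. The channel names and the Splunk source="WinEventLog:..." condition format are assumptions for illustration.

```python
from typing import Dict, List, Union

# Constructed stand-in for windows_logsource_mapping. Older releases mapped each
# service to a single channel string; pySigma 0.8.10 introduced list values for
# services that write to several channels. Channel names are illustrative.
windows_logsource_mapping: Dict[str, Union[str, List[str]]] = {
    "security": "Security",
    "sysmon": "Microsoft-Windows-Sysmon/Operational",
    "powershell": [
        "Microsoft-Windows-PowerShell/Operational",
        "PowerShellCore/Operational",
    ],
}


def source_condition_old(source: str) -> str:
    """Backend logic as the issue describes it: `source` must be a str."""
    if not isinstance(source, str):
        raise TypeError(f"expected str, got {type(source).__name__}")
    return f'source="WinEventLog:{source}"'


def source_condition_compat(source: Union[str, List[str]]) -> str:
    """Accept both shapes: wrap a str in a list, then OR the alternatives."""
    channels = [source] if isinstance(source, str) else list(source)
    if not channels:
        raise ValueError("logsource mapping has no channels")
    parts = [f'source="WinEventLog:{channel}"' for channel in channels]
    return parts[0] if len(parts) == 1 else "(" + " OR ".join(parts) + ")"


def old_logic_fails(source: Union[str, List[str]]) -> bool:
    """True when the str-only builder rejects this mapping value."""
    try:
        source_condition_old(source)  # type: ignore[arg-type]
    except TypeError:
        return True
    return False


def build_conditions(mapping: Dict[str, Union[str, List[str]]]) -> Dict[str, str]:
    """Build one Splunk-style source condition per service, for either shape."""
    return {service: source_condition_compat(value) for service, value in mapping.items()}


if __name__ == "__main__":
    for service, condition in build_conditions(windows_logsource_mapping).items():
        print(f"{service:12s} {condition}")
```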