SigmaHQ / sigma-cli

The Sigma command line interface based on pySigma

sigma convert runs error with successful installation of elasticsearch backend. #29

Closed leexuan closed 11 months ago

leexuan commented 11 months ago

Hello, I tried to use `sigma convert`, but I got an error on both Windows 11 and Linux when I ran the following sigma command. And the elasticsearch backend is installed successfully.


```
└─# ./sigma plugin install elasticsearch                                                                                                              1 ⨯
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv
Successfully installed plugin 'elasticsearch'

┌──(rootkali)-[/usr/local/software/Python-3.9.10/bin]
└─# ./sigma convert -t elasticsearch -p sysmon /home/kali/Downloads/proc_creation_win_webshell_recon_detection.yml 
Usage: sigma convert [OPTIONS] INPUT...
Try 'sigma convert --help' for help.

Error: Invalid value for '--target' / '-t': 'elasticsearch' is not one of . - run sigma plugin list --plugin-type backend for a list of available plugins.
```

tr0mb1r commented 11 months ago

Same issue with me

@thomaspatzke

```
> sigma version
0.7.7
> python3.9 -m pip list | grep pySigma
pySigma                       0.10.5
pySigma-backend-elasticsearch 1.0.8
> sigma plugin list
+----------------------+----------+---------+--------------------------------------------------------------+-------------+
| Identifier           | Type     | State   | Description                                                  | Compatible? |
+----------------------+----------+---------+--------------------------------------------------------------+-------------+
| ibm-qradar-aql       | backend  | stable  | IBM QRadar backend for conversion into AQL queries. Contains | no          |
|                      |          |         | mappings for fields and logsources                           |             |
| cortexxdr            | backend  | stable  | Cortex XDR backend that generates XQL queries.               | no          |
| carbonblack          | backend  | stable  | Carbon Black backend that supports queries for both          | no          |
|                      |          |         | Enterprise EDR (fka Threat Hunter) and EDR (fka Response)    |             |
| sentinelone          | backend  | stable  | SentinelOne backend that generates Deep Visibility queries.  | no          |
| sentinelone-pq       | backend  | stable  | SentinelOne backend that generates PowerQuery queries.       | no          |
| splunk               | backend  | stable  | Splunk backend for conversion into SPL and tstats data model | yes         |
|                      |          |         | queries as plain queries and savedsearches.conf              |             |
| insightidr           | backend  | stable  | Rapid7 InsightIDR backend that generates LEQL queries.       | yes         |
| qradar               | backend  | stable  | IBM QRadar backend for conversion into AQL and extension     | no          |
|                      |          |         | packages.                                                    |             |
| elasticsearch        | backend  | stable  | Elasticsearch backend converting into Lucene queries, plain, | yes         |
|                      |          |         | embedded into DSL or as Kibana NDJSON.                       |             |
| opensearch           | backend  | stable  | Opensearch backend converting into Lucene queries and        | yes         |
|                      |          |         | Opensearch alerting rules.                                   |             |
| ala-socprime         | backend  | devel   | Azure Log Analytics backend with Windows log support         | no          |
|                      |          |         | maintained by SOC Prime.                                     |             |
| ala-sifex            | backend  | devel   | Azure Log Analytics backend with Windows log support         | no          |
|                      |          |         | maintained by @sifex.                                        |             |
| stix                 | backend  | devel   | STIX backend converting into plain STIX queries. Contains    | no          |
|                      |          |         | mappings for STIX 2.0 and STIX Shifter taxonomies.           |             |
| loki                 | backend  | stable  | Loki backend for conversion into Loki LogQL queries (plain   | yes         |
|                      |          |         | and ruler YAML for alerts) and pipelines with mappings for   |             |
|                      |          |         | Grafana and promtail Sysmon data.                            |             |
| windows              | pipeline | stable  | Windows logsource to Channel field and generic logsource to  | yes         |
|                      |          |         | Windows audit events mapping.                                |             |
| sysmon               | pipeline | stable  | Mapping from generic log sources to Sysmon events.           | yes         |
| crowdstrike          | pipeline | stable  | Mapping from generic log sources to CrowdStrike events from  | yes         |
|                      |          |         | raw endpoint logs (FDR, Investigate).                        |             |
| ossem                | pipeline | devel   | Mapping from OSSEM to Sigma taxonomy.                        | no          |
| powershell           | backend  | testing | PowerShell backend converting into PowerShell queries.       | yes         |
| microsoft365defender | backend  | testing | Microsoft 365 Defender (formally mdatp) backend and pipeline | no          |
|                      |          |         | for conversion of log sources with Sysmon field schema to    |             |
|                      |          |         | Microsoft Advanced Hunting Queries in Kusto Query Language   |             |
|                      |          |         | (KQL)                                                        |             |
| hawk                 | backend  | testing | HAWK.io MDR backend and pipeline for conversion of log       | no          |
|                      |          |         | sources to HAWK.io BETree queries.                           |             |
| datadog              | backend  | testing | Datadog Cloud SIEM backend and pipeline for conversion of    | yes         |
|                      |          |         | log sources to Datadog Query Syntax                          |             |
+----------------------+----------+---------+--------------------------------------------------------------+-------------+
> sigma convert -t elasticsearch -p sysmon -p ecs_windows ~/Development/Tools/drp/rules/windows/process_creation/proc_creation_win_powershell_getprocess_lsass.yml
Usage: sigma convert [OPTIONS] INPUT...
Try 'sigma convert --help' for help.

Error: Invalid value for '--target' / '-t': 'elasticsearch' is not one of . - run sigma plugin list --plugin-type backend for a list of available plugins.
```

andurin commented 11 months ago

Same here. I have to admit that I didn't test the latest elasticsearch backend regarding sigma-cli usage. I guess the problem originates in the autoloader from pySigma, which doesn't find the (now two) backends, or I made some mistakes within the backend which result in 'hiding' it from the autoloader.

Debug started... stay tuned.

thomaspatzke commented 11 months ago

Fixed it in the backend; the imports in the `__init__.py` of `sigma.backends` are required for the autodiscovery to work.
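The failure mode behind this thread, shown as an added example that is not sigma-cli or pySigma code: a backend package that does not re-export its backend class from its `__init__.py` is invisible to a discovery loop that only inspects the direct submodules of a namespace package. The script builds a throwaway package tree (`sigmademo`, `GoodBackend`, `BadBackend` and the `discover_backends` routine are all constructed here), runs the discovery once, applies the kind of fix the maintainer describes, and runs it again. The discovery routine is a simplified stand-in for pySigma's autoloader as I understand it (an assumption): iterate `pkgutil.iter_modules` over the namespace package, import each sub-package, and collect the `Backend` subclasses reachable as attributes of that module.

```python
import importlib
import inspect
import os
import pkgutil
import sys
import tempfile

# Constructed package tree, modelled on the layout pySigma plugins use as I
# understand it (an assumption): ``sigmademo.backends`` is a namespace
# package (no __init__.py) and each backend is a sub-package under it.
# ``good`` re-exports its class from __init__.py, ``bad`` does not.
DEMO_FILES = {
    "sigmademo/__init__.py": "",
    "sigmademo/base.py": "class Backend:\n    name = 'base'\n",
    "sigmademo/backends/good/__init__.py": "from .lucene import GoodBackend\n",
    "sigmademo/backends/good/lucene.py": (
        "from sigmademo.base import Backend\n"
        "class GoodBackend(Backend):\n    name = 'good'\n"
    ),
    "sigmademo/backends/bad/__init__.py": "",
    "sigmademo/backends/bad/lucene.py": (
        "from sigmademo.base import Backend\n"
        "class BadBackend(Backend):\n    name = 'bad'\n"
    ),
}


def build_demo_tree() -> str:
    """Write DEMO_FILES into a temp dir, put it on sys.path, return the dir."""
    root = tempfile.mkdtemp(prefix="sigma_autodiscovery_")
    for rel, body in DEMO_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    sys.path.insert(0, root)
    importlib.invalidate_caches()
    return root


def discover_backends(namespace: str) -> dict:
    """Simplified autodiscovery (assumed to mirror pySigma's mechanism):
    walk the direct submodules of the namespace package, import each one
    and collect the Backend subclasses exposed as attributes of that module.
    A class that only lives in bad/lucene.py is never seen unless
    bad/__init__.py imports it."""
    base = importlib.import_module("sigmademo.base").Backend
    pkg = importlib.import_module(namespace)
    found = {}
    for info in pkgutil.iter_modules(pkg.__path__, pkg.__name__ + "."):
        module = importlib.import_module(info.name)
        ident = info.name.rsplit(".", 1)[1]  # 'good' / 'bad', like 'elasticsearch'
        for _, cls in inspect.getmembers(module, inspect.isclass):
            if issubclass(cls, base) and cls is not base:
                found[ident] = cls.__name__
    return found


def fix_bad_backend(root: str) -> None:
    """Apply the same kind of fix the maintainer describes: make the package's
    __init__.py import the backend class, then drop the stale module objects
    so the next import re-reads the file (the empty and the fixed file differ
    in size, so the cached bytecode is not reused)."""
    init = os.path.join(root, "sigmademo", "backends", "bad", "__init__.py")
    with open(init, "w") as fh:
        fh.write("from .lucene import BadBackend\n")
    for name in [n for n in sys.modules if n.startswith("sigmademo.backends.bad")]:
        del sys.modules[name]
    importlib.invalidate_caches()


def run_demo() -> tuple:
    """Return (before, after): backends discovered before and after the fix."""
    root = build_demo_tree()
    before = discover_backends("sigmademo.backends")
    fix_bad_backend(root)
    after = discover_backends("sigmademo.backends")
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    print("before fix:", before)  # only 'good' is visible
    print("after fix: ", after)   # 'good' and 'bad' are both visible
```

The second run is the state the CLI needs: a target name such as `-t elasticsearch` can only be validated against identifiers the loop actually collected, which is why an otherwise correctly installed plugin shows up as "not one of" an empty list when its package does not import its classes at the top level.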