Closed nbareil closed 1 year ago
Hi @nbareil,
So unfortunately not all the Sigma rules are written that well. The reason that Chainsaw won't parse this one into a Tau compatible format is because selection_conf
does not specify a field to search upon for the string Sysmon config state changed
.
If its intended behaviour for this rule to run upon all key value pairs within an event log entry then we can add support for that (it will be slow though) but I don't think that is what this rule is meant to do.
Let me know what you think.
Thanks for your fast answer Alex!
I know almost nothing about Sigma but from its specifications, this construction looks to be allowed by the language:
2.9.4. Lists Lists can contain:
- strings that are applied to the full log message and are linked with a logical 'OR'.
- maps (see below). All map items of a list are logically linked with 'OR'.
Example for list of strings: Matches on 'EvilService' or 'svchost.exe -n evil'
detection: keywords: - EVILSERVICE - svchost.exe -n evil
Now, as said, there are only 93 out of 2400 rules in SigmaHQ that do not parse, I don't think it is a big deal and I do not have any opinion if you should implement it or not, if you feel this change is more problematic than helpful, feel free to close this issue with WONTFIX 🤗
Kind regards
Exaclty, its allowed in their spec but its allows for inefficient rules to be written. It is basically saying look for those values anywhere in the entry (full log message). When we are processing structured data (like event logs, json, xml, etc) the concept of a full log message
does not really make sense, the author must has fields in mind they would like to match. I would argue that its lazy rule writing to not specify the fields that would would like to search on.
Thanks for your understanding, I will mark as won't fix unless a burning desire arises to need this feature.
Oh and the other ones that can't convert are usually using thinks like inefficient regex which Rust does not support. I will have another look again when I get time to see if I can easily get any of the final 93 in.
Hello there!
First time user of chainsaw, it has a tremendous potential! 🚀
I was trying to use it with the current version of Sigma and I've got 93 errors (out of >2400 rules so gg) at the lint step for "keyless identifiers cannot be converted".
Here is a minimalist example of such behaviour:
If I remove
selection_conf
part, it works:I wish I could help but I have zero knowledge in Rust:
https://github.com/WithSecureLabs/chainsaw/blob/6aa5ae5a39e14c2b47e21e71ff4f2c79a33075f4/src/rule/sigma.rs#L489