Yamato-Security / hayabusa

Hayabusa (隼) is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs.
GNU Affero General Public License v3.0

[bug] `update-rules` command always output `You currently have the latest rules.` #1209

Closed fukusuket closed 11 months ago

fukusuket commented 11 months ago

Describe the bug: The update-rules command always outputs `You currently have the latest rules.`

Steps to Reproduce

  1. unzip hayabusa2.10.0 release zip
  2. hayabusa update-rules

Expected behavior: Updated rule names are output

% ./hayabusa update-rules
...
 - hoge
 - fuga

Updated Sigma rules: x
Rules updated successfully.

Actual behavior: Updated rule names are not output

% ./hayabusa update-rules
...
You currently have the latest rules.

Environment

Additional context: The standard output message is incorrect, but the rule update was actually successful.

YamatoSecurity commented 11 months ago

@fukusuket Thanks for finding and fixing this! Is this just a bug in 2.10.0? It seems to be working up to 2.9.0:

./hayabusa-2.9.0-mac-intel update-rules

╔╗ ╔╦═══╦╗  ╔╦═══╦══╗╔╗ ╔╦═══╦═══╗
║║ ║║╔═╗║╚╗╔╝║╔═╗║╔╗║║║ ║║╔═╗║╔═╗║
║╚═╝║║ ║╠╗╚╝╔╣║ ║║╚╝╚╣║ ║║╚══╣║ ║║
║╔═╗║╚═╝║╚╗╔╝║╚═╝║╔═╗║║ ║╠══╗║╚═╝║
║║ ║║╔═╗║ ║║ ║╔═╗║╚═╝║╚═╝║╚═╝║╔═╗║
╚╝ ╚╩╝ ╚╝ ╚╝ ╚╝ ╚╩═══╩═══╩═══╩╝ ╚╝
   by Yamato Security

Start time: 2023/11/05 08:19

 - Suspicious Non-Browser Network Communication With Google API (Modified: 2023/11/03 | Path: rules/sigma/sysmon/network_connection/net_connection_win_google_api_non_browser_access.yml)
 - Obfuscated IP Download Activity (Modified: 2023/10/29 | Path: rules/sigma/sysmon/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml)
 - Uncommon PowerShell Hosts (Modified: 2023/11/03 | Path: rules/sigma/builtin/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml)
 - Obfuscated IP Download Activity (Modified: 2023/10/29 | Path: rules/sigma/builtin/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml)

Updated Sigma rules: 4
Rules updated successfully.

There is a new version of Hayabusa: v2.10.0
You can download it at https://github.com/Yamato-Security/hayabusa/releases

fukusuket commented 11 months ago

@YamatoSecurity Thank you for checking the issue :) Yes, this is an issue that only occurs in 2.10.0. (This is because, after implementing the Scan Wizard feature, it is necessary to internally specify that all rules are targeted when executing the update-rules command.)