Yamato-Security / hayabusa

Hayabusa (隼) is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs.
GNU Affero General Public License v3.0
2.26k stars, 200 forks

[bug] `level-tuning` command panics after `update-rules` #996

Closed fukusuket closed 1 year ago

fukusuket commented 1 year ago

Describe the bug

level-tuning command panics after update-rules

I noticed it while running integration test. https://github.com/Yamato-Security/hayabusa/actions/runs/4650226668/jobs/8229083578

Step to Reproduce

./hayabusa update-rules
./hayabusa level-tuning -f ./rules/config/level_tuning.txt

Expected behavior

level-tuning command succeeds.

Actual behavior

fukusuke@fukusukenoAir hayabusa-2.3.2-all-platforms % ./hayabusa update-rules

╔╗ ╔╦═══╦╗  ╔╦═══╦══╗╔╗ ╔╦═══╦═══╗
║║ ║║╔═╗║╚╗╔╝║╔═╗║╔╗║║║ ║║╔═╗║╔═╗║
║╚═╝║║ ║╠╗╚╝╔╣║ ║║╚╝╚╣║ ║║╚══╣║ ║║
║╔═╗║╚═╝║╚╗╔╝║╚═╝║╔═╗║║ ║╠══╗║╚═╝║
║║ ║║╔═╗║ ║║ ║╔═╗║╚═╝║╚═╝║╚═╝║╔═╗║
╚╝ ╚╩╝ ╚╝ ╚╝ ╚╝ ╚╩═══╩═══╩═══╩╝ ╚╝
   by Yamato Security

Start time: 2023/04/10 22:25

 -  (Modified: - | Path: rules/config/logsource-mapping.yml)
 - Disable Windows Event Logging Via Registry (Modified: 2023/04/05 | Path: rules/sigma/sysmon/registry/registry_set/registry_set_disable_winevt_logging.yml)
 - Disable Windows Event Logging Via Registry (Modified: 2023/04/05 | Path: rules/sigma/builtin/registry/registry_set/registry_set_disable_winevt_logging.yml)

Updated Other rules: 1
Updated Sigma rules: 2
Rules updated successfully.

fukusuke@fukusukenoAir hayabusa-2.3.2-all-platforms % ./hayabusa level-tuning -f ./rules/config/level_tuning.txt

╔╗ ╔╦═══╦╗  ╔╦═══╦══╗╔╗ ╔╦═══╦═══╗
║║ ║║╔═╗║╚╗╔╝║╔═╗║╔╗║║║ ║║╔═╗║╔═╗║
║╚═╝║║ ║╠╗╚╝╔╣║ ║║╚╝╚╣║ ║║╚══╣║ ║║
║╔═╗║╚═╝║╚╗╔╝║╚═╝║╔═╗║║ ║╠══╗║╚═╝║
║║ ║║╔═╗║ ║║ ║╔═╗║╚═╝║╚═╝║╚═╝║╔═╗║
╚╝ ╚╩╝ ╚╝ ╚╝ ╚╝ ╚╩═══╩═══╩═══╩╝ ╚╝
   by Yamato Security

Start time: 2023/04/10 22:25

thread 'main' panicked at 'called `Option::unwrap()` on a `None` value', src/options/level_tuning.rs:71:73
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

Environment

Additional context

If I move the following yml away, no error occurs:

 -  (Modified: - | Path: rules/config/logsource-mapping.yml)

So it seems that https://github.com/Yamato-Security/hayabusa-rules/pull/363 causes this error?

hitenkoku commented 1 year ago

@fukusuket Thanks for reporting the issue. I will check it.

hitenkoku commented 1 year ago

@fukusuket I found the cause of the problem.

The reason is that config/logsource-mapping.yml, which was not originally targeted by update-rules, is now targeted by it. update-rules targets .yml files under rules.

config/geoip_field_mapping.yaml is not affected by the change because it has a different extension.

I think the problem will be solved if you modify the following in hayabusa-rules instead of hayabusa.

logsource-mapping.yml -> logsource-mapping.yaml
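The failure mode described above, as an added example that is not hayabusa's own code: a file set is selected the way the thread describes (every `.yml` under `rules/`, which lets `rules/config/logsource-mapping.yml` in while `geoip_field_mapping.yaml` stays out), and the tuning step returns an error for a file with no `level:` key instead of unwrapping a `None`. The in-memory files, the rule id `example-rule-0001`, the tuning table keyed by rule id (the page does not show the `level_tuning.txt` format) and the line-scanning stand-in for a YAML parser are all constructed for illustration; the `config`-directory exclusion is one possible hardening and not the fix the project chose (renaming the file).

```rust
use std::collections::HashMap;
use std::path::Path;

/// A YAML file as `update-rules` would hand it to `level-tuning`.
/// Constructed in-memory stand-in for files under `rules/`; not hayabusa's own type.
pub struct YamlFile<'a> {
    pub path: &'a str,
    pub body: &'a str,
}

#[derive(Debug, PartialEq)]
pub enum TuneError {
    /// No top-level `level:` key: the file is a config file, not a Sigma rule.
    NoLevel(String),
    /// No top-level `id:` key, so it cannot be looked up in the tuning table.
    NoId(String),
}

/// Selection as described in the thread: every `.yml` under `rules/` counts.
/// `logsource-mapping.yml` matches, `geoip_field_mapping.yaml` does not.
pub fn selected_by_extension_only(path: &str) -> bool {
    Path::new(path).extension().and_then(|e| e.to_str()) == Some("yml")
}

/// Hardened selection (assumption, not the project's fix): additionally skip
/// anything under a `config` directory, so the rule set no longer depends on
/// the extension a config file happens to use.
pub fn selected_excluding_config(path: &str) -> bool {
    let under_config = Path::new(path)
        .components()
        .any(|c| c.as_os_str().to_str() == Some("config"));
    selected_by_extension_only(path) && !under_config
}

/// Read a top-level scalar `key: value` by line scanning. Deliberately minimal
/// stand-in for a YAML parser; sufficient for the constructed inputs below.
fn top_level_value(body: &str, key: &str) -> Option<String> {
    body.lines()
        .filter(|l| !l.starts_with(' ') && !l.starts_with('#'))
        .find_map(|l| {
            let (k, v) = l.split_once(':')?;
            (k.trim() == key).then(|| v.trim().to_string())
        })
}

/// Rewrite a rule's `level:` from the tuning table (rule id -> new level).
/// A missing key is reported as an error rather than unwrapped, so one stray
/// config file cannot abort the whole run with a panic.
pub fn tune_level(file: &YamlFile, tuning: &HashMap<&str, &str>) -> Result<String, TuneError> {
    let old = top_level_value(file.body, "level")
        .ok_or_else(|| TuneError::NoLevel(file.path.to_string()))?;
    let id = top_level_value(file.body, "id")
        .ok_or_else(|| TuneError::NoId(file.path.to_string()))?;
    match tuning.get(id.as_str()) {
        Some(new) => Ok(file.body.replacen(&format!("level: {old}"), &format!("level: {new}"), 1)),
        None => Ok(file.body.to_string()), // rule not in the tuning table: left unchanged
    }
}

/// Tune every selected file; returns (tuned bodies, files skipped with the reason).
pub fn run(files: &[YamlFile], tuning: &HashMap<&str, &str>, select: fn(&str) -> bool) -> (Vec<String>, Vec<TuneError>) {
    let mut tuned = Vec::new();
    let mut skipped = Vec::new();
    for f in files.iter().filter(|f| select(f.path)) {
        match tune_level(f, tuning) {
            Ok(body) => tuned.push(body),
            Err(e) => skipped.push(e),
        }
    }
    (tuned, skipped)
}

/// Constructed inputs modelled on the paths printed by `update-rules` in the issue;
/// the bodies and the rule id are illustrative, not real rule content.
pub fn sample_files() -> Vec<YamlFile<'static>> {
    vec![
        YamlFile {
            path: "rules/sigma/sysmon/registry/registry_set/registry_set_disable_winevt_logging.yml",
            body: "title: Disable Windows Event Logging Via Registry\nid: example-rule-0001\nlevel: high\n",
        },
        YamlFile {
            path: "rules/config/logsource-mapping.yml",
            body: "# maps Sigma logsource to Windows channels (constructed)\nsecurity:\n  Channel: Security\n",
        },
        YamlFile {
            path: "rules/config/geoip_field_mapping.yaml",
            body: "SrcIP:\n  - SourceIp\n",
        },
    ]
}

/// Constructed tuning table: rule id -> new level.
pub fn sample_tuning() -> HashMap<&'static str, &'static str> {
    HashMap::from([("example-rule-0001", "critical")])
}

fn main() {
    let files = sample_files();
    let tuning = sample_tuning();
    let (tuned, skipped) = run(&files, &tuning, selected_by_extension_only);
    println!("extension-only: tuned {} file(s), skipped {:?}", tuned.len(), skipped);
    let (tuned, skipped) = run(&files, &tuning, selected_excluding_config);
    println!("excluding config/: tuned {} file(s), skipped {:?}", tuned.len(), skipped);
}
```

With extension-only selection the config file is picked up and reported as skipped instead of crashing the run; with the `config` directory excluded it is never considered, which is the same outcome the project reached by renaming the file to `.yaml`.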

fukusuket commented 1 year ago

Thank you so much for the quick investigation!! I see (I was wondering why it didn't occur with geoip_field_mapping... lol)