Conflicts merging in Sigma

[marcurdy]

Basic build process has conflicts. Attempted manually outside of the script.

$ /atomic-threat-coverage/detection_rules/sigma$ git pull origin master From https://github.com/Neo23x0/sigma

• branch master -> FETCH_HEAD Auto-merging tests/test_rules.py CONFLICT (content): Merge conflict in tests/test_rules.py Auto-merging rules/windows/sysmon/sysmon_apt_pandemic.yml Auto-merging rules/windows/process_creation/win_susp_process_creations.yml CONFLICT (content): Merge conflict in rules/windows/process_creation/win_susp_process_creations.yml Auto-merging rules/windows/process_creation/win_susp_net_execution.yml CONFLICT (content): Merge conflict in rules/windows/process_creation/win_susp_net_execution.yml Auto-merging rules/windows/process_creation/win_susp_fsutil_usage.yml CONFLICT (content): Merge conflict in rules/windows/process_creation/win_susp_fsutil_usage.yml Auto-merging rules/windows/process_creation/win_susp_eventlog_clear.yml CONFLICT (content): Merge conflict in rules/windows/process_creation/win_susp_eventlog_clear.yml Auto-merging rules/windows/process_creation/win_renamed_binary.yml CONFLICT (content): Merge conflict in rules/windows/process_creation/win_renamed_binary.yml Auto-merging rules/windows/process_creation/win_apt_zxshell.yml Auto-merging rules/windows/process_creation/win_apt_turla_commands.yml Auto-merging rules/windows/process_creation/win_apt_tropictrooper.yml Auto-merging rules/windows/process_creation/win_apt_sofacy.yml Auto-merging rules/windows/process_creation/win_apt_slingshot.yml Auto-merging rules/windows/process_creation/win_apt_hurricane_panda.yml Auto-merging rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml Auto-merging rules/windows/process_creation/win_apt_dragonfly.yml Auto-merging rules/windows/process_creation/win_apt_cloudhopper.yml Auto-merging rules/windows/deprecated/win_susp_vssadmin_ntds_activity.yml Auto-merging rules/windows/deprecated/sysmon_mimikatz_detection_lsass.yml Auto-merging rules/windows/builtin/win_susp_raccess_sensitive_fext.yml Auto-merging rules/windows/builtin/win_mal_service_installs.yml CONFLICT (content): Merge conflict in rules/windows/builtin/win_mal_service_installs.yml Auto-merging rules/windows/builtin/win_mal_creddumper.yml CONFLICT (content): Merge conflict in rules/windows/builtin/win_mal_creddumper.yml Auto-merging rules/windows/builtin/win_apt_stonedrill.yml Auto-merging rules/windows/builtin/win_apt_carbonpaper_turla.yml Auto-merging rules/windows/builtin/win_apt_apt29_tor.yml Auto-merging rules/network/net_apt_equationgroup_c2.yml Auto-merging rules/linux/lnx_apt_equationgroup_lnx.yml Auto-merging CHANGELOG.md Automatic merge failed; fix conflicts and then commit the result.

[yugoslavskiy]

Hello @marcurdy !

Sorry for the inconvenience.

This is caused by ongoing activities around the First OSCD Sprint and its PR to Sigma repo.

For now we are using oscd branch of Sigma repo to construct all mappings and create all entities. We do that mostly to have more analytics in the knowledge base, that we are visualising in public.

Yes, it has conflicts with master branch, and Sigma repo maintainers are working on it.

There are multiple solutions for that case:

1. hotfix: pull from oscd branch:

git pull origin oscd

2. waiting: just wait a bit for PR to be merged.

3. fixing on our side: we just switch everything back to master, decreasing amount of Detection Rules (mapped analytics in general).

What would be better to do? What do you guys think?

@marcurdy @mrblacyk @sn0w0tter

[marcurdy]

I found that deleting the git files from the sigma parent directory and doing a fresh clone of sigma works, but anything you want merged is lost.

[yugoslavskiy]

Great 👍

Since you've solved the issues on your side already, I think it make sense to close it.