atc-project / atomic-threat-coverage

Actionable analytics designed to combat threats
Apache License 2.0

Output from Sigma to Markdown has too many escape characters #201

Closed auzroz closed 4 years ago

auzroz commented 4 years ago

When Splunk is the output, the markdown version of the query displays "\\" to escape a single backslash. This issue seems to be caused by the output of the p.communicate() in detectionrule.py (https://github.com/atc-project/atomic-threat-coverage/blob/master/scripts/detectionrule.py#L108).

We locally applied the following changes to address the issue:

import subprocess

# Original code: Popen + communicate() hands the query back as bytes, and
# formatting bytes into the Markdown template goes through repr(), which
# doubles every backslash.
# p = subprocess.Popen(cmd, stdout=subprocess.PIPE, shell=True)
# (query2, err) = p.communicate()

# getoutput() returns the decoded str, so backslashes are rendered as-is.
query2 = subprocess.getoutput(cmd)

# Wait for the child process to terminate and get its return code
# p_status = p.wait()
# p.wait()

""" Had to remove '-' due to problems with
Jinja2 variable naming,
e.g es-qs throws error 'no es variable'
"""

det_queries[query] = query2

I can open a PR if you'd like, not sure if there are any additional effects caused by this change.
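A stand-alone reproduction of the bytes-versus-str behaviour behind this issue, added here as an example and not taken from the project. It assumes a small Python one-liner standing in for the sigmac call, which prints a Splunk-style query containing single backslashes:

```python
import shlex
import subprocess
import sys

# Constructed stand-in for the sigmac command in detectionrule.py: a tiny
# script that prints a Splunk-style query with one backslash per separator.
QUERY = r'CommandLine="*\Windows\Temp\*"'
SCRIPT = "import sys; sys.stdout.write(%r)" % QUERY
CMD = shlex.join([sys.executable, "-c", SCRIPT])


def render_via_communicate(cmd: str = CMD) -> str:
    """The original path: communicate() returns bytes, and formatting bytes
    into a text template calls repr(), so the Markdown shows b'...' with
    every backslash doubled."""
    p = subprocess.Popen(cmd, stdout=subprocess.PIPE, shell=True)
    (query2, err) = p.communicate()
    p.wait()
    return "Query: %s" % query2  # bytes formatted as text -> repr()


def render_via_getoutput(cmd: str = CMD) -> str:
    """The fix from this issue: getoutput() decodes stdout to str, so the
    query lands in the Markdown verbatim with single backslashes."""
    query2 = subprocess.getoutput(cmd)
    return "Query: %s" % query2


if __name__ == "__main__":
    print(render_via_communicate())  # doubled backslashes, wrapped in b'...'
    print(render_via_getoutput())    # backslashes preserved as emitted
```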

sn0w0tter commented 4 years ago

Hey @auzroz Thanks for reporting! 20eaf64 contains a fix for this, will be merged to master with next update.