google / timesketch

Collaborative forensic timeline analysis
Apache License 2.0

SIGMA parser error on filter containing CIDR directive #2971

Open FrankShorty opened 11 months ago

FrankShorty commented 11 months ago

Describe the bug

In the SIGMA parser on the TSCTL importer, there are certain filters that are not supported by Timesketch. These are removed from the YAML data on load.

However, when attempting to load a SIGMA rule containing a filter on a CIDR block, the parser throws a key error:

  File "/usr/local/lib/python3.10/dist-packages/sigma/parser/rule.py", line 86, in parse_definition
    value = apply_modifiers(value, modifiers)
  File "/usr/local/lib/python3.10/dist-packages/sigma/parser/modifiers/discovery.py", line 36, in apply_modifiers
    value = modifiers[modifier](value).apply()
KeyError: 'cidr'

Example sigma rule: External Remote SMB Logon from Public IP

In the above SIGMA rule, there is a Modifier for the IPv4 filter:

    filter_ipv4:
        IpAddress|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'

This gets parsed by the importer as: 'filter_ipv4': {'IpAddress|cidr': ['127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16']}, resulting in the key error (cidr is not a key in the above dict, but that key is expected by the SIGMA parser).

We have not been able to locate exactly what needs to be fixed to support the import of SIGMA rules with a CIDR filter. In addition to that, it would be nice if the importer would catch these errors, rather than raise them, so the import of working rules continues.

To Reproduce

Steps to reproduce the behavior:

  1. Download the mentioned SIGMA rule into the Timesketch Sigma folder
  2. run the TSCL import_sigma_rules on the SIGMA folder
  3. See error

Expected behavior

We expected the SIGMA rule to be imported without error.
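The two things the report asks for are a way to recognise rules with a modifier the parser cannot apply (here `cidr`) and an import loop that records such failures instead of aborting on the first one. The following is an added example, not code from the issue author or from Timesketch; it assumes the rule has already been loaded with yaml.safe_load() into the dict form shown above, and the set of supported modifiers is an assumption to be adjusted to the installed Sigma parser version.

```python
"""Pre-flight check for Sigma rules: flag field modifiers the parser cannot
apply (e.g. 'cidr') and keep importing the rest of the batch."""

# Assumption: modifiers the legacy sigma parser understands; adjust to your version.
SUPPORTED_MODIFIERS = {"contains", "all", "startswith", "endswith", "re", "base64",
                       "base64offset", "utf16le", "utf16be", "utf16", "wide"}

# Constructed samples, in the dict form yaml.safe_load() produces for a rule file.
RULE_WITH_CIDR = {
    "title": "Constructed rule with CIDR filter",
    "detection": {
        "selection": {"EventID": 4624},
        "filter_ipv4": {"IpAddress|cidr": ["127.0.0.0/8", "10.0.0.0/8",
                                           "172.16.0.0/12", "192.168.0.0/16"]},
        "condition": "selection and not 1 of filter_*",
    },
}
RULE_PLAIN = {"title": "Constructed plain rule",
              "detection": {"selection": {"EventID|contains|all": ["46"]},
                            "condition": "selection"}}


def unsupported_modifiers(rule):
    """Return the set of (field, modifier) pairs the parser would reject."""
    found = set()
    for name, block in rule.get("detection", {}).items():
        if name == "condition":
            continue
        # A search identifier is a dict (AND of fields) or a list of dicts (OR).
        for mapping in (block if isinstance(block, list) else [block]):
            if not isinstance(mapping, dict):
                continue  # plain keyword lists carry no field modifiers
            for key in mapping:
                field, _, mods = key.partition("|")
                for mod in filter(None, mods.split("|")):
                    if mod not in SUPPORTED_MODIFIERS:
                        found.add((field, mod))
    return found


def import_rules(rules, importer):
    """Call importer(rule) for each rule; collect failures instead of raising."""
    imported, skipped = [], []
    for rule in rules:
        bad = unsupported_modifiers(rule)
        if bad:
            skipped.append((rule["title"], "unsupported modifiers: %s" % sorted(bad)))
            continue
        try:
            imported.append(importer(rule))
        except Exception as exc:  # one broken rule must not stop the whole batch
            skipped.append((rule["title"], "%s: %s" % (type(exc).__name__, exc)))
    return imported, skipped
```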

jaegeral commented 10 months ago

Have you tried the same adding the Sigma rule with web ui?

FrankShorty commented 10 months ago

That results in a Server Side Error:

 timesketch.app/ERROR Exception on /api/v1/sigmarules/text/ [POST]
Traceback (most recent call last):
  File "/usr/local/lib/python3.10/dist-packages/flask/app.py", line 1484, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/local/lib/python3.10/dist-packages/flask/app.py", line 1469, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
  File "/usr/local/lib/python3.10/dist-packages/flask_restful/__init__.py", line 489, in wrapper
    resp = resource(*args, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/flask/views.py", line 109, in view
    return current_app.ensure_sync(self.dispatch_request)(**kwargs)
  File "/usr/local/lib/python3.10/dist-packages/flask_restful/__init__.py", line 604, in dispatch_request
    resp = meth(*args, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/flask_login/utils.py", line 290, in decorated_view
    return current_app.ensure_sync(func)(*args, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/timesketch/api/v1/resources/sigma.py", line 310, in post
    sigma_rule = ts_sigma_lib.parse_sigma_rule_by_text(content)
  File "/usr/local/lib/python3.10/dist-packages/timesketch/lib/sigma_util.py", line 253, in parse_sigma_rule_by_text
    parser = sigma_collection.SigmaCollectionParser(
  File "/usr/local/lib/python3.10/dist-packages/sigma/parser/collection.py", line 62, in __init__
    self.parsers.append(SigmaParser(yamldoc, config))
  File "/usr/local/lib/python3.10/dist-packages/sigma/parser/rule.py", line 29, in __init__
    self.parse_sigma()
  File "/usr/local/lib/python3.10/dist-packages/sigma/parser/rule.py", line 53, in parse_sigma
    condparsed = SigmaConditionParser(self, tokens)
  File "/usr/local/lib/python3.10/dist-packages/sigma/parser/condition.py", line 502, in __init__
    self.parsedSearch = self.parseSearch(tokens)
  File "/usr/local/lib/python3.10/dist-packages/sigma/parser/condition.py", line 565, in parseSearch
    treenode = operator[2](self.sigmaParser, tok_op, tok_val)
  File "/usr/local/lib/python3.10/dist-packages/sigma/parser/condition.py", line 297, in generateOneOf
    return generateXOf(sigma, val, ConditionOR)
  File "/usr/local/lib/python3.10/dist-packages/sigma/parser/condition.py", line 284, in generateXOf
    cond.add(NodeSubexpression(sigma.parse_definition(definition)))
  File "/usr/local/lib/python3.10/dist-packages/sigma/parser/rule.py", line 86, in parse_definition
    value = apply_modifiers(value, modifiers)
  File "/usr/local/lib/python3.10/dist-packages/sigma/parser/modifiers/discovery.py", line 36, in apply_modifiers
    value = modifiers[modifier](value).apply()
KeyError: 'cidr'

jaegeral commented 10 months ago

Hm, but as far as I understand the error message, this is due to the Sigma parser itself, which we import, not anything Timesketch implements. (It might have been fixed with a later version of Sigma; I haven't updated the module in a while.)