Something went wrong

[webhead404]

When exporting a valid sigma rule to any of the options available I am presented with a message that says "Something went wrong" None of the other options work. I am using Elastic Stack 6.4.2.

[jasonazzarella]

There's a lot of hardcoded stuff in here as part of the converting.

Here are some tips based on looking at my logging from plugins/socprime_sigma_ui/server/translation_script/sigma/sigma_converter.log

A lot of stuff points back to files such as plugins/socprime_sigma_ui/server/translation_script/sigma/sigma_converter.py stating that it is looking for python in the wrong directories. Some of these are setup to specifically target /usr/bin/python3.6 or /usr/local/bin/python3.6. I went through all of them and changed them to my /usr/bin/python3 location which resolved the execution side.

You will also want to confirm where your kibana instance is as the execution will target /usr/share/kibana. I usually dump things in /opt/ so I had to fix that hardcoding as well. File location was plugins/socprime_sigma_ui/server/routes/sigma/get-translation.js

Now everything is working a-ok :)

[webhead404]

Do you remember which files in which directory point to the wrong Python version? I looked at the main python sigma.py script and changed it but there might be more. My kibana target is correct so I am good there.

[jasonazzarella]

You can run a recursive grep from your kibana/plugins/socprime_sigma_ui directory if you are on a *nix box.

grep -r "python3.6" .

When I run it, i get the following (because the comments still have 3.6 in the name)

./translation_script/sigma/sigma_converter.py ./translation_script/sigma_old/sigma_converter.py: ./translation_script/sigma_old/sigma_converter.py_old: ./translation_script/sigma_old/sigmaUpdate.py: ./translation_script/sigma_old/sigmaUpdate.py: ./translation_script/sigma_old/sigmaUpdate_translations.py:

You might get a few more than me but it's a quick way to find what files to poke at. If you want to specifically just find all the files, you can add an awk in there and just pull out the first variable.

grep -r "python3.6" . | awk {'print $1'}

[socprime]

Thank you for your report! There are many things to fix in our app, thank you for your time to add this issue. We have already added tasks to backlog for removing hard coded stuff from our app and will implement them as soon as possible.

[pritster5]

I'm still facing this issue after altering the python path to python 3 instead of python 3.6. Is the sigmac that is shipped with the plugin still valid? @jasonazzarella @socprime

[pritster5]

I have also updated the tools folder to use the latest files from https://github.com/SigmaHQ/sigma and the issue of "Something went wrong" still persists. @jasonazzarella @socprime

[pritster5]

Found an issue: In /usr/share/kibana/plugins/socprime_sigma_ui/server/translation_script/sigma/ the tmp_sigma.txt and sigma_converter.log file don't have the necessary permissions by default, which causes sigmac to fail when called.

You can fix this by chmod'ing them both to 755 (full permissions).

[pritster5]

Furthermore, ruamel.yaml NEEDS to be installed for sigmac.py to function correctly: sudo pip3 install ruamel.yaml and sudo pip install ruamel.yaml will fix the below issue:

[2022-01-19 18:24:04,829][sigma_converter][ERROR] 'File access error' Traceback (most recent call last):
File "/usr/share/kibana/plugins/socprime_sigma_ui/server/translation_script/sigma/tools/sigmac", line 3, in <module> from sigma.sigmac import main
File "/usr/share/kibana/plugins/socprime_sigma_ui/server/translation_script/sigma/tools/sigma/sigmac.py", line 21, in <module>
import ruamel.yaml
ModuleNotFoundError: No module named 'ruamel'