Closed MidavSec closed 2 years ago
Hey, thanks for playing with this. I haven't had time to do anything with it for quite a while unfortunately.
I think the errors are for some sigma rules that have multiple yaml docs in the same file. Haven't trapped for that problem yet.
To try them in Wazuh you need to put them in that directory. You can put them in the existing rules file or create a new file. Then restart wazuh.
Please note that there are still logic errors the script produces when converting Sigma logic to Wazuh logic, which I haven't fixed yet either, due to time, unfortunately. The problems are with Sigma rules that have more complex logic.
Closing this as I think it's a non-issue now, but I am working through other issues.
Hi @theflakes!
Great project, thanks in advance, it saves a lot of work :) I am working with Wazuh 4.2.5.
I am having the following issue:
[root@x sigma_to_wazuh]# python3 get-wazuh_rule_info.py
ERROR: unable to load /var/ossec/ruleset/rules/0770-gitlab_rules.xmli -> not well-formed (invalid token): line 154, column 139
ERROR: unable to load /var/ossec/ruleset/rules/0850-audit_rules.xmli -> not well-formed (invalid token): line 22, column 980
ERROR: unable to load /var/ossec/ruleset/rules/0910-ms-exchange-proxylogon_rules.xmli -> not well-formed (invalid token): line 63, column 60
Traceback (most recent call last):
  File "get-wazuh_rule_info.py", line 114, in <module>
    main()
  File "get-wazuh_rule_info.py", line 109, in main
    report.parse_rules()
  File "get-wazuh_rule_info.py", line 78, in parse_rules
    description = description.replace('"', '""') # one rule has quotes in the description, need to escap them
AttributeError: 'NoneType' object has no attribute 'replace'
When the sigma.xml is generated should I put it in /var/ossec/etc/rules? Or how to proceed after the sigma.xml is generated?
Thanks.
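The traceback above dies on `description.replace(...)` because one `<rule>` in the ruleset has no `<description>` element, so `description` is `None`, and the three "not well-formed" errors are the XML parser refusing a file outright. The block below is an added example, not code from the sigma_to_wazuh project or from either poster, showing a tolerant Wazuh rule loader: it treats a missing description as an empty string, escapes embedded double quotes for CSV output, and reports a file that still fails to parse instead of aborting the whole run. Two assumptions are built in and labelled in the comments: that a rule file is a sequence of top-level `<group>` elements rather than a single rooted document, and that a bare `&` is the kind of token that can make such a file not well-formed. The sample rule file is constructed for the example; the real causes of the errors at those specific lines and columns are not known from the thread.

```python
"""Tolerant loader for Wazuh rule XML (added example, not the sigma_to_wazuh
project's own code).

Assumptions made here, not facts taken from the issue thread:
  * a rule file is a sequence of top-level <group> elements with no single
    document root, so it is wrapped in a synthetic <root> before parsing;
  * a bare '&' (not part of an entity reference) may appear in rule text and
    is escaped before parsing;
  * a <rule> may have no <description> element at all.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample input: two top-level <group> elements, a rule whose
# description contains double quotes, a rule with no <description>, and a
# bare '&' in text content.
SAMPLE_RULES_XML = """<group name="example,">
  <rule id="100001" level="3">
    <decoded_as>json</decoded_as>
    <description>Login "admin" from untrusted net &amp; more</description>
  </rule>
  <rule id="100002" level="5">
    <if_sid>100001</if_sid>
  </rule>
</group>
<group name="example2,">
  <rule id="100003" level="7">
    <description>Command & control beacon</description>
  </rule>
</group>
"""

# An '&' that is not followed by a named, decimal or hex entity reference.
_BARE_AMP = re.compile(r"&(?![a-zA-Z]+;|#\d+;|#x[0-9a-fA-F]+;)")


def normalize_wazuh_xml(text):
    """Wrap the element sequence in a synthetic root and escape bare '&'.
    Assumption: these are the only well-formedness problems in the input."""
    return "<root>" + _BARE_AMP.sub("&amp;", text) + "</root>"


def parse_wazuh_rules(text):
    """Return one dict per <rule> with id, level, group and description.
    A missing or empty <description> yields '' instead of None."""
    root = ET.fromstring(normalize_wazuh_xml(text))
    rules = []
    for group in root.findall("group"):
        for rule in group.findall("rule"):
            desc_el = rule.find("description")
            description = (desc_el.text or "") if desc_el is not None else ""
            rules.append({
                "id": rule.get("id"),
                "level": rule.get("level"),
                "group": group.get("name", ""),
                "description": description,
            })
    return rules


def to_csv_rows(rules):
    """Render rules as CSV lines, doubling any embedded double quote so a
    quoted description survives the round trip."""
    def quote(value):
        return '"' + str(value).replace('"', '""') + '"'
    fields = ("id", "level", "group", "description")
    return [",".join(quote(rule[f]) for f in fields) for rule in rules]


def load_rule_file(path):
    """Parse one rule file; on a parse error report it and return no rules so
    the remaining files are still processed."""
    try:
        with open(path, encoding="utf-8") as fh:
            return parse_wazuh_rules(fh.read())
    except ET.ParseError as exc:
        print(f"ERROR: unable to load {path} -> {exc}")
        return []


if __name__ == "__main__":
    for row in to_csv_rows(parse_wazuh_rules(SAMPLE_RULES_XML)):
        print(row)
```

To run it against a real ruleset, call `load_rule_file` on each file under `/var/ossec/ruleset/rules/` and concatenate the results; a file that still fails to parse is reported and skipped rather than stopping the report.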