SIGMA parser error on filter containing CIDR directive #2971
Comments
Have you tried the same, adding the Sigma rule with the web UI?
Hm, but as far as I understand the error message, this is due to the Sigma parser itself, which we import, not anything Timesketch implements. (It might have been fixed with a later version of Sigma; I haven't updated the module in a while.)
Describe the bug
In the SIGMA parser on the TSCTL importer, there are certain filters that are not supported by Timesketch. These are removed from the YAML data on load.
However, when attempting to load a SIGMA rule containing a filter on a CIDR block, the parser throws a key error:
Example sigma rule:
External Remote SMB Logon from Public IP
In the above SIGMA rule, there is a modifier for the IPv4 filter:
This gets parsed by the importer as:
'filter_ipv4': {'IpAddress|cidr': ['127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16']}
Resulting in the key error (cidr is not a key in the above dict, but that key is expected by the SIGMA parser).
We have not been able to locate exactly what needs to be fixed to support the import of SIGMA rules with a CIDR filter.
In addition to that, it would be nice if the importer would catch these errors, rather than raise them, so the import of working rules continues.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
We expected the SIGMA rule to be imported without error.
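The two points the report raises, a `field|cidr` modifier key that the loader leaves in the detection dict and the wish to skip a broken rule rather than abort the whole import, illustrated as an added, standalone Python example (not Timesketch's or the Sigma project's code). It assumes a simplified detection dict as sample input, implements only the `cidr` modifier, and does not evaluate the rule's `condition`.

```python
import ipaddress
import logging

# Constructed sample: the detection section of the rule from the issue, as the
# YAML loader hands it over. Sigma encodes modifiers as 'field|modifier' keys.
DETECTION = {
    "selection": {"EventID": 4624, "LogonType": 3},
    "filter_ipv4": {"IpAddress|cidr": ["127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]},
    "condition": "selection and not filter_ipv4",
}

def parse_block(block):
    """{'IpAddress|cidr': [...]} -> [(field, modifiers, values)]; KeyError on a modifier not implemented here."""
    parsed = []
    for key, expected in block.items():
        field, *modifiers = key.split("|")
        unknown = set(modifiers) - {"cidr"}  # 'cidr' is the only modifier this example supports
        if unknown:
            raise KeyError("unsupported modifier(s) %s on %s" % (sorted(unknown), field))
        parsed.append((field, modifiers, expected if isinstance(expected, list) else [expected]))
    return parsed

def in_cidr(value, networks):
    """True if value is an IP address inside any of the listed CIDR blocks."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:  # missing field or a non-IP value never matches a CIDR filter
        return False
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)

def block_matches(block, event):
    """Every field of one detection block must match the event."""
    for field, modifiers, values in parse_block(block):
        value = event.get(field)
        matched = in_cidr(value, values) if "cidr" in modifiers else value in values
        if not matched:
            return False
    return True

def import_rules(rules):
    """Validate each rule; a broken one is logged and skipped so the rest still import."""
    imported, failed = [], []
    for name, detection in rules.items():
        try:
            for key in set(detection) - {"condition"}:
                parse_block(detection[key])
            imported.append(name)
        except KeyError as err:
            logging.warning("skipping rule %r: %s", name, err)
            failed.append(name)
    return imported, failed
```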