SIGMA parser error on filter containing CIDR directive #2971

Open
FrankShorty opened this issue Nov 3, 2023 · 3 comments

@FrankShorty

Describe the bug
In the SIGMA parser on the TSCTL importer, there are certain filters that are not supported by Timesketch. These are removed from the YAML data on load.

However, when attempting to load a SIGMA rule containing a filter on a CIDR block, the parser throws a key error:

  File "/usr/local/lib/python3.10/dist-packages/sigma/parser/rule.py", line 86, in parse_definition
    value = apply_modifiers(value, modifiers)
  File "/usr/local/lib/python3.10/dist-packages/sigma/parser/modifiers/discovery.py", line 36, in apply_modifiers
    value = modifiers[modifier](value).apply()
KeyError: 'cidr'

Example sigma rule:
External Remote SMB Logon from Public IP

In the above SIGMA rule, there is a modifier on the IPv4 filter:

    filter_ipv4:
        IpAddress|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'

This gets parsed by the importer as:
'filter_ipv4': {'IpAddress|cidr': ['127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16']}
Resulting in the key error (cidr is not a key in the above DICT, but that key is expected by the SIGMA parser).

We have not been able to locate exactly what needs to be fixed to support the import of SIGMA rules with a CIDR filter.
In addition to that, it would be nice if the importer would catch these errors, rather than raise them, so the import of working rules continues.

To Reproduce
Steps to reproduce the behavior:

  1. Download the mentioned SIGMA rule into the Timesketch Sigma folder
  2. Run the TSCTL import_sigma_rules command on the SIGMA folder
  3. See error

Expected behavior
We expected the SIGMA rule to be imported without error.
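The following is an added illustration, not Timesketch or sigmatools code: a stand-in for a Sigma detection parser with a modifier registry. It reproduces the `KeyError: 'cidr'` from the report when `cidr` is not registered, shows a tolerant variant that skips the offending search identifier and records it (the behaviour the report asks for), and implements a hypothetical `cidr` modifier with `ipaddress` against the filter from the rule above. All function names are assumptions.

```python
import ipaddress

def apply_cidr(value):
    """Hypothetical 'cidr' modifier: turn CIDR strings into network objects."""
    return [ipaddress.ip_network(v) for v in value]

def apply_contains(value):
    """Minimal 'contains' modifier, for a registry with more than one entry."""
    return [f"*{v}*" for v in value]

MODIFIERS_STRICT = {"contains": apply_contains}               # no 'cidr', as in the traceback
MODIFIERS_FULL = {"contains": apply_contains, "cidr": apply_cidr}

def parse_detection(detection, modifiers, strict=True):
    """Parse a Sigma detection dict {name: {'field|mod1|mod2': values}}.

    strict=True mirrors the parser in the issue: an unknown modifier raises KeyError.
    strict=False skips that search identifier, records it, and keeps parsing.
    """
    parsed, skipped = {}, {}
    for name, fields in detection.items():
        if not isinstance(fields, dict):
            continue  # 'condition' strings and keyword lists carry no modifiers
        try:
            parsed_fields = {}
            for key, value in fields.items():
                field, *mods = key.split("|")
                value = value if isinstance(value, list) else [value]
                for mod in mods:
                    value = modifiers[mod](value)   # KeyError: 'cidr' when unregistered
                parsed_fields[field] = value
            parsed[name] = parsed_fields
        except KeyError as err:
            if strict:
                raise
            skipped[name] = f"unsupported modifier {err}"
    return parsed, skipped

def unsupported_modifier(detection, modifiers):
    """Return the first unregistered modifier name a strict parse trips over, or None."""
    try:
        parse_detection(detection, modifiers)
    except KeyError as err:
        return err.args[0]
    return None

def matches_cidr(ip, networks):
    """True when ip falls inside any parsed CIDR block, i.e. the filter would exclude it."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

# Constructed detection block using the filter_ipv4 section quoted in the issue.
DETECTION = {
    "selection": {"LogonType": 3},
    "filter_ipv4": {"IpAddress|cidr": ["127.0.0.0/8", "10.0.0.0/8",
                                       "172.16.0.0/12", "192.168.0.0/16"]},
    "condition": "selection and not filter_ipv4",
}
```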

@jaegeral
Collaborator

jaegeral commented Nov 7, 2023

Have you tried the same, adding the Sigma rule via the web UI?

@FrankShorty
Author


That results in a Server Side Error:

 timesketch.app/ERROR Exception on /api/v1/sigmarules/text/ [POST]
Traceback (most recent call last):
  File "/usr/local/lib/python3.10/dist-packages/flask/app.py", line 1484, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/local/lib/python3.10/dist-packages/flask/app.py", line 1469, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
  File "/usr/local/lib/python3.10/dist-packages/flask_restful/__init__.py", line 489, in wrapper
    resp = resource(*args, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/flask/views.py", line 109, in view
    return current_app.ensure_sync(self.dispatch_request)(**kwargs)
  File "/usr/local/lib/python3.10/dist-packages/flask_restful/__init__.py", line 604, in dispatch_request
    resp = meth(*args, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/flask_login/utils.py", line 290, in decorated_view
    return current_app.ensure_sync(func)(*args, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/timesketch/api/v1/resources/sigma.py", line 310, in post
    sigma_rule = ts_sigma_lib.parse_sigma_rule_by_text(content)
  File "/usr/local/lib/python3.10/dist-packages/timesketch/lib/sigma_util.py", line 253, in parse_sigma_rule_by_text
    parser = sigma_collection.SigmaCollectionParser(
  File "/usr/local/lib/python3.10/dist-packages/sigma/parser/collection.py", line 62, in __init__
    self.parsers.append(SigmaParser(yamldoc, config))
  File "/usr/local/lib/python3.10/dist-packages/sigma/parser/rule.py", line 29, in __init__
    self.parse_sigma()
  File "/usr/local/lib/python3.10/dist-packages/sigma/parser/rule.py", line 53, in parse_sigma
    condparsed = SigmaConditionParser(self, tokens)
  File "/usr/local/lib/python3.10/dist-packages/sigma/parser/condition.py", line 502, in __init__
    self.parsedSearch = self.parseSearch(tokens)
  File "/usr/local/lib/python3.10/dist-packages/sigma/parser/condition.py", line 565, in parseSearch
    treenode = operator[2](self.sigmaParser, tok_op, tok_val)
  File "/usr/local/lib/python3.10/dist-packages/sigma/parser/condition.py", line 297, in generateOneOf
    return generateXOf(sigma, val, ConditionOR)
  File "/usr/local/lib/python3.10/dist-packages/sigma/parser/condition.py", line 284, in generateXOf
    cond.add(NodeSubexpression(sigma.parse_definition(definition)))
  File "/usr/local/lib/python3.10/dist-packages/sigma/parser/rule.py", line 86, in parse_definition
    value = apply_modifiers(value, modifiers)
  File "/usr/local/lib/python3.10/dist-packages/sigma/parser/modifiers/discovery.py", line 36, in apply_modifiers
    value = modifiers[modifier](value).apply()
KeyError: 'cidr'

@jaegeral
Collaborator

jaegeral commented Nov 9, 2023

Hm, but as far as I understand the error message, this is due to the Sigma parser itself, which we import, not anything Timesketch implements. (It might have been fixed in a later version of Sigma; I haven't updated the module in a while.)
