sigma rules

[splunk-user1]

As suggested in the how-to document, I cloned sigma rules on the host at location /opt/timesketch/data/

Q: how would it get replicated to celery worker and webserver docker containers SIGMA_RULES_FOLDERS = ['/etc/timesketch/sigma/rules/'] ? Which shows default rule Suspicious Installation of Zenmap saved in the above path of both the containers. Thanks

[jaegeral]

can you post an file listing of opt/timesketch/data/ This directory is not on the host but on the docker container that runs celery and webserver.

Also note that it is currently not recommended to just clone all upstream sigma rules. This will cause performance issues and a lot of rules do simply not work.

[splunk-user1]

Both celery_worker & web_server shows 0 files in /opt dir

root@*******:/# ls -l opt/
total 0

This is the dir content on the host

root@ubuntu:~# ls -l /opt/timesketch/data/
total 12
drwxr-xr-x  3 ts1 root 4096 Sep 15 08:06 elasticsearch
drwx------ 19    70 root 4096 Sep 25 07:31 postgresql
drwxr-xr-x 11 root  root 4096 Sep 17 05:44 sigma

[jaegeral]

hm what does ls /etc/timesketch/sigma/rules/on root@*******: show? That is where you need to be able to see the files as it is indicated in your config file.