Describe the bug
In certain cases, the import of Sigma rules fails, especially when they contain characters like '.

To Reproduce
Steps to reproduce the behavior:
Run tsctl import-sigma-rules [location_of_rule]/proc_creation_lnx_gtfobin_vim.yml
See error:
yaml.parser.ParserError: while parsing a flow mapping
  in "<unicode string>", line 1, column 1:
    {'title': 'Vim GTFOBin Abuse - L ...
    ^
expected ',' or '}', but got '<scalar>'
  in "<unicode string>", line 1, column 151:
    ... 'Detects usage of "vim" and it\'s siblings as a GTFOBin to execu ...

Expected behavior
Successful import of rule

Additional context
I think the problem here lies in lines 250 to 255 of sigma_util.py:
timesketch/timesketch/lib/sigma_util.py
Lines 250 to 255 in 57c585c
in connection with lines 32 to 36 of tools/sigma/parser/collection.py in the sigmatools package:
The function is called twice on the same input (once in sigma_util.py, once in collection.py). The "double-escaping" seems to lead to a ParserError.
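
The following is an added example, not part of the original report and not Timesketch, sigmatools or PyYAML code. It shows why the `it\'s` fragment in the traceback ends a YAML single-quoted scalar early: YAML escapes an apostrophe by doubling it, while a backslash is an ordinary character. `read_single_quoted`, `yaml_single_quote`, `trailing_garbage` and the sample string are constructed for illustration, and the scanner is a simplified model of the single-quoted rule only.

```python
"""Why a backslash-escaped apostrophe breaks a YAML single-quoted scalar."""


def read_single_quoted(text, start=0):
    """Decode a YAML single-quoted scalar that begins at text[start].

    Inside '...' the only escape is a doubled quote ('' -> '); a backslash
    has no special meaning. Returns (value, index just past the closing quote).
    """
    if text[start] != "'":
        raise ValueError("not a single-quoted scalar")
    out, i = [], start + 1
    while i < len(text):
        if text[i] == "'":
            if text[i + 1:i + 2] == "'":  # '' is an escaped apostrophe
                out.append("'")
                i += 2
                continue
            return "".join(out), i + 1    # a lone ' closes the scalar
        out.append(text[i])
        i += 1
    raise ValueError("unterminated single-quoted scalar")


def yaml_single_quote(value):
    """Quote a string the YAML way: double every apostrophe."""
    return "'" + value.replace("'", "''") + "'"


def trailing_garbage(quoted):
    """Text left after the scalar closes; non-empty means the parser chokes."""
    _, end = read_single_quoted(quoted)
    return quoted[end:]


# Constructed sample modelled on the description fragment in the traceback.
DESCRIPTION = 'Detects usage of "vim" and it\'s siblings'

if __name__ == "__main__":
    candidates = (
        ("backslash escape (Python repr)", repr(DESCRIPTION)),
        ("doubled quote (YAML)", yaml_single_quote(DESCRIPTION)),
    )
    for label, quoted in candidates:
        value, end = read_single_quoted(quoted)
        print(f"{label}: {quoted}")
        print(f"  scalar value: {value!r}")
        print(f"  left over   : {quoted[end:]!r}")
```

With the backslash form the scalar closes right after `it\`, and the leftover text starting at `s` is the unexpected scalar that the error message reports inside the flow mapping.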