Kibana backend throws exception when multiple indices appear
* Introduced backend errors with handling in sigmac
@@ -18,6 +18,7 @@ test-sigmac:
|
||||
coverage run -a --include=tools/* tools/sigmac.py -rvdI -c tools/config/elk-linux.yml -t kibana rules/ > /dev/null
|
||||
coverage run -a --include=tools/* tools/sigmac.py -rvdI -c tools/config/elk-windows.yml -t xpack-watcher rules/ > /dev/null
|
||||
coverage run -a --include=tools/* tools/sigmac.py -rvdI -c tools/config/elk-linux.yml -t xpack-watcher rules/ > /dev/null
|
||||
coverage run -a --include=tools/* tools/sigmac.py -rvdI -c tools/config/elk-defaultindex.yml -t xpack-watcher rules/ > /dev/null
|
||||
coverage run -a --include=tools/* tools/sigmac.py -rvdI -c tools/config/splunk-windows-all.yml -t splunk rules/ > /dev/null
|
||||
coverage run -a --include=tools/* tools/sigmac.py -rvdI -c tools/config/logpoint-windows-all.yml -t logpoint rules/ > /dev/null
|
||||
coverage run -a --include=tools/* tools/sigmac.py -rvdI -t grep rules/ > /dev/null
|
||||
@@ -27,9 +28,10 @@ test-sigmac:
|
||||
! coverage run -a --include=tools/* tools/sigmac.py -t es-qs tests/not_existing.yml > /dev/null
|
||||
! coverage run -a --include=tools/* tools/sigmac.py -t es-qs tests/invalid_yaml.yml > /dev/null
|
||||
! coverage run -a --include=tools/* tools/sigmac.py -t es-qs tests/invalid_sigma-no_identifiers.yml > /dev/null
|
||||
! coverage run -a --include=tools/* tools/sigmac.py -t es-qs rules/windows/builtin/win_susp_failed_logons_single_source.yml
|
||||
! coverage run -a --include=tools/* tools/sigmac.py -t es-qs -o /not_possible rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
|
||||
! coverage run -a --include=tools/* tools/sigmac.py -t es-qs -c not_existing rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
|
||||
! coverage run -a --include=tools/* tools/sigmac.py -t es-qs -c tests/invalid_yaml.yml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
|
||||
! coverage run -a --include=tools/* tools/sigmac.py -t es-qs -c tests/invalid_config.yml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
|
||||
! coverage run -a --include=tools/* tools/sigmac.py -t es-qs rules/windows/builtin/win_susp_failed_logons_single_source.yml
|
||||
! coverage run -a --include=tools/* tools/sigmac.py -t es-qs -o /not_possible rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
|
||||
! coverage run -a --include=tools/* tools/sigmac.py -t es-qs -c not_existing rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
|
||||
! coverage run -a --include=tools/* tools/sigmac.py -t es-qs -c tests/invalid_yaml.yml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
|
||||
! coverage run -a --include=tools/* tools/sigmac.py -t es-qs -c tests/invalid_config.yml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
|
||||
! coverage run -a --include=tools/* tools/sigmac.py -rvI -c tools/config/elk-defaultindex.yml -t kibana rules/ > /dev/null
|
||||
coverage report --fail-under=80
|
||||
|
||||
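Review bot: The added negative test on the `-t kibana` line with `tools/config/elk-defaultindex.yml` only asserts a non-zero exit via the leading `!`, so it also passes when sigmac fails for an unrelated reason (unreadable config, a malformed rule) rather than through the NotSupportedError path this commit introduces. Pinning the status makes it a real regression test, e.g. `coverage run -a --include=tools/* tools/sigmac.py -rvI -c tools/config/elk-defaultindex.yml -t kibana rules/ > /dev/null; test $$? -eq 8`, assuming the missing `-d` means the first backend error exits immediately with the new code 8. The five `es-qs` lines starting at `win_susp_failed_logons_single_source.yml` are printed twice with identical text; if the change there is whitespace only, saying so in the commit message would spare readers diffing them by eye.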
+10
-3
@@ -336,8 +336,7 @@ class KibanaBackend(ElasticsearchQuerystringBackend, MultiRuleOutputMixin):
|
||||
for index in indices:
|
||||
final_rulename = rulename
|
||||
if len(indices) > 1: # add index names if rule must be replicated because of ambigiuous index patterns
|
||||
final_rulename += "-" + indexname
|
||||
title = "%s (%s)" % (sigmaparser.parsedyaml["title"], index)
|
||||
raise NotSupportedError("Multiple target indices are not supported by Kibana")
|
||||
else:
|
||||
title = sigmaparser.parsedyaml["title"]
|
||||
try:
|
||||
@@ -576,7 +575,6 @@ class GrepBackend(BaseBackend, QuoteCharMixin):
|
||||
def generateValueNode(self, node):
|
||||
return self.cleanValue(str(node))
|
||||
|
||||
|
||||
### Backends for developement purposes
|
||||
|
||||
class FieldnameListBackend(BaseBackend):
|
||||
@@ -622,3 +620,12 @@ def flatten(l):
|
||||
yield from flatten(i)
|
||||
else:
|
||||
yield i
|
||||
|
||||
# Exceptions
|
||||
class BackendError(Exception):
|
||||
"""Base exception for backend-specific errors."""
|
||||
pass
|
||||
|
||||
class NotSupportedError(BackendError):
|
||||
"""Exception is raised if some output is required that is not supported by the target language."""
|
||||
pass
|
||||
|
||||
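Review bot: In the KibanaBackend hunk the `if len(indices) > 1` check now raises inside the `for index in indices` loop, so the comment on that line (`# add index names if rule must be replicated because of ambigiuous index patterns`) describes the removed behaviour and `final_rulename = rulename` has become a no-op reassignment. Hoisting the guard above the loop states the new contract directly: `if len(indices) > 1:` / `    raise NotSupportedError("Multiple target indices are not supported by Kibana")` placed before `for index in indices:`, with the stale comment dropped. The enclosing method starts and ends outside the hunk, so the rest of the loop body is not visible here. In the last hunk, the `pass` after the docstring in `BackendError` and `NotSupportedError` is redundant and can be removed.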
@@ -101,6 +101,11 @@ for sigmafile in get_inputs(cmdargs.inputs, cmdargs.recurse):
|
||||
error = 4
|
||||
if not cmdargs.defer_abort:
|
||||
sys.exit(error)
|
||||
except backends.BackendError as e:
|
||||
print("Backend error in %s: %s" % (sigmafile, str(e)), file=sys.stderr)
|
||||
error = 8
|
||||
if not cmdargs.defer_abort:
|
||||
sys.exit(error)
|
||||
except NotImplementedError as e:
|
||||
print("An unsupported feature is required for this Sigma rule: " + str(e), file=sys.stderr)
|
||||
print("Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma", file=sys.stderr)
|
||||
|
||||
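Review bot: `error = 8` in the new `except backends.BackendError` handler overwrites whatever an earlier file set, so in a deferred-abort run a parse failure (`error = 4`) followed by a backend error reports only 8 at the final exit, assuming the deferred `sys.exit(error)` past the hunk uses this variable. If the codes are meant as combinable flags, as the power-of-two values suggest, `error |= 8` here (and `error |= 4` in the sibling handler) preserves both outcomes. `str(e)` inside the `%s` format is redundant; `"Backend error in %s: %s" % (sigmafile, e)` is equivalent. The enclosing `for sigmafile` loop and its `try` begin before the hunk.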