From 7f93d3ca47ea9ea20e652b98b44d4e28b770d5f6 Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Mon, 23 Oct 2017 00:45:01 +0200
Subject: [PATCH] Kibana backend throws exception when multiple indices appear

* Introduced backend errors with handling in sigmac
---
 Makefile | 12 +++++++-----
 tools/backends.py | 13 ++++++++++---
 tools/sigmac.py | 5 +++++
 3 files changed, 22 insertions(+), 8 deletions(-)

diff --git a/Makefile b/Makefile
index 03dc98cf0..8940284eb 100644
--- a/Makefile
+++ b/Makefile
@@ -18,6 +18,7 @@ test-sigmac:
 coverage run -a --include=tools/* tools/sigmac.py -rvdI -c tools/config/elk-linux.yml -t kibana rules/ > /dev/null
 coverage run -a --include=tools/* tools/sigmac.py -rvdI -c tools/config/elk-windows.yml -t xpack-watcher rules/ > /dev/null
 coverage run -a --include=tools/* tools/sigmac.py -rvdI -c tools/config/elk-linux.yml -t xpack-watcher rules/ > /dev/null
+ coverage run -a --include=tools/* tools/sigmac.py -rvdI -c tools/config/elk-defaultindex.yml -t xpack-watcher rules/ > /dev/null
 coverage run -a --include=tools/* tools/sigmac.py -rvdI -c tools/config/splunk-windows-all.yml -t splunk rules/ > /dev/null
 coverage run -a --include=tools/* tools/sigmac.py -rvdI -c tools/config/logpoint-windows-all.yml -t logpoint rules/ > /dev/null
 coverage run -a --include=tools/* tools/sigmac.py -rvdI -t grep rules/ > /dev/null
@@ -27,9 +28,10 @@ test-sigmac:
 ! coverage run -a --include=tools/* tools/sigmac.py -t es-qs tests/not_existing.yml > /dev/null
 ! coverage run -a --include=tools/* tools/sigmac.py -t es-qs tests/invalid_yaml.yml > /dev/null
 ! coverage run -a --include=tools/* tools/sigmac.py -t es-qs tests/invalid_sigma-no_identifiers.yml > /dev/null
- ! coverage run -a --include=tools/* tools/sigmac.py -t es-qs rules/windows/builtin/win_susp_failed_logons_single_source.yml
- ! coverage run -a --include=tools/* tools/sigmac.py -t es-qs -o /not_possible rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
- ! coverage run -a --include=tools/* tools/sigmac.py -t es-qs -c not_existing rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
- ! coverage run -a --include=tools/* tools/sigmac.py -t es-qs -c tests/invalid_yaml.yml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
- ! coverage run -a --include=tools/* tools/sigmac.py -t es-qs -c tests/invalid_config.yml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
+ ! coverage run -a --include=tools/* tools/sigmac.py -t es-qs rules/windows/builtin/win_susp_failed_logons_single_source.yml
+ ! coverage run -a --include=tools/* tools/sigmac.py -t es-qs -o /not_possible rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
+ ! coverage run -a --include=tools/* tools/sigmac.py -t es-qs -c not_existing rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
+ ! coverage run -a --include=tools/* tools/sigmac.py -t es-qs -c tests/invalid_yaml.yml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
+ ! coverage run -a --include=tools/* tools/sigmac.py -t es-qs -c tests/invalid_config.yml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
+ ! coverage run -a --include=tools/* tools/sigmac.py -rvI -c tools/config/elk-defaultindex.yml -t kibana rules/ > /dev/null
 coverage report --fail-under=80
diff --git a/tools/backends.py b/tools/backends.py
index d883d9c75..fc3f243bb 100644
--- a/tools/backends.py
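Review bot: The new negative test on the last added line only asserts a non-zero exit status, so it cannot tell the NotSupportedError path (exit code 8 in the sigmac.py hunk of this same commit) apart from any other failure in `rules/`, such as a rule that fails to parse or a missing config file. Pinning the status would actually exercise the behaviour the commit adds, e.g. `coverage run -a --include=tools/* tools/sigmac.py -rvI -c tools/config/elk-defaultindex.yml -t kibana rules/ > /dev/null; [ $$? -eq 8 ]`. The five removed and re-added lines above it read identically in this view, so presumably they are a whitespace-only change (tabs versus spaces) that the patch as shown here does not reveal; if so, a separate commit would keep the history easier to read.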
+++ b/tools/backends.py
@@ -336,8 +336,7 @@ class KibanaBackend(ElasticsearchQuerystringBackend, MultiRuleOutputMixin):
 for index in indices:
 final_rulename = rulename
 if len(indices) > 1: # add index names if rule must be replicated because of ambigiuous index patterns
- final_rulename += "-" + indexname
- title = "%s (%s)" % (sigmaparser.parsedyaml["title"], index)
+ raise NotSupportedError("Multiple target indices are not supported by Kibana")
 else:
 title = sigmaparser.parsedyaml["title"]
 try:
@@ -576,7 +575,6 @@ class GrepBackend(BaseBackend, QuoteCharMixin):
 def generateValueNode(self, node):
 return self.cleanValue(str(node))
-
 ### Backends for developement purposes
 class FieldnameListBackend(BaseBackend):
@@ -622,3 +620,12 @@ def flatten(l):
 yield from flatten(i)
 else:
 yield i
+
+# Exceptions
+class BackendError(Exception):
+ """Base exception for backend-specific errors."""
+ pass
+
+class NotSupportedError(BackendError):
+ """Exception is raised if some output is required that is not supported by the target language."""
+ pass
diff --git a/tools/sigmac.py b/tools/sigmac.py
index 7c31ef1da..152a82cc9 100755
--- a/tools/sigmac.py
+++ b/tools/sigmac.py
@@ -101,6 +101,11 @@ for sigmafile in get_inputs(cmdargs.inputs, cmdargs.recurse):
 error = 4
 if not cmdargs.defer_abort:
 sys.exit(error)
+ except backends.BackendError as e:
+ print("Backend error in %s: %s" % (sigmafile, str(e)), file=sys.stderr)
+ error = 8
+ if not cmdargs.defer_abort:
+ sys.exit(error)
 except NotImplementedError as e:
 print("An unsupported feature is required for this Sigma rule: " + str(e), file=sys.stderr)
 print("Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma", file=sys.stderr)
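Review bot: The `len(indices) > 1` condition is loop-invariant, so raising NotSupportedError inside `for index in indices` works but reads as if the decision were made per index; hoisting the check above the loop states the intent directly and lets the `else` branch become plain straight-line code. The message also names neither the offending index patterns nor the rule, and sigmac only prefixes the file name, so the user cannot see which patterns clashed: `raise NotSupportedError("Multiple target indices are not supported by Kibana: %s" % (indices,))` (the removed `%s` formatting of `index` suggests these are plain strings, but confirm). The comment on the `if` line still says "add index names if rule must be replicated", which is no longer what the branch does and should be updated to something like `# Kibana cannot replicate one rule over several index patterns`. The enclosing method starts and ends outside this hunk, and NotSupportedError is defined at the bottom of the module, which is fine at raise time but is where a reader will not look first.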
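Review bot: In both new exception classes the `pass` after the docstring is redundant, since a docstring is already a complete class body, so each class can be just its docstring. NotSupportedError's docstring talks about the "target language", but the one raise site added in this commit concerns a target system (Kibana) rather than a query language; `"""Raised when a backend is asked for output that the target language or system cannot express."""` would cover both. Consider also placing the `# Exceptions` section above the backend classes that raise them rather than at the end of the module: Python resolves the name at raise time, so it works either way, but readers expect the hierarchy before its first use.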
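Review bot: The new handler assigns `error = 8`, which overwrites whatever an earlier rule left in `error` (the context lines show `error = 4` for another failure class), so with deferred abort the final status only reflects the last failure kind seen. If `error` is what the script exits with after the loop (that code is outside this hunk), `error |= 8` would let 4 and 8 accumulate as the bit flags they appear to have been chosen as; confirm that the other handlers do the same before changing only this one. `str(e)` inside a `%s` format is redundant and `"Backend error in %s: %s" % (sigmafile, e)` reads cleaner. The `for sigmafile` loop and the `try` this `except` belongs to both start and end outside the hunk.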