[bug] Panic occurs when a non-existent Data field is specified in details of a rule #1215

Closed
fukusuket opened this issue Nov 12, 2023 · 0 comments · Fixed by #1216

@fukusuket
Collaborator

Describe the bug
Normally, an existing Data field index is specified in details, but in rare cases (e.g. JSON input), there is no Data field, which causes a panic.

Steps to Reproduce

  1. Save the following rule with the file name test.yml.

```yaml
author: TEST
date: 2023/11/12
modified: 2023/11/12

title: 'PwShClassic'
details: 'Data: %Data[2]%'
description: 'TEST'

id: ac2ae63b-83e6-4d06-aeaf-07409bda92c9
level: informational
status: test
logsource:
    product: windows
    service: powershell
detection:
    selection:
        Channel: 'Windows PowerShell'
    condition: selection
falsepositives:
tags:
references:
ruletype: Hayabusa
```

  2. Download apt29_evals_day1_manual.zip and unzip.
  3. Run `./hayabusa-2.10.0-mac-arm csv-timeline -f ../apt29_evals_day1_manual_2020-05-01225525.json -J -r test.yml -w -q`

Actual behavior
A panic occurs as follows:

```
% ./hayabusa-2.10.0-mac-arm csv-timeline -f ../apt29_evals_day1_manual_2020-05-01225525.json -J -r test.yml -w -q
Start time: 2023/11/12 21:57

Total event log files: 1
Total file size: 385.3 MB

Loading detection rules. Please wait.

Test rules: 1 (100.00%)

Hayabusa rules: 1
Total enabled detection rules: 1

Output profile: standard

Scanning in progress. Please wait.

[00:00:00] 0 / 1 ⠁ [                                        ] 0%

"../apt29_evals_day1_manual_2020-05-01225525.json"
thread 'hayabusa-thread' panicked at src/detections/message.rs:324:18:
called `Option::unwrap()` on a `None` value
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
thread 'main' panicked at src/detections/detection.rs:176:41:
called `Result::unwrap()` on an `Err` value: JoinError::Panic(Id(1009), ...)
```

Expected behavior
The panic does not occur.

Environment

  • OS: macOS sonoma 14.0
  • hayabusa version 2.10.0 (I haven't confirmed this, but it seems like this is probably an issue that existed in previous versions)
@fukusuket fukusuket added the bug Something isn't working label Nov 12, 2023
@fukusuket fukusuket self-assigned this Nov 12, 2023
@hitenkoku hitenkoku added this to the v2.10.1 milestone Dec 16, 2023
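The failure mode reported above is a classic one in log parsers: a rule template such as `%Data[2]%` assumes every event carries a `Data` array with enough entries, and a lookup written with `unwrap()` turns the first event that does not (here, JSON input with no `Data` field) into a worker-thread abort, which the main thread then re-raises when it unwraps the `JoinError`. The example below is added here and is not Hayabusa's own code (the page does not show the contents of message.rs or of the fix in #1216). It assumes a simplified event type (a map of field name to values), a 0-based `Data` index, an `n/a` placeholder for anything missing, and a small `tokenize` helper for the `%...%` syntax; all of these are assumptions made for the example. It shows the unchecked pattern that produces the `Option::unwrap()` panic side by side with a checked version that resolves a missing field or out-of-range index to a placeholder and keeps the scan running.

```rust
use std::collections::HashMap;

/// Constructed stand-in for one parsed event: field name -> values.
/// Hayabusa parses EVTX/JSON into serde_json::Value; this map is a
/// simplification for the example, not the project's own type.
type Event = HashMap<String, Vec<String>>;

/// One piece of a `details` template after splitting on %...% placeholders.
#[derive(Debug, PartialEq)]
enum Piece<'a> {
    Text(&'a str),
    /// `%Data[N]%`: the N-th entry of the EventData `Data` array
    /// (treated as 0-based here; an assumption made for the example).
    DataIndex(usize),
    /// `%Field%`: a named field.
    Field(&'a str),
}

/// Split a template such as "Data: %Data[2]%" into pieces. An unmatched
/// `%` is kept as literal text rather than being treated as a placeholder.
fn tokenize(template: &str) -> Vec<Piece<'_>> {
    let mut pieces = Vec::new();
    let mut rest = template;
    while let Some(start) = rest.find('%') {
        let after = &rest[start + 1..];
        let end = match after.find('%') {
            Some(end) => end,
            None => break,
        };
        if start > 0 {
            pieces.push(Piece::Text(&rest[..start]));
        }
        let token = &after[..end];
        let index = token
            .strip_prefix("Data[")
            .and_then(|t| t.strip_suffix(']'))
            .and_then(|n| n.parse::<usize>().ok());
        pieces.push(match index {
            Some(i) => Piece::DataIndex(i),
            None => Piece::Field(token),
        });
        rest = &after[end + 1..];
    }
    if !rest.is_empty() {
        pieces.push(Piece::Text(rest));
    }
    pieces
}

/// The pattern behind the reported panic (a hypothetical reconstruction, not
/// Hayabusa's code): the event is assumed to always carry `Data` with enough
/// entries, so both lookups are unwrapped. An event with no `Data` field makes
/// `event.get("Data")` return None and this aborts the calling thread with
/// "called `Option::unwrap()` on a `None` value".
fn expand_unchecked(template: &str, event: &Event) -> String {
    tokenize(template)
        .into_iter()
        .map(|p| match p {
            Piece::Text(t) => t.to_string(),
            Piece::DataIndex(i) => event.get("Data").unwrap()[i].clone(),
            Piece::Field(f) => event.get(f).unwrap().join(","),
        })
        .collect()
}

/// Checked version: a missing field or an out-of-range index yields a
/// placeholder instead of aborting the scan. The placeholder text is an
/// assumption for the example.
fn expand_checked(template: &str, event: &Event) -> String {
    const MISSING: &str = "n/a";
    tokenize(template)
        .into_iter()
        .map(|p| match p {
            Piece::Text(t) => t.to_string(),
            Piece::DataIndex(i) => event
                .get("Data")
                .and_then(|d| d.get(i))
                .cloned()
                .unwrap_or_else(|| MISSING.to_string()),
            Piece::Field(f) => event
                .get(f)
                .map(|v| v.join(","))
                .unwrap_or_else(|| MISSING.to_string()),
        })
        .collect()
}

/// Constructed sample events: an EVTX-style record with a Data array and a
/// JSON-style record that carries no Data field at all.
fn sample_events() -> (Event, Event) {
    let mut with_data = Event::new();
    with_data.insert("Channel".into(), vec!["Windows PowerShell".into()]);
    with_data.insert(
        "Data".into(),
        vec!["Available".into(), "None".into(), "NewEngineState=Available".into()],
    );
    let mut without_data = Event::new();
    without_data.insert("Channel".into(), vec!["Windows PowerShell".into()]);
    (with_data, without_data)
}

fn main() {
    let (with_data, without_data) = sample_events();
    let template = "Data: %Data[2]%";
    println!("{}", expand_checked(template, &with_data));
    println!("{}", expand_checked(template, &without_data));
    // expand_unchecked(template, &without_data) would abort the thread here,
    // which is the Option::unwrap() panic shown in the report.
}
```

Two design points follow from the report's output. The worker panic is what kills the run, but the second message (`Result::unwrap()` on a `JoinError::Panic` at detection.rs) shows the main thread treating a failed join as unrecoverable as well; making the placeholder lookup total, as `expand_checked` does, removes the cause rather than the symptom, and it also covers the out-of-range case (`%Data[7]%` on a three-element array) that the same `unwrap()` style would turn into an index panic.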