Hayabusa should give a parsing error when reference rule is not found #1444

Closed
YamatoSecurity opened this issue Oct 14, 2024 · 1 comment · Fixed by #1449
Labels
invalid This doesn't seem right

Comments

@YamatoSecurity (Collaborator)

@fukusuket

I noticed an issue when creating rules. It is a low-priority issue, but it would be better to generate an error to make it easier to understand and avoid incorrect rules.

The following rule works correctly:

title: PW Guessing
id: 23179f25-6fce-4827-bae1-b219deaf563e
related:
    - id: 35e8a0fc-60c2-46d7-ba39-aafb15b9854e
      type: obsolete
status: test
description: Detects password guessing attacks
references: https://attack.mitre.org/techniques/T1110/003/
author: Zach Mathis
date: 2024-10-13
modified: 2024-10-13
tags:
    - attack.t1110.003
    - attack.credential_access
correlation:
    type: event_count
    rules:
        - incorrect_password
    group-by:
        - TargetUserName
        - TargetDomainName
        - IpAddress
        - WorkstationName
        - LogonType
        - ProcessName
        - LogonProcessName
    timespan: 5m
    condition:
        gte: 5
falsepositives:
    - User mistyping password
level: medium
ruletype: Hayabusa

---

title: Failed Logon - Incorrect Password
id: 5b0b75dc-9190-4047-b9a8-14164cee8a31
name: incorrect_password
related:
    - id: 35e8a0fc-60c2-46d7-ba39-aafb15b9854e
      type: obsolete
status: test
description: Detects a failed logon event due to a wrong password
references:
author: Zach Mathis
date: 2024-10-13
modified: 2024-10-13
tags:
logsource:
    product: windows
    service: security
detection:
    selection:
        Channel: Security
        EventID: 4625
        SubStatus: "0xc000006a" #Wrong password
    filter:
       IpAddress: "-"
    condition: selection and not filter
falsepositives:
level: informational
ruletype: Hayabusa

However, when I change:

    rules:
        - incorrect_password

to

    rules:
        - incorrect_password_does_not_exist

OR

    rules:
        - 5b0b75dc-9190-4047-b9a8-14164cee8a39 # this ID also does not exist

Hayabusa will not give a parsing error and will scan as if everything is fine (scanning with the info rule instead).

I would like it to give the error "The referenced rule was not found: incorrect_password_does_not_exist" in order to make it easier to write rules.

@YamatoSecurity YamatoSecurity added the invalid This doesn't seem right label Oct 14, 2024
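The check the issue asks for, written out as an added example (this is not Hayabusa's own code). It models the two documents from the report as already-parsed structs (the `RuleDoc` type, the `issue_rules` helper and the error type are assumptions for this example; the real loader works on its own YAML model and indexes every rule it loaded, not just the ones in one file). A `rules:` entry in a `correlation` block may name the target either by its `name` or by its `id`, so both are indexed, and every dangling reference is reported instead of the correlation rule being silently accepted:

```rust
use std::collections::HashMap;
use std::fmt;

/// Minimal stand-in for a parsed rule document (assumed for this example;
/// Hayabusa's real YAML model has many more fields).
#[derive(Debug, Clone)]
pub struct RuleDoc {
    pub id: String,
    pub name: Option<String>,
    /// `Some(refs)` for a correlation rule: the entries under `correlation.rules`.
    pub correlation_rules: Option<Vec<String>>,
}

impl RuleDoc {
    fn detection(id: &str, name: Option<&str>) -> Self {
        RuleDoc { id: id.to_string(), name: name.map(str::to_string), correlation_rules: None }
    }

    fn correlation(id: &str, refs: &[&str]) -> Self {
        RuleDoc {
            id: id.to_string(),
            name: None,
            correlation_rules: Some(refs.iter().map(|s| s.to_string()).collect()),
        }
    }
}

/// The parsing error the issue asks for. `Display` produces exactly the wording
/// requested in the report; `in_rule` records which correlation rule is broken.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct ReferencedRuleNotFound {
    pub in_rule: String,
    pub reference: String,
}

impl fmt::Display for ReferencedRuleNotFound {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "The referenced rule was not found: {}", self.reference)
    }
}

/// A `rules:` entry may be a rule's `name` or its `id`, so both keys resolve to the rule.
fn reference_index(docs: &[RuleDoc]) -> HashMap<&str, &RuleDoc> {
    let mut index = HashMap::new();
    for doc in docs {
        index.insert(doc.id.as_str(), doc);
        if let Some(name) = doc.name.as_deref() {
            index.insert(name, doc);
        }
    }
    index
}

/// Validate every correlation rule's `rules:` list against all loaded documents.
/// Returns every dangling reference so the rule author sees all mistakes in one run.
pub fn check_correlation_refs(docs: &[RuleDoc]) -> Vec<ReferencedRuleNotFound> {
    let index = reference_index(docs);
    let mut errors = Vec::new();
    for doc in docs {
        if let Some(refs) = &doc.correlation_rules {
            for reference in refs {
                if !index.contains_key(reference.as_str()) {
                    errors.push(ReferencedRuleNotFound {
                        in_rule: doc.id.clone(),
                        reference: reference.clone(),
                    });
                }
            }
        }
    }
    errors
}

/// The two documents from the issue, as they would look after YAML loading,
/// with the correlation rule's single `rules:` entry set to `reference`.
pub fn issue_rules(reference: &str) -> Vec<RuleDoc> {
    vec![
        RuleDoc::correlation("23179f25-6fce-4827-bae1-b219deaf563e", &[reference]),
        RuleDoc::detection("5b0b75dc-9190-4047-b9a8-14164cee8a31", Some("incorrect_password")),
    ]
}

fn main() {
    // The four variants discussed in the issue: two resolve, two must error.
    for reference in [
        "incorrect_password",
        "5b0b75dc-9190-4047-b9a8-14164cee8a31",
        "incorrect_password_does_not_exist",
        "5b0b75dc-9190-4047-b9a8-14164cee8a39",
    ] {
        let errors = check_correlation_refs(&issue_rules(reference));
        if errors.is_empty() {
            println!("{reference}: OK");
        } else {
            for e in errors {
                println!("{e}");
            }
        }
    }
}
```

Running the example prints `OK` for the `name` and the real `id`, and the requested error line for the misspelled name and the non-existent id. Collecting all errors rather than stopping at the first one matters in practice: a rules directory with several correlation rules should report every broken reference in a single pass.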
@fukusuket (Collaborator)

I see, it is better to have an error! I will fix it! 💪
