
[BUG] "Invalid condition" when editing a sigma rule that uses wildcard notation #772

Closed
tallyoh opened this issue Oct 11, 2023 · 3 comments
Labels: bug (Something isn't working), untriaged

Comments

tallyoh commented Oct 11, 2023

What is the bug?
When you clone/edit an existing sigma rule using the dashboard GUI - there are many rules which use a wildcard pattern notation in the conditional (see screenshots). You cannot edit/save these rules because the dashboard GUI validation thinks this notation is invalid. Additionally, if you want to modify a rule and use wildcard notation - you cannot save the change using the dashboard GUI.

How can one reproduce the bug?
Steps to reproduce the behavior:

  1. Clone and edit a rule which contains wildcard notation
  2. Try saving the rule and you will see the red error text preventing continuation
  3. See screenshot below.

What is the expected behavior?
A clear and concise description of what you expected to happen.

What is your host/environment?

  • OS: 2.10 fresh install with security analytics plugin

Do you have any screenshots?
image
image

@tallyoh tallyoh added bug Something isn't working untriaged labels Oct 11, 2023

tallyoh commented Oct 13, 2023

I am not sure if I should open a separate ticket - but I found a couple more instances where the GUI validation seems to not play well with the SIGMA rule editor screen. Rather than opening a new ticket to provide the new information I thought I would start by adding it here.

Getting a validation error when editing a clone of a rule for some author names:

image


tallyoh commented Oct 13, 2023

Also getting the following GUI validation error on certain rules where the tag: field within the rule starts with something other than "attack."

image
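The notation the reporter hits in the first post (`1 of selection_*`, `all of them`) is valid Sigma condition syntax, and the Sigma `tags` field is not limited to the `attack.` namespace. As an added example, not code from OpenSearch Security Analytics or from this issue, the following Python validator shows how a rule editor can check these fields without producing the false "Invalid condition" errors described above: wildcard search identifiers are expanded against the keys actually present under `detection` (and rejected only when they match nothing), tags are checked by format rather than by namespace, and `author` is accepted as free text. The sample rule is constructed for this example, and the tag regex is an assumption based on the Sigma tag conventions (lowercase, namespace-dot-separated), not a rule taken from the plugin.

```python
import fnmatch
import re

# Constructed sample rule for this example; the reporter's rules are only visible as screenshots.
SAMPLE_RULE = {
    "title": "Service installed via sc.exe (constructed example)",
    "author": "Jane Doe, John O'Neil (Example Org)",  # free text; commas/quotes must not fail validation
    "tags": ["attack.persistence", "attack.t1543.003", "cve.2023.00000", "detection.threat_hunting"],
    "detection": {
        "selection_img": {"Image|endswith": "\\sc.exe"},
        "selection_cli": {"CommandLine|contains": "create"},
        "filter_legit": {"User": "SYSTEM"},
        "condition": "1 of selection_* and not filter_legit",
    },
}

TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")
# Assumed tag format: lowercase namespace, then one or more dot-separated lowercase/digit segments.
TAG_RE = re.compile(r"^[a-z0-9_-]+(\.[a-z0-9_-]+)+$")


def expand_pattern(pattern, keys):
    """Resolve a search identifier (exact, wildcard, or 'them') to the detection keys it names."""
    if pattern == "them":
        return sorted(keys)
    if "*" in pattern:
        return sorted(fnmatch.filter(keys, pattern))
    return [pattern] if pattern in keys else []


def validate_condition(condition, detection):
    """Return a list of error strings for a Sigma condition; an empty list means it is valid."""
    keys = {k for k in detection if k != "condition"}
    errors = []
    expr = condition.split("|", 1)[0]  # text after '|' is a (deprecated) aggregation; not checked here
    tokens = TOKEN_RE.findall(expr)
    depth = 0
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "(":
            depth += 1
        elif tok == ")":
            depth -= 1
            if depth < 0:
                errors.append("unbalanced ')'")
                depth = 0
        elif tok in ("and", "or", "not"):
            pass
        elif tok == "all" or tok.isdigit():
            # Quantifier: 'all of <pattern|them>' or '<N> of <pattern|them>'
            if i + 2 < len(tokens) and tokens[i + 1] == "of":
                if not expand_pattern(tokens[i + 2], keys):
                    errors.append(f"'{tok} of {tokens[i + 2]}' matches no search identifier")
                i += 2
            else:
                errors.append(f"quantifier '{tok}' must be followed by 'of <pattern|them>'")
        elif tok in ("of", "them"):
            errors.append(f"misplaced keyword '{tok}'")
        elif "*" in tok:
            errors.append(f"wildcard identifier '{tok}' is only valid after 'N of' / 'all of'")
        elif tok not in keys:
            errors.append(f"unknown search identifier '{tok}'")
        i += 1
    if depth != 0:
        errors.append("unbalanced '('")
    return errors


def validate_tags(tags):
    """Accept any well-formed namespaced tag, not only those starting with 'attack.'."""
    return [f"malformed tag '{t}'" for t in tags if not TAG_RE.match(t)]


def validate_rule(rule):
    """Validate condition, tags and author of a rule dict; returns a list of error strings."""
    errors = []
    detection = rule.get("detection", {})
    if "condition" not in detection:
        errors.append("detection.condition is missing")
    else:
        errors.extend(validate_condition(detection["condition"], detection))
    errors.extend(validate_tags(rule.get("tags", [])))
    author = rule.get("author")
    if author is not None and not str(author).strip():
        errors.append("author must be a non-empty string")
    return errors


if __name__ == "__main__":
    print("sample rule errors:", validate_rule(SAMPLE_RULE))
    print(validate_condition("selection_* and filter_legit", SAMPLE_RULE["detection"]))
    print(validate_tags(["attack.persistence", "Attack.Persistence"]))
```

The key design point is that a wildcard identifier is resolved at validation time against the rule's own `detection` keys, so `1 of selection_*` is an error only when no key matches; and because tags are checked by shape rather than by the `attack.` prefix, `cve.*`, `detection.*` and other namespaces pass as the Sigma convention allows.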


tallyoh commented Oct 13, 2023

One really important note is that when these errors occur in the GUI - although you can go to the yaml edit view and seem to be able to continue - the rules then don't seem to take effect.

I suspect that when you click save - this triggers some background task that generates/saves the actual search query text for opensearch to monitor every x minutes for each sigma rule. For the rules that have validation errors in the GUI - it seems that no search query is generated - therefore no detections are made for that rule. The other (untouched) rules in the detector seem to work. I have seen this happen a couple of times now on different rules - but I'm still a little unclear about the exact sequence of events in the GUI that cause it.

If you do not try editing a sigma rule clone - then it seems to work ok. But once you edit a rule and get a GUI validation error - then that individual rule seems effectively absent even though it is listed for the detector.

Thank you

@amsiglan amsiglan transferred this issue from opensearch-project/security-analytics Oct 26, 2023