Error when importing with TechniqueSigmaRules plugin
Closed this issue · 6 comments
Hi,
I am experiencing an issue when I am trying to update an existing technique administration file using the plugin TechniqueSigmaRules. However, it works fine when I am generating a new administration file (dettect = DettectTechniquesAdministration()). The technique administration file is standard and was generated using DeTTECT.
Do you happen to have the same issue?
Code:
    import json
    # TechniqueSigmaRules and DettectTechniquesAdministration come from the dettectinator
    # package and its plugins; `parameters` holds the plugin settings defined earlier.
    import_sigma = TechniqueSigmaRules(parameters)
    techniques = import_sigma.get_attack_techniques(['Windows', 'all'])
    print(json.dumps(techniques, indent=4))
    #dettect = DettectTechniquesAdministration()            # generating a new file: works
    dettect = DettectTechniquesAdministration('test.yaml')  # updating an existing file: fails
    dettect.update_detections(techniques, False, False, '', False, False)
    #dettect.save_yaml_file('hi.yaml')
Content of techniques:
    {
        "Accesschk Usage To Check Privileges": {
            "applicable_to": [
                "Windows",
                "all"
            ],
            "location_prefix": "",
            "techniques": [
                "T1069.001"
            ]
        }
    }
Error:
      File "/usr/local/lib/python3.10/site-packages/dettectinator/dettectinator.py", line 303, in update_detections
        warnings, results = self._add_rules(detection_rules, date_today)
      File "/usr/local/lib/python3.10/site-packages/dettectinator/dettectinator.py", line 329, in _add_rules
        applicable_to_list = [d['applicable_to'] for d in yaml_technique['detection']]
      File "/usr/local/lib/python3.10/site-packages/dettectinator/dettectinator.py", line 329, in <listcomp>
        applicable_to_list = [d['applicable_to'] for d in yaml_technique['detection']]
    TypeError: string indices must be integers
hi @AlphaCorvus
I tried to reproduce the error with your code, but on my side both the creation of a new file and updating a file work fine.
However, I am able to reproduce the error when consciously introducing a semantic error in the YAML. So I would advise you to check the existing test.yaml file for errors, especially checking that all techniques have a detection object and that all detection objects have one or more applicable_to objects. You can also use DeTT&CT to check the health of a YAML file:
    $ python dettect.py d -ft test.yaml --health
It will then give you an overview of existing errors in the YAML file.
Please let me know if this tackles your problem.
Hi @rubinatorz,
Thanks for reviewing this issue. Actually, I am generating the techniques administration file with the DeTTECT command ds -fd /opt/DeTTECT/input/datasources_file.yaml --yaml --yaml-all-techniques. It appears that the YAML could be different from a YAML created by dettectinator. By any chance, do you observe the same?
As a workaround, I am considering creating my techniques admin file from dettectinator, then updating the visibility using the datasources file.
Quick update @rubinatorz,
Unfortunately, it didn't do the trick. I am unable to update a file created from DeTT&CK (--yaml --yaml-all-techniques) using dettectinator (admin file). I checked for semantic errors and the health of the YAML is fine.
My workaround can be applied, but some visibility entries are missing where no detection is available for a given technique.
Hi @AlphaCorvus
I just found the error and I'm trying to fix it. Within the next hour I expect a fix to be pushed. I'll let you know.
Cheers
hi @AlphaCorvus
The thing was that DeTT&CT supports a detection object in the YAML file being a list or a dict (just one entry). Dettectinator only supported detection objects being a list. I fixed it on both sides. So in DeTT&CT by default detection objects are now lists. So when pulling the latest changes from DeTT&CT repo and then generating your YAML file again will give you a proper YAML file having detection objects that are lists. I also fixed it in dettectinator. Dettectinator now converts single entry detection objects (dict) to a list. So you can also pull the latest version from dettectinator repo.
Good luck!
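As an added illustration of the root cause described in the previous comment (this is example code, not dettectinator's or DeTT&CT's own implementation): a technique's detection object may arrive as a single mapping instead of a list, iterating that mapping yields its string keys, and indexing a string with 'applicable_to' is exactly the TypeError in the traceback. The sample administration data and the helper names are constructed for the example.

```python
from typing import Any


def as_detection_list(detection: Any) -> list:
    """Return a technique's detection object(s) as a list; a lone dict becomes [dict]."""
    if detection is None:
        return []
    if isinstance(detection, dict):
        return [detection]
    if isinstance(detection, list) and all(isinstance(d, dict) for d in detection):
        return detection
    raise TypeError(f"unsupported detection object: {type(detection).__name__}")


def buggy_applicable_to(yaml_technique: dict) -> list:
    """Pre-fix lookup from the traceback: with a dict, d is a key (str), so
    d['applicable_to'] raises 'string indices must be integers'."""
    return [d['applicable_to'] for d in yaml_technique['detection']]


def fixed_applicable_to(yaml_technique: dict) -> list:
    """Same lookup after normalising the detection object to a list."""
    return [d['applicable_to'] for d in as_detection_list(yaml_technique.get('detection'))]


def normalise_admin(admin: dict) -> dict:
    """Rewrite every technique's detection object to a list in place, so a file
    written the old DeTT&CT way (single dict) loads like a dettectinator one."""
    for technique in admin.get('techniques', []):
        technique['detection'] = as_detection_list(technique.get('detection'))
    return admin


# Constructed sample (not a real file): first technique uses the single-dict form,
# the second the list form.
SAMPLE_ADMIN = {
    'file_type': 'technique-administration',
    'techniques': [
        {'technique_id': 'T1069.001',
         'detection': {'applicable_to': ['Windows', 'all'], 'location': ['']}},
        {'technique_id': 'T1059.001',
         'detection': [{'applicable_to': ['Windows'], 'location': ['Sigma']}]},
    ],
}

if __name__ == '__main__':
    try:
        buggy_applicable_to(SAMPLE_ADMIN['techniques'][0])
    except TypeError as exc:
        print('pre-fix lookup fails:', exc)
    for t in normalise_admin(SAMPLE_ADMIN)['techniques']:
        print(t['technique_id'], fixed_applicable_to(t))
```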
Thank you so much @rubinatorz! - It runs smoothly, nice work! 👍