You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
there seem to be an issue with the translation of the sigma rule and security onion 2.4.80
the screenshot above show the rule below being converted
This rule when is being translate cause a lot false positive due the missing translation which do not filter the TargetObject|contains|all as the sigma rule specified , if I convert it manually using the sigma rule python script it convert it correctly example
sigma convert --without-pipeline -t elasticsearch -f default rule.yml the result is
(TargetObject:SYSTEM\ AND TargetObject:ControlSet AND TargetObject:\Control\Lsa) AND (TargetObject:(*\lmcompatibilitylevel OR *\NtlmMinClientSec OR *\RestrictSendingNTLMTraffic))
Guidelines
I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
Version
2.4.80
Installation Method
Security Onion ISO image
Description
configuration
Installation Type
Distributed
Location
on-prem with Internet access
Hardware Specs
Exceeds minimum requirements
CPU
16
RAM
512
Storage for /
100
Storage for /nsm
1tb
Network Traffic Collection
span port
Network Traffic Speeds
1Gbps to 10Gbps
Status
Yes, all services on all nodes are running OK
Salt Status
No, there are no failures
Logs
No, there are no additional clues
Detail
Hi Security onion team,
there seem to be an issue with the translation of the sigma rule and security onion 2.4.80
the screenshot above show the rule below being converted
This rule when is being translate cause a lot false positive due the missing translation which do not filter the TargetObject|contains|all as the sigma rule specified , if I convert it manually using the sigma rule python script it convert it correctly example
sigma convert --without-pipeline -t elasticsearch -f default rule.yml
the result is
(TargetObject:SYSTEM\ AND TargetObject:ControlSet AND TargetObject:\Control\Lsa) AND (TargetObject:(*\lmcompatibilitylevel OR *\NtlmMinClientSec OR *\RestrictSendingNTLMTraffic))
Guidelines
Beta Was this translation helpful? Give feedback.
All reactions