
[featurerequest] validate config option?

Open juju4 opened this issue 9 months ago • 7 comments

It would be useful to be able to validate config and eventually rules/ioc/... with a CLI command. Often tools have a dry-run/test/validate option that can be leveraged in orchestration tools like Ansible to avoid detecting errors downstream.

If going further for rules/ioc/yara, it would be nice to be able to use sample logs to validate whether a detection is triggered or not, or whether a log line is filtered out. Something like:

$ cat sample.log | kunai test -c /etc/kunai/config.yaml
Detection triggered on line x
$ cat sample.log | kunai test -c /etc/kunai/config.yaml
[...]
Output lines: 10
Filtered lines: 5

Easier for CI/CD too :)

juju4 avatar Mar 16 '25 21:03 juju4

Hey @juju4,

I think what you are looking for is partially implemented in the test command. If you want a CI/CD example of rule testing, you can take a look at: https://github.com/kunai-project/community-rules/blob/kunai-v0.5/.github/workflows/ci.yml.

So far testing works neither with IoCs nor with filters, but that is something I can fix pretty quickly.

Another thing that may interest you is the replay command, as documented here: https://why.kunai.rocks/docs/cli#testing-rules--ioc-configuration.

About Yara rules scanning and actions in general, it is a bit trickier to test because it assumes that you have the files located at the exact same location as they appear in the kunai logs.

qjerome avatar Mar 17 '25 09:03 qjerome

So for rules, the test option probably works. Will review. For config, it does not: "error: unexpected argument '-c' found". I would expect a kunai validate -c /path/to/config.yaml

juju4 avatar Mar 23 '25 22:03 juju4

Example where error message could be better:

/usr/bin/kunai run -c /etc/kunai/config.yaml
Error: mapping values are not allowed in this context at line 43 column 42

[...]
 40     read:
 41         enable: false
 42     read_config:
 43         enable: true
 44     send_data:
 45         enable: false

juju4 avatar Mar 23 '25 22:03 juju4

Ok, if I summarize everything (feel free to correct), what you want is:

  1. being able to validate detection/filtering rules
  2. being able to validate IoCs
  3. being able to semantically validate a configuration file

qjerome avatar Mar 24 '25 08:03 qjerome

Example where error message could be better:

/usr/bin/kunai run -c /etc/kunai/config.yaml
Error: mapping values are not allowed in this context at line 43 column 42

[...]
 40     read:
 41         enable: false
 42     read_config:
 43         enable: true
 44     send_data:
 45         enable: false

This is a typical YAML de-serialization error! I don't think there is much I can do about this one...

qjerome avatar Mar 24 '25 08:03 qjerome

OK for deserialization. The summary is good. As above, 1 is already possible, 2 is not OK yet but a quick fix, 3 seems the only one missing: just run initialization/checks and quit afterwards with an appropriate exit code.

juju4 avatar Mar 30 '25 20:03 juju4

It seems the test rules command is only for detection; it does not test the filters, which would be nice for debugging complex filters.

juju4 avatar Apr 13 '25 20:04 juju4