theflakes
Need to think about this. Category is broader than the other two. I may want to make this the last option actually.
I'm not sure when I'll return to working on this unfortunately. I've moved to other solutions for rule writing. There are just too many logic limitations with OSSEC/Wazuh rules that...
Still supporting legacy Wazuh rules but mostly in teaching labs. Using Sigma in SecurityOnion playbooks. Also using Elastalert and ELK alerts. No perfect solution that's open unfortunately. Wazuh still does...
I added a filter to filter out any "1 of" that also includes "and" logic. This removes ~460 Sigma rules from conversion. This won't fix all of the logic...
I've implemented `not` propagation so that everything that is negated is explicitly so; e.g. `not (selection and other)` -> `not selection and not other`. This should remove some negation conversion...
> @theflakes, What if you split all conditions into separate rules and combine it at the end.
>
> ```
> selection_pe|selection_script|selection_juicypotato_enum
> (?i)HotPotatoes6
>
> selection_pe|selection_script|selection_juicypotato_enum
> ```
> ...
Rule is probably too much for Wazuh, you'll need to either not use that rule, break it into a couple of rules, or use a CDB file, see: https://documentation.wazuh.com/current/user-manual/ruleset/cdb-list.html
The other option is to add the Sigma rule ID to the ini config to skip it.
I can try at some point but it's beyond my capabilities unfortunately. When I get some more time, I'll keep digging into it. Thanks
I won't be getting back to this for a while most likely. That file it's complaining about is a file used for tracking rules from one run of the script...