
Script does not work

Open irfaan0999 opened this issue 1 year ago • 4 comments

Hello bro,

The script sigma_to_wazuh.py does not work. I tried using different machines and python versions. Here is the error:

[root@localhost sigma_to_wazuh]# python3 sigma_to_wazuh.py
[!] ERROR loading rule id tracking file: ./rule_ids.json
Traceback (most recent call last):
  File "sigma_to_wazuh.py", line 961, in main()
  File "sigma_to_wazuh.py", line 935, in main
    conditions = convert.fixup_condition(sigma_rule['detection']['condition'])
TypeError: string indices must be integers

Possible to fix the script plz?

Regards,

irfaan0999 avatar May 31 '23 11:05 irfaan0999

I won't be getting back to this for a while most likely. That file it's complaining about is a file used for tracking rules from one run of the script to another. You can try deleting it, no idea if that will fix it though.

theflakes avatar Jun 01 '23 18:06 theflakes

Hello bro,

I deleted it but it is not working :(

What should the file contain? Do you have a copy?

irfaan0999 avatar Jun 07 '23 12:06 irfaan0999

Took a quick look, found an unfinished sigma rule from their repo was breaking things. Added a catch to ignore broken rules.

Please note though that this script may never be able to convert all the logic in all sigma rules correctly. In other words, a rule may convert without error but the logic could be wrong in the Wazuh rule(s). The conversion can be very complex for some Wazuh rules and I'm not sure I can or have the time to figure it out 100%.

theflakes avatar Jun 07 '23 14:06 theflakes
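The traceback in this thread comes from indexing `sigma_rule['detection']['condition']` on a rule whose parsed structure is not the expected nested mapping. The following is an added example, not code from sigma_to_wazuh.py, of a structural check that skips such rules with a stated reason before conversion. The function names, file names and rule bodies are hypothetical, and the exact shape of the broken rule is an assumption since the thread does not show it.

```python
# Added example: not code from sigma_to_wazuh.py.
# Rules are shown as the Python objects a YAML loader would return.

def detection_condition(rule):
    """Return (condition, None) for a usable rule, or (None, reason)."""
    if not isinstance(rule, dict):
        return None, "rule is %s, not a mapping" % type(rule).__name__
    detection = rule.get("detection")
    if not isinstance(detection, dict):
        return None, "detection is %s, not a mapping" % type(detection).__name__
    condition = detection.get("condition")
    if isinstance(condition, str) and condition.strip():
        return condition, None
    # Assumption: a list of condition strings is also accepted.
    if (isinstance(condition, list) and condition
            and all(isinstance(c, str) for c in condition)):
        return condition, None
    return None, "condition missing or empty"


def partition_rules(loaded):
    """Split {path: rule} into convertible rules and skipped ones with reasons."""
    usable, skipped = {}, {}
    for path, rule in loaded.items():
        condition, reason = detection_condition(rule)
        if reason is None:
            usable[path] = condition
        else:
            skipped[path] = reason
    return usable, skipped


# Constructed sample input (hypothetical file names and rule bodies).
SAMPLE = {
    "complete.yml": {"title": "Complete rule", "detection": {
        "selection": {"Image|endswith": "\\cmd.exe"}, "condition": "selection"}},
    "unfinished.yml": {"title": "Unfinished rule", "detection": "TODO"},
    "no_condition.yml": {"title": "No condition",
                         "detection": {"selection": {"EventID": 1}}},
    "not_a_rule.yml": "just a string",
}

if __name__ == "__main__":
    usable, skipped = partition_rules(SAMPLE)
    for path, reason in sorted(skipped.items()):
        print("[!] skipping %s: %s" % (path, reason))
    print("convertible:", sorted(usable))
```

A rule that passes this check is only structurally complete; it says nothing about whether the converted Wazuh logic matches the Sigma logic.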

The script is working fine now. Thank you bro, Great job.

irfaan0999 avatar Jun 08 '23 07:06 irfaan0999