Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

sigma.exceptions.SigmaValueError: Can't merge value lists '<field>' into one item due to different logical linking. #245

Open
Res260 opened this issue Jul 23, 2024 · 6 comments
Open

sigma.exceptions.SigmaValueError: Can't merge value lists '<field>' into one item due to different logical linking. #245

Res260 opened this issue Jul 23, 2024 · 6 comments
Labels
bug Something isn't working

Comments

@Res260
Copy link
Contributor

Res260 commented Jul 23, 2024

Hello, I tried to convert a Sigma rule but got this weird error when calling .to_dict() on it. I feel like it should work?

from sigma.rule import SigmaRule

sigma_rule = r"""
title: AAAAAAAAAA
id: aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa
status: experimental
level: high
logsource:
  product: AAAA
detection:
  exclusions:
    - D:
        - '5'
        - '6'
      C:
        - '3'
        - '4'

    - D: '2'
      E:
        - '1'
      
  condition: not exclusions
"""


import yaml
rule = SigmaRule.from_dict(yaml.safe_load(sigma_rule))
rule.to_dict()

Here is the error:

Traceback (most recent call last):
  File "REDACTED\scratch_8.py", line 29, in <module>
    rule.to_dict()
  File "REDACTED\pySigma\sigma\rule.py", line 1186, in to_dict
    "detection": self.detection.to_dict(),
                 ^^^^^^^^^^^^^^^^^^^^^^^^
  File "REDACTED\pySigma\sigma\rule.py", line 707, in to_dict
    identifier: detection.to_plain() for identifier, detection in self.detections.items()
                ^^^^^^^^^^^^^^^^^^^^
  File "REDACTED\pySigma\sigma\rule.py", line 602, in to_plain
    raise sigma_exceptions.SigmaValueError(
sigma.exceptions.SigmaValueError: Can't merge value lists 'D' into one item due to different logical linking.

Any idea?
@thomaspatzke thomaspatzke added the bug Something isn't working label Jul 23, 2024
@thomaspatzke
Copy link
Member

The to_dict() method tries to merge multiple dict items into one and this is only possible if detection items with the same field have lists as well as plain values as its the case for the field D in your example. Internally lists cause that the logical linking attached to the field is changed to OR. Changing the second occurrence of field D into a single-item list should do the trick here.

The reason here is that there's a possibility to create rules programmatically that can't be expressed in a dict, e.g. because multiple detection items with the same field name are contained in them. The to_dict() code tries to handle such situations and the merging described above is one of the things it does. Normally, a rule originating from YAML code or from_dict() should be convertible with to_dict(). Therefore, I consider this as bug which needs some further investigation.

@thomaspatzke
Copy link
Member

Ah, wait, changing the one instance into a list wouldn't help because the problem is that merging to lists of a field-bound detection item would result into a different boolean logic.

@Res260
Copy link
Contributor Author

Res260 commented Jul 24, 2024

Ah, wait, changing the one instance into a list wouldn't help because the problem is that merging to lists of a field-bound detection item would result into a different boolean logic.

Indeed, I tried that and same error.

@Res260
Copy link
Contributor Author

Res260 commented Jul 24, 2024
edited
Loading

The reason here is that there's a possibility to create rules programmatically that can't be expressed in a dict, e.g. because multiple detection items with the same field name are contained in them.

I don't really understand this part. YAML and JSON can serialize the same information and they can be converted into one another easily. Also, JSON can be parsed as a dict very easily. If the YAML is valid, why can't it be converted to a dict when the first step of parsing a SigmaRule is to parse it as a dict? This seems contradictory.

From my basic and incomplete understanding, there is no conflict here, because it's just a list of different items, and in a dict (and in JSON and in YAML) you can have lists with identical elements (but you can't have identical keys in an object). What I'm trying to do here is have a list with objects with the same keys but different values in said keys.

@thomaspatzke
Copy link
Member

This seems contradictory.

It is 😉 that's the reason it is marked as bug now. Somehow the YAML is parsec into a data structure that can't be converted back or some check is too strict.

@Res260
Copy link
Contributor Author

Res260 commented Aug 1, 2024

As a temporary workaround, I found that simply putting the condition in a separate block doesn't raise the error yet is the same logic:

raises error:

detection:
  exclusions:
    - D:
        - '5'
        - '6'
      C:
        - '3'
        - '4'

    - D: '2'
      E:
        - '1'
  condition: not exclusions

doesn't raise error:

detection:
  exclusion1:
    - D:
        - '5'
        - '6'
      C:
        - '3'
        - '4'
  exclusion2:
    - D: '2'
      E:
        - '1'
      
  condition: not exclusion1 and not exclusion2

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@thomaspatzke @Res260