Print warning when loading Sigma rules with keyless search identifiers
ru37z opened this issue
As already discussed in #120, Chainsaw does not support "lists" (i.e., keyless search identifiers) in the detection part of Sigma rules, as defined by the Sigma specification [1]. When running Chainsaw in hunt mode, such lists in Sigma rules are silently ignored and events matching these lists will not trigger the respective rule.
IMHO, this behavior is unfavorable since users probably assume that if there is no warning/error while loading Sigma rules, these rules will work as intended. This could lead, e.g., to missed evidence in forensic analysis. I therefore propose to print a warning while loading Sigma rules if they contain lists, which ensures that users are aware that these (parts of) rules will be ignored by Chainsaw.
[1] https://github.com/SigmaHQ/sigma-specification/blob/main/Sigma_specification.md#lists
Yep this is a bug, it should be failing to load rules that it does not support and keyless ones fall into that category.
Sorry, my description above isn't quite correct. Sigma rules containing lists are indeed not loaded, just as intended, and this is also correctly printed ("... not loaded"). However, I find this easy to overlook, so I'd propose to either print one warning line per non-loaded rule, including the reason why it was not loaded, or (at least) print a warning that not all rules could be loaded. The former could look like this:
[!] Ignoring rule foo.yml. Reason: Keyless search identifiers are currently not supported.
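One way such a pre-load check could work, as an added example that is not Chainsaw's own code (Chainsaw is written in Rust; this sketch is in Python and operates on the already parsed YAML of each rule). The rule contents and file names are constructed, and the warning text follows the format proposed above:

```python
"""Pre-load check for Sigma rules: flag detection search identifiers that are
keyless lists (bare strings matched against the whole event), which Chainsaw
does not support, and emit the per-rule warning proposed in this thread."""

# Sample rules are constructed for this example; in practice the dicts come
# from yaml.safe_load() on each rule file.
RULES = {
    "foo.yml": {
        "title": "Keyless list example",
        "detection": {
            "keywords": ["audit log was cleared", "log cleared"],  # keyless list: OR of bare strings
            "condition": "keywords",
        },
    },
    "bar.yml": {
        "title": "Keyed example",
        "detection": {
            "selection": {"EventID": 4688, "Image|endswith": "\\cmd.exe"},
            # a list of maps still has keys, so it is not a keyless list
            "filter": [{"User": "SYSTEM"}, {"User|startswith": "svc_"}],
            "condition": "selection and not filter",
        },
    },
}

RESERVED = {"condition", "timeframe"}  # not search identifiers

def keyless_identifiers(detection):
    """Return names of search identifiers whose value is a keyless list."""
    found = []
    for name, value in detection.items():
        if name in RESERVED:
            continue
        if isinstance(value, list) and not all(isinstance(i, dict) for i in value):
            found.append(name)
    return found

def load_rules(rules):
    """Return (loaded_rule_names, warnings); rules with keyless lists are skipped."""
    loaded, warnings = [], []
    for filename, rule in rules.items():
        bad = keyless_identifiers(rule.get("detection", {}))
        if bad:
            warnings.append(f"[!] Ignoring rule {filename}. Reason: Keyless search "
                            f"identifiers are currently not supported ({', '.join(bad)}).")
            continue
        loaded.append(filename)
    return loaded, warnings
```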
Yes, I think this is already much less prone to being overlooked!
Awesome, will get that done.