Describe the bug
Importing a collection of SIGMA rules using the TSCTL import-sigma-rules function results in YAML parser errors.
For example, importing the SIGMA rule Unsigned AppX Installation Attempt Using Add-AppxPackage results in the error below:
yaml.parser.ParserError: while parsing a flow mapping in "<unicode string>", line 1, column 1: {'title': 'Unsigned AppX Install ... ^ expected ',' or '}', but got '<scalar>' in "<unicode string>", line 1, column 285: ... of the "Add-AppxPackage" or it\'s alias "Add-AppPackage" to inst ...
This is because, prior to parsing, the sigma_util.py script casts the 'doc' extracted from rule_yaml_data to a string in 'parse_sigma_rule_by_text':
try:
    rule_yaml_data = yaml.safe_load_all(rule_text)
    for doc in rule_yaml_data:
        # str(doc) produces a Python repr of the dict, not a YAML document
        parser = sigma_collection.SigmaCollectionParser(
            str(doc), sigma_conf_obj, None
        )
        parsed_sigma_rules = parser.generate(sigma_backend)
        rule_return.update(doc)
This turns a string like this:
Detects usage of the "Add-AppxPackage" or it's alias "Add-AppPackage" to install unsigned AppX packages
into this:
'Detects usage of the "Add-AppxPackage" or it\'s alias "Add-AppPackage" to install unsigned AppX packages'
This breaks the YAML parser, as it treats the escaped quote like a control character rather than a quote.
To solve this issue, we recommend using StringIO from the io library to stringify the YAML document rather than typecasting it to a string:
from io import StringIO
...
for doc in rule_yaml_data:
    # yaml.dump re-serialises the dict as valid YAML; StringIO gives the
    # parser a text stream instead of a Python repr
    yaml_stream = StringIO(yaml.dump(doc))
    parser = sigma_collection.SigmaCollectionParser(
        yaml_stream, sigma_conf_obj, None
    )
To Reproduce
Steps to reproduce the behavior:
1. Copy the sigma rule from the page mentioned.
2. Copy the rule into the sigma rules folder.
3. Run the TSCTL command to import the rules folder.
4. See error.
Expected behavior
I expect the rule to be parsed correctly and not throw a parsing error.
Desktop (please complete the following information):
OS: Windows
Timesketch version: LATEST