[bug] Rules run without required fields #1604

Open
crayy8 opened this issue Feb 27, 2025 · 3 comments
Labels
bug Something isn't working

Comments


crayy8 commented Feb 27, 2025

Describe the bug
I'm not sure how many of these are bugs, so feel free to close if you do not agree. Based off the hayabusa rule documentation there are certain fields that are required and some that are optional. From testing, many of the required fields are not really required and rules will still run without issue.

Required fields (based off documentation) that will still flag items:

  • author
  • date
  • title
  • id
  • status
  • logsource
  • falsepositives
  • ruletype

The only fields that are marked as required that will actually generate an error are:

  • level
  • detection
crayy8 added the bug label Feb 27, 2025

YamatoSecurity (Collaborator) commented

@crayy8 Thanks for all of the issues! I've been meaning to update the hayabusa-rules documentation. I am planning on replacing the way I have been writing rules with the standard Sigma way but haven't had time to get around to it. The reason why we have kept those fields optional is because they are technically optional in the sigma specification: https://github.com/SigmaHQ/sigma-specification/blob/main/specification/sigma-rules-specification.md
In practice, all rules have these and they should be required in my opinion, but I need to do a little more thinking about whether we should require them and go against the sigma specification. Maybe something to discuss in the Sigma discord channel.


crayy8 commented Feb 28, 2025

@YamatoSecurity Thank you for the information! I figured this wasn't a big deal but wanted to make sure your team was aware of my findings in case you thought anything was worth tackling. I agree that many of the fields that you mark as required should really be required. It's strange to me that so many are optional in Sigma.

2 additional comments after reviewing the sigma docs:

  1. Sigma appears to make title required, which is not required in Hayabusa (even though the docs state it is).
  2. Level is not required in Sigma but is required in Hayabusa and will result in the rule not loading and logging an error. I'm sure it's not really a huge problem in practice, but just something to point out since Sigma rules are supposedly able to run in Hayabusa without conversion (if I understand correctly)? Again, not trying to say it's necessarily a bug, just wanting to make you aware.
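Since Hayabusa only rejects rules lacking level and detection, a rule repository can silently accumulate rules that miss the other fields the hayabusa-rules documentation calls required. The following pre-deployment check is an added example, not code from the Hayabusa project: it takes the required-field list from the issue above, separates the fields Hayabusa actually enforces from the documented-only ones, and reports both for a rule. To stay dependency-free it scans for top-level YAML keys at column 0 instead of using a YAML parser, which is an assumption that holds for normally indented rules; the sample rule is constructed.

```python
import re

# Fields the hayabusa-rules documentation lists as required (taken from the issue text).
DOC_REQUIRED = {"author", "date", "title", "id", "status", "logsource",
                "falsepositives", "ruletype", "level", "detection"}
# Fields whose absence the reporter observed actually stops Hayabusa from loading the rule.
ENFORCED = {"level", "detection"}

# A top-level YAML key: identifier at column 0 followed by a colon. Comments ('#') and
# document markers ('---') never match. Assumes keys are not embedded in block scalars.
TOP_LEVEL_KEY = re.compile(r"^([A-Za-z_][\w-]*)\s*:")


def top_level_keys(rule_text):
    """Return the set of top-level keys found in a rule's YAML text."""
    keys = set()
    for line in rule_text.splitlines():
        m = TOP_LEVEL_KEY.match(line)
        if m:
            keys.add(m.group(1))
    return keys


def check_rule(rule_text):
    """Report which documented-required fields are missing and whether Hayabusa would load it."""
    missing = DOC_REQUIRED - top_level_keys(rule_text)
    return {
        "would_load": not (missing & ENFORCED),
        "missing_enforced": sorted(missing & ENFORCED),
        "missing_documented_only": sorted(missing - ENFORCED),
    }


# Constructed sample: a Sigma-style rule carrying only the fields Hayabusa enforces plus
# title/logsource. It loads in Hayabusa yet misses six documented-required fields.
SAMPLE_RULE = """\
title: Constructed sample rule
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4625
    condition: selection
level: medium
"""

if __name__ == "__main__":
    print(check_rule(SAMPLE_RULE))
```

Running it over every file in a rules directory before loading them into Hayabusa surfaces the documented-only gaps that the tool itself will not flag.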

YamatoSecurity (Collaborator) commented

@crayy8 Thanks for pointing this out! I will review the specs and probably make title, level, etc. required fields.
