[bug] update-rules command always output You currently have the latest rules. #1209

Closed
fukusuket opened this issue Nov 4, 2023 · 2 comments · Fixed by #1210

@fukusuket
Collaborator

Describe the bug
The update-rules command always outputs "You currently have the latest rules."

Steps to Reproduce

  1. Unzip the hayabusa2.10.0 release zip
  2. hayabusa update-rules

Expected behavior
The updated rule name is output

% ./hayabusa update-rules
...
 - hoge
 - fuga
 
Updated Sigma rules: x
Rules updated successfully.

Actual behavior
The updated rule name is not output

% ./hayabusa update-rules
...
You currently have the latest rules.

Environment

  • OS: macOS Sonoma version 14.0
  • hayabusa version 2.10.0 (Does not occur in 2.9.0)

Additional context
The message written to standard output is incorrect, but the rule update was actually successful.

@fukusuket fukusuket added the bug Something isn't working label Nov 4, 2023
@fukusuket fukusuket self-assigned this Nov 4, 2023
@YamatoSecurity
Collaborator

@fukusuket Thanks for finding and fixing this! Is this just a bug in 2.10.0?
It seems to be working up to 2.9.0:

./hayabusa-2.9.0-mac-intel update-rules

╔╗ ╔╦═══╦╗  ╔╦═══╦══╗╔╗ ╔╦═══╦═══╗
║║ ║║╔═╗║╚╗╔╝║╔═╗║╔╗║║║ ║║╔═╗║╔═╗║
║╚═╝║║ ║╠╗╚╝╔╣║ ║║╚╝╚╣║ ║║╚══╣║ ║║
║╔═╗║╚═╝║╚╗╔╝║╚═╝║╔═╗║║ ║╠══╗║╚═╝║
║║ ║║╔═╗║ ║║ ║╔═╗║╚═╝║╚═╝║╚═╝║╔═╗║
╚╝ ╚╩╝ ╚╝ ╚╝ ╚╝ ╚╩═══╩═══╩═══╩╝ ╚╝
   by Yamato Security

Start time: 2023/11/05 08:19

 - Suspicious Non-Browser Network Communication With Google API (Modified: 2023/11/03 | Path: rules/sigma/sysmon/network_connection/net_connection_win_google_api_non_browser_access.yml)
 - Obfuscated IP Download Activity (Modified: 2023/10/29 | Path: rules/sigma/sysmon/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml)
 - Uncommon PowerShell Hosts (Modified: 2023/11/03 | Path: rules/sigma/builtin/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml)
 - Obfuscated IP Download Activity (Modified: 2023/10/29 | Path: rules/sigma/builtin/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml)

Updated Sigma rules: 4
Rules updated successfully.

There is a new version of Hayabusa: v2.10.0
You can download it at https://github.com/Yamato-Security/hayabusa/releases

@fukusuket
Collaborator Author

fukusuket commented Nov 4, 2023

@YamatoSecurity
Thank you for checking the issue :) Yes, this is an issue that only occurs in 2.10.0.
(This is because after implementing the Scan Wizard feature, it is necessary to internally specify that all rules are targeted when executing the update-rules command.)

@hitenkoku hitenkoku added this to the v2.10.1 milestone Dec 16, 2023