Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

update-rules does not update rule files if only status field is updated #1243

Closed
fukusuket opened this issue Jan 3, 2024 · 2 comments · Fixed by #1245
Closed

update-rules does not update rule files if only status field is updated #1243

fukusuket opened this issue Jan 3, 2024 · 2 comments · Fixed by #1245
Assignees
@hitenkoku
Labels
enhancement New feature or request
Milestone
v2.13.0

Comments

@fukusuket
Copy link
Collaborator

fukusuket commented Jan 3, 2024
edited
Loading

Describe the issue
This is not a bug, but update-rules does not update rule files when status is updated.

According to the Sigma spec below, the modified field is not updated when the status changes(except deprecated).
https://github.com/SigmaHQ/sigma-specification/blob/main/Sigma_specification.md#modified-optional

The current update-rules command is designed to only update files where the modified field has been updated, so changes like the commit below will not be reflected in the rules.
https://github.com/SigmaHQ/sigma/pull/4651/files

As a result, the rules classified by the scan-wizard below do not match the latest classifications in the Sigma repository
https://github.com/Yamato-Security/hayabusa?tab=readme-ov-file#scan-wizard

Step to Reproduce
(As of 2024/1/3)

  1. download hayabusa 2.12.0
  2. hayabusa update-rules

Actual behavior
(As of 2024/1/3)
Updated Sigma rules: 2

Expected behavior
The status field will be updated as in the commit below.
https://github.com/SigmaHQ/sigma/pull/4651/files

Personally, I think the above specifications are better, but what do you think?🤔

Environment

  • OS: macOS Sonoma version 14.0
  • hayabusa version: 2.12.0
@fukusuket fukusuket added the enhancement New feature or request label Jan 3, 2024
@fukusuket fukusuket changed the title update-rules does not update rule files when status is updated update-rules does not update rules file if only status field is updated Jan 3, 2024
@hitenkoku hitenkoku self-assigned this Jan 4, 2024
@YamatoSecurity
Copy link
Collaborator

Thanks for pointing this out. Maybe we should update the files if there are any differences in the text (like the diff command) instead of checking fields? @hitenkoku What do you think?

@fukusuket fukusuket changed the title update-rules does not update rules file if only status field is updated update-rules does not update rule files if only status field is updated Jan 4, 2024
@hitenkoku
Copy link
Collaborator

I have checked and it is done in the same way as when you do a git pull in the rules folder.
Currently, the display of the number of units changed, etc. is certainly not seeing the status changes, so I will fix it.

hitenkoku added a commit that referenced this issue Jan 10, 2024
@hitenkoku
fix(update): fixed update-rules output rule #1243
f156340
@hitenkoku hitenkoku linked a pull request Jan 10, 2024 that will close this issue
fixed update-rules output updated rule #1245
Merged
hitenkoku added a commit that referenced this issue Jan 10, 2024
@hitenkoku
fix(update): fixed updated rule output logic #1243
3036834
hitenkoku added a commit that referenced this issue Jan 10, 2024
@hitenkoku
fix(update): fixed updated rule check to new rule #1243
885601a
@hitenkoku hitenkoku added this to the v2.13.0 milestone Jan 11, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@hitenkoku hitenkoku

Labels
enhancement New feature or request
Projects
None yet
Milestone
v2.13.0
Development

Successfully merging a pull request may close this issue.

fixed update-rules output updated rule Yamato-Security/hayabusa
3 participants
@hitenkoku @fukusuket @YamatoSecurity