Bug: logs key required for rules that use datatypes #304

Closed
ghost opened this issue Sep 8, 2017 · 1 comment

ghost commented Sep 8, 2017

What

#285 introduced data normalization.

An intended side effect was that the logs key was not required if the datatypes key is provided.

Example:

```python
from fnmatch import fnmatch

# Rule declared with only 'datatypes', no 'logs' key
@rule(datatypes=['command'])
def alert_suspicious_wget(rec):
    # Values the normalizer extracted for the 'command' datatype
    results = fetch_values_by_datatype(rec, 'command')
    for result in results:
        if fnmatch(result, "wget *"):
            return True
    return False
```

However, this doesn't match reality. If you don't specify logs, you get the following:

StreamAlert [ERROR]: Invalid rule [...] - rule must have 'logs' declared

Workaround

Define all relevant logs in the logs key for rules that use data normalization.

Expectations

  • if the datatypes key exists, logs is not required, it's optional
  • if the datatypes key does not exist, logs is required
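The expected behaviour from the two bullets above, as an added example that is not StreamAlert's own code: a minimal `rule` decorator that only rejects a declaration when both `logs` and `datatypes` are missing, plus a stand-in `fetch_values_by_datatype` so the wget rule from the issue can be run against constructed records. The registry name `RULES`, the `RuleValidationError` class, and the assumed record layout (normalized values stored under a `streamalert:normalization` key) are assumptions of this example, not the project's API.

```python
# Added example, not StreamAlert code. Demonstrates the validation the issue
# expects: 'logs' is optional when 'datatypes' is given, required otherwise.
import fnmatch

RULES = {}  # rule name -> {"func", "logs", "datatypes"} (assumed registry)


class RuleValidationError(ValueError):
    """Raised when a rule declaration is incomplete (assumed exception type)."""


def validate_rule_config(name, logs=None, datatypes=None):
    """Return True if the declaration is acceptable, otherwise raise.

    - datatypes present -> logs optional
    - datatypes absent  -> logs required
    """
    if datatypes:
        return True
    if logs:
        return True
    # Same wording as the error quoted in the issue
    raise RuleValidationError(
        "Invalid rule [{}] - rule must have 'logs' declared".format(name))


def rule(logs=None, datatypes=None):
    """Decorator that validates a rule declaration and registers the function."""
    def decorator(func):
        validate_rule_config(func.__name__, logs, datatypes)
        RULES[func.__name__] = {
            "func": func,
            "logs": list(logs or []),
            "datatypes": list(datatypes or []),
        }
        return func
    return decorator


def fetch_values_by_datatype(rec, datatype):
    """Return the normalized values recorded for `datatype`.

    Assumed layout: rec["streamalert:normalization"] == {datatype: [values]}.
    Records without normalization output yield an empty list.
    """
    return rec.get("streamalert:normalization", {}).get(datatype, [])


@rule(datatypes=["command"])
def alert_suspicious_wget(rec):
    """The rule from the issue: alert on any normalized command starting with wget."""
    for value in fetch_values_by_datatype(rec, "command"):
        if fnmatch.fnmatch(value, "wget *"):
            return True
    return False


def rule_declaration_error(logs=None, datatypes=None):
    """Return the validation error message for a declaration, or None if valid."""
    try:
        validate_rule_config("probe", logs, datatypes)
    except RuleValidationError as exc:
        return str(exc)
    return None


# Constructed sample records (not real log data); the host name is a placeholder.
SAMPLE_WGET = {"streamalert:normalization": {"command": ["wget http://example.invalid/x.sh"]}}
SAMPLE_BENIGN = {"streamalert:normalization": {"command": ["ls -la"]}}

if __name__ == "__main__":
    print(alert_suspicious_wget(SAMPLE_WGET))    # True
    print(alert_suspicious_wget(SAMPLE_BENIGN))  # False
    print(rule_declaration_error())              # error for a rule with neither key
    print(rule_declaration_error(logs=["osquery"]))  # None: logs alone is enough
```

Declaring a rule with neither key raises at import time, which is the point: a misconfigured rule should fail loudly when rules are loaded rather than silently never firing.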

ghost commented Sep 19, 2017

This is now fixed

@ghost ghost closed this as completed Sep 19, 2017