Detection rules CLI

Traceback (most recent call last):
  File "/usr/lib64/python3.8/runpy.py", line 194, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "/usr/lib64/python3.8/runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "/home/rootadmin/git/detection-rules/detection_rules/__main__.py", line 34, in <module>
    main()
  File "/home/rootadmin/git/detection-rules/detection_rules/__main__.py", line 31, in main
    root(prog_name="detection_rules")
  File "/home/rootadmin/.local/lib/python3.8/site-packages/click/core.py", line 764, in __call__
    return self.main(*args, **kwargs)
  File "/home/rootadmin/.local/lib/python3.8/site-packages/click/core.py", line 717, in main
    rv = self.invoke(ctx)
  File "/home/rootadmin/.local/lib/python3.8/site-packages/click/core.py", line 1137, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/home/rootadmin/.local/lib/python3.8/site-packages/click/core.py", line 956, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/home/rootadmin/.local/lib/python3.8/site-packages/click/core.py", line 555, in invoke
    return callback(*args, **kwargs)
  File "/home/rootadmin/git/detection-rules/detection_rules/main.py", line 100, in import_rules
    rule_contents.extend(load_rule_contents(rule_file))
  File "/home/rootadmin/git/detection-rules/detection_rules/utils.py", line 254, in load_rule_contents
    rule = load_dump(rule_file)
  File "/home/rootadmin/.local/lib/python3.8/site-packages/eql/utils.py", line 140, in load_dump
    return toml.load(f)
  File "/home/rootadmin/.local/lib/python3.8/site-packages/toml/decoder.py", line 134, in load
    return loads(f.read(), _dict, decoder)
  File "/home/rootadmin/.local/lib/python3.8/site-packages/toml/decoder.py", line 455, in loads
    ret = decoder.load_line(line, currentlevel, multikey,
  File "/home/rootadmin/.local/lib/python3.8/site-packages/toml/decoder.py", line 725, in load_line
    value, vtype = self.load_value(pair[1], strictly_valid)
  File "/home/rootadmin/.local/lib/python3.8/site-packages/toml/decoder.py", line 802, in load_value
    return (self.load_array(v), "array")
  File "/home/rootadmin/.local/lib/python3.8/site-packages/toml/decoder.py", line 914, in load_array
    a[b] = a[b] + ',' + a[b + 1]
IndexError: list index out of range

- Following the steps as per the link: https://github.com/elastic/detection-rules
- After running the command python3.8 -m detection_rules import-rules -d rules/windows, receiving the above error.
- I have installed the dependencies mentioned in requirements.txt, which is on the GitHub link.

Please help me out to resolve this error.
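The traceback above ends inside the toml package without naming the rule file that load_rule_contents was reading. As an added example (not part of this post or of the detection-rules project), the script below parses each rule file on its own and lists the ones the installed loader rejects; it assumes the third-party toml package from the traceback (falling back to the standard-library tomllib on Python 3.11+) and uses constructed sample rules rather than real repository content.

```python
"""Isolate which rule file the TOML loader fails on (added example)."""
import pathlib
import tempfile
from typing import Callable, List, Tuple


def toml_loads() -> Callable[[str], dict]:
    """Return a TOML string parser: the third-party toml package from the
    traceback if installed, otherwise the standard-library tomllib (3.11+)."""
    try:
        import toml
        return toml.loads
    except ImportError:
        import tomllib
        return tomllib.loads


def find_failing_rules(rule_dir: str,
                       loads: Callable[[str], dict]) -> List[Tuple[str, str]]:
    """Parse every *.toml under rule_dir separately and return (file, error)
    for each file the loader raises on. Catching Exception is deliberate:
    the failure in the question is an IndexError, not a decode error."""
    failures = []
    for path in sorted(pathlib.Path(rule_dir).rglob("*.toml")):
        try:
            loads(path.read_text(encoding="utf-8"))
        except Exception as exc:
            failures.append((path.name, f"{type(exc).__name__}: {exc}"))
    return failures


# Constructed sample rules (not real detection-rules content): one
# well-formed file and one whose second line is not a key = value pair.
GOOD_RULE = ('name = "Sample rule"\n'
             'tags = ["Windows", "Defense Evasion"]\n'
             'risk_score = 47\n')
BAD_RULE = 'name = "Broken rule"\ntags Windows Defense Evasion\n'


def demo() -> List[Tuple[str, str]]:
    """Write the constructed rules to a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        (root / "good_rule.toml").write_text(GOOD_RULE, encoding="utf-8")
        (root / "broken_rule.toml").write_text(BAD_RULE, encoding="utf-8")
        return find_failing_rules(tmp, toml_loads())


if __name__ == "__main__":
    for name, error in demo():
        print(f"{name}: {error}")
```

Point find_failing_rules at the real rules/windows directory to see which file the loader stops on before reporting it in the issue.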

Hello,

Thanks for bringing this to our attention. The issue was with a dependency which loads the toml files. An issue was already opened in the repo for this and I have a draft PR which will resolve this. I hope to have the PR merged soon.

If you are unable to wait or are feeling adventurous, the fix is here.

Let me know if there is anything else needed and feel free to continue this conversation within the issue itself.

You can just use

python -m detection_rules
