
sigmaui's People

Contributors

socprime


sigmaui's Issues

Kibana 7.6.1 incompatible

Hi,

I have a problem installing sigmaui with kibana 7.6.1.

bash-4.2$ /usr/share/kibana/bin/kibana-plugin install https://github.com/socprime/SigmaUI/raw/master/sigma_ui_1.2.5.zip
Attempting to transfer from https://github.com/socprime/SigmaUI/raw/master/sigma_ui_1.2.5.zip
Transferring 13993246 bytes....................
Transfer complete
Retrieving metadata from plugin archive
Extracting plugin archive
Extraction complete
Plugin installation was unsuccessful due to error "Plugin socprime_sigma_ui [kibana] is incompatible with Kibana [7.6.1]"

Regards

Problem when loading sigmaui

Hello, I'm trying to follow the steps documented at https://github.com/socprime/SigmaUI/blob/master/Sigma%20UI%20for%20Kibana%20Installation%20Guide.pdf to use sigmaui with my kibana.

I'm using Kibana version 7.9.1 and installed the sigmaui plugin without any problems.

When clicking on the sigmaui icon in the kibana panel, nothing is loaded, and this error is displayed.

I'm composing the Kibana Dockerfile with the following:

FROM docker.elastic.co/kibana/kibana:7.9.1

COPY sigma_ui_1.2.5-elk7.9.1.zip /tmp/sigma_ui_1.2.5-elk7.9.1.zip
RUN /usr/share/kibana/bin/kibana-plugin install file:///tmp/sigma_ui_1.2.5-elk7.9.1.zip
COPY common.json /usr/share/kibana/plugins/socprime_sigma_ui/config/common.json

USER root
# The PyYAML specifier must be quoted: an unquoted ">=3.11" is a shell redirection,
# so pip's output would go to a file named "=3.11" and PyYAML would be installed unpinned.
RUN yum update -y && \
    yum install -y python3-pip.noarch && \
    pip3 install --no-input pip requests==2.22.0 'PyYAML>=3.11' elasticsearch sigmatools
USER kibana

This is the error msg:

Version: 7.9.1
Build: 33912
Error: "exports" is read-only
@https://10.2.196.120:5601/33912/bundles/socprime_sigma_ui.bundle.js:2:2032456
@https://10.2.196.120:5601/33912/bundles/socprime_sigma_ui.bundle.js:2:2032481
__webpack_require__@https://10.2.196.120:5601/33912/bundles/socprime_sigma_ui.bundle.js:2:1038
@https://10.2.196.120:5601/33912/bundles/socprime_sigma_ui.bundle.js:131:156749
__webpack_require__@https://10.2.196.120:5601/33912/bundles/socprime_sigma_ui.bundle.js:2:1038
@https://10.2.196.120:5601/33912/bundles/socprime_sigma_ui.bundle.js:131:206868
__webpack_require__@https://10.2.196.120:5601/33912/bundles/socprime_sigma_ui.bundle.js:2:1038
requireLegacyFiles@https://10.2.196.120:5601/33912/bundles/socprime_sigma_ui.bundle.js:65:252671
start@https://10.2.196.120:5601/33912/bundles/socprime_sigma_ui.bundle.js:2:576473
_callee2$@https://10.2.196.120:5601/33912/bundles/socprime_sigma_ui.bundle.js:2:612606
l@https://10.2.196.120:5601/33912/bundles/kbn-ui-shared-deps/kbn-ui-shared-deps.js:368:155323
s/o._invoke</<@https://10.2.196.120:5601/33912/bundles/kbn-ui-shared-deps/kbn-ui-shared-deps.js:368:155077
_/</e[t]@https://10.2.196.120:5601/33912/bundles/kbn-ui-shared-deps/kbn-ui-shared-deps.js:368:155680
core_system_asyncGeneratorStep@https://10.2.196.120:5601/33912/bundles/socprime_sigma_ui.bundle.js:2:603179
_next@https://10.2.196.120:5601/33912/bundles/socprime_sigma_ui.bundle.js:2:603531

common.json:

{
  "debug": true,
  "max_upload_period_in_month": 2,
  "python_path": "/usr/bin/python3.6",
  "tdm_api_integration_tool_path": "/sigmaui/script_tdm_api/tdm_api_for_sigma_ui.py",
  "tpm_sigma_folder_path": "/sigmaui/script_tdm_api/sigmas"
}

[screenshots attached to the issue: sigmaui-templates, simgaui-ok, sui_sigma_doc-discover, problema, sigmaui-error-7.9.1]

Error retrieving metadata from plugin archive

Not able to install the module due to error "Error retrieving metadata from plugin archive".

[content@localhost kibana-7.6.1]$ ./bin/kibana-plugin install file:///home/content/kibana-7.6.1/sigma_ui_1.2.5.zip 
Attempting to transfer from file:///home/content/kibana-7.6.1/sigma_ui_1.2.5.zip
Transferring 63620 bytes....................
Transfer complete
Retrieving metadata from plugin archive
Error: end of central directory record signature not found
    at /home/content/kibana-7.6.1/node_modules/yauzl/index.js:187:14
    at /home/content/kibana-7.6.1/node_modules/yauzl/index.js:631:5
    at /home/content/kibana-7.6.1/node_modules/fd-slicer/index.js:32:7
    at FSReqWrap.wrapper [as oncomplete] (fs.js:467:17)
Plugin installation was unsuccessful due to error "Error retrieving metadata from plugin archive"

Something went wrong

When exporting a valid Sigma rule to any of the options available I am presented with a message that says "Something went wrong". None of the other options work. I am using Elastic Stack 6.4.2.

Importing Sigma index

How is this index imported? I have looked at the docs. I had trouble with the Python scripts:

  File "import_es_index.py", line 39, in <module>
    import_index(SIGMA_DOC_INDEX_NAME+'_index.json', SIGMA_DOC_INDEX_NAME)
  File "import_es_index.py", line 26, in import_index
    print es_dbc.delete_index(index_name)
  File "/home/kwright/socprime_sigma_ui_unzip_me-Zgifp/ELK_import_export/es_db_connector.py", line 57, in delete_index
    return self.es.indices.delete(index=index, ignore=[400, 404])
  File "/usr/lib/python2.7/site-packages/elasticsearch/client/utils.py", line 76, in _wrapped
    return func(*args, params=params, **kwargs)
  File "/usr/lib/python2.7/site-packages/elasticsearch/client/indices.py", line 185, in delete
    params=params)
  File "/usr/lib/python2.7/site-packages/elasticsearch/transport.py", line 318, in perform_request
    status, headers_response, data = connection.perform_request(method, url, params, body, headers=headers, ignore=ignore, timeout=timeout)
  File "/usr/lib/python2.7/site-packages/elasticsearch/connection/http_urllib3.py", line 181, in perform_request
    raise ConnectionError('N/A', str(e), e)
elasticsearch.exceptions.ConnectionError: ConnectionError([('system library', 'fopen', 'No such file or directory'), ('BIO routines', 'BIO_new_file', 'no such file'), ('x509 certificate routines', 'X509_load_cert_crl_file', 'system lib')]) caused by: Error([('system library', 'fopen', 'No such file or directory'), ('BIO routines', 'BIO_new_file', 'no such file'), ('x509 certificate routines', 'X509_load_cert_crl_file', 'system lib')])

Minimal version of Kibana to run Sigma UI

Hey guys, I'm running 6.5.4, and I modified the version in the zip archive to reflect this, it installs fine but kibana hangs after restarting. Is there a minimal version? Any news on v7.x support yet?
Cheers,
Luk

Plugin installation was unsuccessful due to error "No kibana plugins found in archive"

I have Kibana 7.15.2 up and running and I've already modified the package.json file in the zip to reflect this version (kibana.version is set to 7.15.2), yet when I issue the command /home/ubuntu# /usr/share/kibana/bin/./kibana-plugin install file:///home/ubuntu/sigma_ui_1.2.5.zip I get the following error:

Plugin installation was unsuccessful due to error "No kibana plugins found in archive"

Does this version of sigma rule run on Kibana version 8?

I am trying to install sigma rule on Kibana. I followed the instructions but it failed.
The sigma rule document instructs me to execute the command:
/usr/share/kibana/bin/./kibana-plugin install file:///PATH_TO_FILE/sigma-ui-xxxxx.zip
The command i run:
/usr/share/kibana/bin/kibana-plugin install file:///usr/share/kibana/bin/sigma_ui_1.2.5.zip
and this is what i'm having
Found previous install attempt. Deleting...
Attempting to transfer from file:///usr/share/kibana/bin/sigma_ui_1.2.5.zip
Transferring 13993246 bytes....................
Transfer complete
Retrieving metadata from plugin archive
Plugin installation was unsuccessful due to error "No kibana plugins found in archive"

When using Kibana 5.3.3, plugin load fails with:

「error」 :

Attempting to transfer from file:/opt/kibana-5.3.3-linux-x86_64/plugins/SigmaUI/sigma_ui_0.9.2.zip
Transferring 17203391 bytes....................
Transfer complete
Retrieving metadata from plugin archive
Extracting plugin archive
Extraction complete
Plugin installation was unsuccessful due to error "Incorrect Kibana version in plugin [socprime_sigma_ui]. Expected [5.3.3]; found [6.6.1]"

「deal」:

Wait until the installation finishes, it may take few minutes to optimize and cache browser bundles. Restart Kibana to apply the changes

If you get the error "Plugin installation was unsuccessful due to error "Incorrect Kibana version in plugin [sigmaui]. Expected [6.6.0]; found [6.6.1]"", please open the zip archive and modify the file "./kibana/socprime_sigma_ui/package.json": put your Kibana version in the field "kibana.version".
2. Restart Kibana to apply the changes.

In case you don't see any changes after restarting Kibana, go to /usr/share/kibana/optimize. Delete all files in the folder 'optimize' including subfolders, and restart Kibana. This will make Kibana refresh its cache.

「Question」 :
After processing according to the official website, it still reports this error
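Several of the reports above are the installer refusing the archive before Kibana ever loads it: a 63620-byte download that is not a zip ("end of central directory record signature not found"), an archive with no manifest the installer recognises ("No kibana plugins found in archive"), and the kibana.version mismatch that the quoted instructions fix by editing kibana/socprime_sigma_ui/package.json inside the zip. The script below is an added example, not code from the SigmaUI project: it inspects an archive offline and rewrites kibana.version without hand-editing the zip. It assumes the legacy layout the instructions name (kibana/<plugin>/package.json with a "kibana": {"version": ...} field); treating a kibana.json entry as the marker of a new-platform plugin is an assumption, as is the small sample archive it builds for itself.

```python
"""Pre-flight checks for a legacy Kibana plugin archive such as sigma_ui_1.2.5.zip.

Added example, not part of the SigmaUI project. Run it before `kibana-plugin install`
(and before trusting a raw GitHub download) to see what the installer will see.
"""
import io
import json
import zipfile


def _is_legacy_manifest(name: str) -> bool:
    # Assumption: legacy plugins ship kibana/<plugin>/package.json, as the quoted
    # instructions describe for kibana/socprime_sigma_ui/package.json.
    parts = name.split("/")
    return len(parts) == 3 and parts[0] == "kibana" and parts[2] == "package.json"


def check_archive(data: bytes) -> dict:
    """Describe the archive without installing anything."""
    report = {"is_zip": False, "looks_like_html": False, "legacy_manifest": None,
              "kibana_version": None, "has_kibana_json": False}
    # A GitHub *page* saved under a .zip name starts with HTML; the installer then
    # fails while looking for the zip central directory.
    head = data[:64].lstrip().lower()
    report["looks_like_html"] = head.startswith(b"<!doctype") or head.startswith(b"<html")
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return report
    report["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if _is_legacy_manifest(name):
                report["legacy_manifest"] = name
                pkg = json.loads(zf.read(name))
                report["kibana_version"] = pkg.get("kibana", {}).get("version")
            elif name.endswith("kibana.json"):
                # Assumption: a kibana.json manifest marks a new-platform plugin.
                report["has_kibana_json"] = True
    return report


def set_kibana_version(data: bytes, target: str) -> bytes:
    """Return a copy of the archive with kibana.version rewritten in the legacy manifest.

    Every other entry is copied with its original timestamp, compression and file
    mode, since the installer extracts the archive as-is.
    """
    out = io.BytesIO()
    found = False
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            payload = src.read(info)
            if _is_legacy_manifest(info.filename):
                pkg = json.loads(payload)
                pkg.setdefault("kibana", {})["version"] = target
                payload = json.dumps(pkg, indent=2).encode()
                found = True
            entry = zipfile.ZipInfo(info.filename, date_time=info.date_time)
            entry.compress_type = info.compress_type
            entry.external_attr = info.external_attr
            dst.writestr(entry, payload)
    if not found:
        raise ValueError("no kibana/<plugin>/package.json in archive; nothing to patch")
    return out.getvalue()


def read_entries(data: bytes) -> dict:
    """Map entry name -> bytes, for checking that a patched archive is still intact."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


def build_sample_archive(kibana_version: str = "6.6.1", legacy: bool = True) -> bytes:
    """Constructed stand-in for the real zip (same layout, tiny contents), so the
    functions above can be exercised offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        if legacy:
            zf.writestr("kibana/socprime_sigma_ui/package.json", json.dumps({
                "name": "socprime_sigma_ui", "version": "1.2.5",
                "kibana": {"version": kibana_version},
            }))
        else:
            zf.writestr("kibana.json", json.dumps({"id": "socprimeSigmaUi", "version": "1.2.5"}))
        zf.writestr("kibana/socprime_sigma_ui/index.js", "module.exports = function (kibana) {};\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(check_archive(b"<!DOCTYPE html><html><body>Not Found</body></html>"))
    original = build_sample_archive()
    print(check_archive(original))
    print(check_archive(set_kibana_version(original, "7.6.1")))
```

For a real download, replace build_sample_archive() with the bytes of the file and look at check_archive() first: is_zip False with looks_like_html True means the download was an HTML page, and a legacy manifest whose kibana_version differs from your Kibana is the case the quoted instructions address. Rewriting kibana.version only silences the version check; it does not make a plugin built for another Kibana release work, as the webpack and ui.select failures above show.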

Plugin interface

Hi guys,
After the plugin installation, and also after removing the files from the optimize folder and restarting the Kibana service, I'm not able to see the plugin in the console. Have you got any advice?
PS: Kibana version 7.6.1
Thanks

Cannot view the Sigma UI

I've successfully installed the plugin, deleted the contents of the "optimized" folder and restarted Kibana several times via systemctl but still cannot see the Sigma UI at all.

It would be nice if the instructions were a little more clear and specific.

Export button not working

The Export button is not working; the rollout menu appears outside of the screen on clicking. Kibana 6.5.4.

Couldn't create template properly

Got this error after running import_es_index.py:

/home/ubuntu# python2 ./ELK_import_export/import_es_index.py
{u'acknowledged': True}
1 / 281 UZ3knmUBtApo-eN_puWZ
Traceback (most recent call last):
  File "./ELK_import_export/import_es_index.py", line 39, in <module>
    import_index(SIGMA_DOC_INDEX_NAME+'_index.json', SIGMA_DOC_INDEX_NAME)
  File "./ELK_import_export/import_es_index.py", line 31, in import_index
    es_dbc.insert_doc(index_name, doc_id, doc)
  File "/home/ubuntu/ELK_import_export/es_db_connector.py", line 54, in insert_doc
    res = self.es.index(index=index, doc_type=index, id=doc_id, body=doc)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/utils.py", line 301, in _wrapped
    return func(*args, params=params, headers=headers, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/__init__.py", line 410, in index
    body=body,
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/transport.py", line 458, in perform_request
    raise e
elasticsearch.exceptions.RequestError: RequestError(400, u'illegal_argument_exception', u'Rejecting mapping update to [sui_sigma_doc] as the final mapping would have more than 1 type: [_doc, sui_sigma_doc]')

Select Button

After clicking on the select button there is a sigma doc that shows up however upon searching a keyword no results are returned.

Mode IPS/IDS/NIPS/NIDS security onion

Hello,

I am looking for a program that can do IPS/IDS/NIPS/NIDS at the same time.
Is Security Onion a program that could meet my needs?

Regards,

Issues with SOF-ELK

Hello
we are having issues installing SigmaUI with SOF-ELK. The goal is to run Sigma rules on historical logs uploaded into SOF-ELK.
Any clue / any experience?

ui.select load error

When using Kibana 7.0.1, plugin load fails with:

Version: 7.0.1
Build: 23198
Error: [$injector:modulerr] Failed to instantiate module kibana due to:
[$injector:modulerr] Failed to instantiate module app/socprime_sigma_ui due to:
[$injector:modulerr] Failed to instantiate module ui.select due to:
[$injector:nomod] Module 'ui.select' is not available! You either misspelled the module name or forgot to load it. If registering a module ensure that you specify the dependencies as the second argument.

Error when opening the tab in Kibana.

Import Index issue

Hello,
Context: kibana 7.6.1 with opendistro plugin for security.

When I try to run import_es_index.py I get this error:
python2 import_es_index.py

{u'acknowledged': True}
1 / 281 UZ3knmUBtApo-eN_puWZ
Traceback (most recent call last):
  File "import_es_index.py", line 39, in <module>
    import_index(SIGMA_DOC_INDEX_NAME+'_index.json', SIGMA_DOC_INDEX_NAME)
  File "import_es_index.py", line 31, in import_index
    es_dbc.insert_doc(index_name, doc_id, doc)
  File "/home/user/SigmaUI/ELK_import_export/es_db_connector.py", line 54, in insert_doc
    res = self.es.index(index=index, doc_type=index, id=doc_id, body=doc)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/utils.py", line 92, in _wrapped
    return func(*args, params=params, headers=headers, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/__init__.py", line 411, in index
    body=body,
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/transport.py", line 362, in perform_request
    timeout=timeout,
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 252, in perform_request
    self._raise_error(response.status, raw_data)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/base.py", line 282, in _raise_error
    status_code, error_message, additional_info
elasticsearch.exceptions.RequestError: RequestError(400, u'illegal_argument_exception', u'Rejecting mapping update to [sui_sigma_doc] as the final mapping would have more than 1 type: [_doc, sui_sigma_doc]')

My es_config.py :

ES_host = ['localhost']
ES_http_auth = ('user', 'pass')
ES_port = 9200
ES_scheme = "https" # "http" or "https"

### if X-Pack is NOT installed
### use these configs
ES_use_ssl=True
ES_verify_certs=True
ES_ca_certs='/etc/elasticsearch/root-ca.pem'

### if X-Pack IS installed
### use these configs
#ES_use_ssl=True
### False turns certificate verification off (insecure); keep it True in production
#ES_verify_certs=False
### provide a path to CA certs on disk
#ES_ca_certs='/path/to/certs/cas.crt'

SIGMA_DOC_INDEX_NAME = "sui_sigma_doc"
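Two of the import failures above come from the ELK_import_export side rather than from the plugin: in "Importing Sigma index" the client dies inside OpenSSL (X509_load_cert_crl_file / BIO_new_file "no such file") because ES_ca_certs points at a file that does not exist, and in "Couldn't create template properly" and "Import Index issue" Elasticsearch 7 rejects es.index(..., doc_type=index, ...) because a 7.x index has exactly one mapping type, _doc, so a second type named sui_sigma_doc cannot be added. The script below is an added example, not the project's code: it validates an es_config.py-style settings dict before any connection is made, builds a verifying TLS context that fails early on a bad CA path, and produces an ES 7-compatible _bulk body with no _type in the action line. It is standard library only and sends nothing; the sample documents are constructed, since the layout of sui_sigma_doc_index.json is not shown on this page.

```python
"""Pre-flight for the ELK_import_export scripts against Elasticsearch 7.x.

Added example, not part of the SigmaUI project. Nothing here talks to a cluster;
the bulk body is what you would POST to /_bulk once the config checks pass.
"""
import json
import os
import ssl


def validate_es_config(cfg: dict) -> list:
    """Return a list of problems with an es_config.py-style settings dict (empty = OK)."""
    problems = []
    if cfg.get("ES_scheme") == "https" and not cfg.get("ES_use_ssl", False):
        problems.append("ES_scheme is https but ES_use_ssl is False")
    if cfg.get("ES_use_ssl"):
        if not cfg.get("ES_verify_certs", True):
            # The client would accept any certificate, so the ES_http_auth credentials
            # can be captured by anyone on the path to port 9200.
            problems.append("ES_verify_certs is False: server identity is not checked")
        ca = cfg.get("ES_ca_certs")
        if ca and not os.path.isfile(ca):
            problems.append("ES_ca_certs %r does not exist (OpenSSL reports this as "
                            "X509_load_cert_crl_file / BIO_new_file 'no such file')" % ca)
    if cfg.get("ES_http_auth") in (None, ("user", "pass")):
        problems.append("ES_http_auth is unset or still the placeholder")
    return problems


def make_ssl_context(ca_certs=None):
    """Build a verifying TLS context, failing with a clear message on a missing CA file."""
    if ca_certs is not None and not os.path.isfile(ca_certs):
        raise FileNotFoundError("CA bundle not found: %s" % ca_certs)
    return ssl.create_default_context(cafile=ca_certs)


def build_bulk_body(index: str, docs: dict) -> str:
    """NDJSON for the _bulk API.

    The action line carries _index and _id only. ES 7 indices have a single mapping
    type (_doc), which is why index(..., doc_type=index, ...) is rejected with
    "final mapping would have more than 1 type: [_doc, sui_sigma_doc]".
    """
    lines = []
    for doc_id, doc in docs.items():
        lines.append(json.dumps({"index": {"_index": index, "_id": doc_id}}))
        lines.append(json.dumps(doc))
    return "\n".join(lines) + "\n"


# Constructed sample documents standing in for sui_sigma_doc_index.json; only the
# first id is taken from the output quoted in the issue.
SAMPLE_DOCS = {
    "UZ3knmUBtApo-eN_puWZ": {"title": "Constructed rule A", "status": "experimental"},
    "constructed-id-2": {"title": "Constructed rule B", "status": "stable"},
}

# Mirrors the es_config.py quoted above (placeholder credentials included).
SAMPLE_CONFIG = {
    "ES_host": ["localhost"], "ES_port": 9200, "ES_scheme": "https",
    "ES_http_auth": ("user", "pass"), "ES_use_ssl": True,
    "ES_verify_certs": True, "ES_ca_certs": "/etc/elasticsearch/root-ca.pem",
}

if __name__ == "__main__":
    for problem in validate_es_config(SAMPLE_CONFIG):
        print("config:", problem)
    print(build_bulk_body("sui_sigma_doc", SAMPLE_DOCS), end="")
```

Run validate_es_config() on the values from es_config.py before touching the cluster; a missing CA file or ES_verify_certs=False shows up as a plain message instead of the OpenSSL traceback. For the single-type rule, the same fix applies to the original insert_doc: drop the doc_type argument (or pass "_doc") when the cluster is 7.x.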
