-
-
Notifications
You must be signed in to change notification settings - Fork 103
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
sigma.exceptions.SigmaValueError: Can't merge value lists '<field>' into one item due to different logical linking. #245
Comments
The The reason here is that there's a possibility to create rules programmatically that can't be expressed in a dict, e.g. because multiple detection items with the same field name are contained in them. The |
Ah, wait, changing the one instance into a list wouldn't help because the problem is that merging to lists of a field-bound detection item would result into a different boolean logic. |
Indeed, I tried that and same error. |
I don't really understand this part. YAML and JSON can serialize the same information and they can be converted into one another easily. Also, JSON can be parsed as a From my basic and incomplete understanding, there is no conflict here, because it's just a list of different items, and in a |
It is 😉 that's the reason it is marked as bug now. Somehow the YAML is parsec into a data structure that can't be converted back or some check is too strict. |
As a temporary workaround, I found that simply putting the condition in a separate block doesn't raise the error yet is the same logic: raises error: detection:
exclusions:
- D:
- '5'
- '6'
C:
- '3'
- '4'
- D: '2'
E:
- '1'
condition: not exclusions doesn't raise error: detection:
exclusion1:
- D:
- '5'
- '6'
C:
- '3'
- '4'
exclusion2:
- D: '2'
E:
- '1'
condition: not exclusion1 and not exclusion2 |
Hello, I tried to convert a Sigma rule but got this weird error when calling
.to_dict()
on it. I feel like it should work?Here is the error:
Any idea?
The text was updated successfully, but these errors were encountered: