SIEMForge bug silently disables log size cap when file cannot be measured
A developer maintaining SIEMForge, an open-source SIEM detection tool, discovered that its 100MB log-file size guard quietly deactivates itself whenever a file's size cannot be read via stat(). The flaw means the safety check — designed to prevent memory exhaustion from large or attacker-supplied files — fails silently in precisely the adversarial conditions it was built to handle, such as permission errors or unusual mounts. Further investigation revealed broader inconsistency in how the scanner handles errors: unknown file extensions silently fall back to JSON parsing, returning a false "clean" result instead of raising an alert. Similarly, CSV parsing failures cause field names to be replaced with generic positional labels like col_0, causing Sigma rules keyed on specific field names to match nothing and report no threats. The developer added characterization tests to document the existing behavior and flagged the pattern as a systemic design concern for a tool intended for security use.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.

Discussion (0)
Log in to join the discussion and vote.
Log in