tools/sigma/backends/carbonblack.py

import re
import requests
import json
import os
from sigma.config.eventdict import event
from fnmatch import fnmatch

from sigma.backends.base import SingleTextQueryBackend
from sigma.backends.exceptions import NotSupportedError
from sigma.parser.modifiers.type import SigmaRegularExpressionModifier
from sigma.parser.condition import ConditionOR, ConditionAND, NodeSubexpression

from sigma.parser.modifiers.base import SigmaTypeModifier
from sigma.parser.modifiers.type import SigmaRegularExpressionModifier


class CarbonBlackWildcardHandlingMixin:
    """
    Determine field mapping to keyword subfields depending on existence of wildcards in search values. Further,
    provide configurability with backend parameters.
    """

    # options = SingleTextQueryBackend.options + (
    #         ("keyword_field", None, "Keyword sub-field name", None),
    #         ("keyword_blacklist", None, "Fields that don't have a keyword subfield (wildcards * and ? allowed)", None)
    #         )
    reContainsWildcard = re.compile("(?:(?<!\\\\)|\\\\\\\\)[*?]").search

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.matchKeyword = True
        try:
            self.blacklist = self.keyword_blacklist.split(",")
        except AttributeError:
            self.blacklist = list()

    def containsWildcard(self, value):
        """Determine if value contains wildcard."""
        if type(value) == str:
            res = self.reContainsWildcard(value)
            return res
        else:
            return False


class CarbonBlackQueryBackend(CarbonBlackWildcardHandlingMixin, SingleTextQueryBackend):
    """Converts Sigma rule into CarbonBlack query string. Only searches, no aggregations."""

    identifier = "carbonblack"
    active = True

    # reEscape = re.compile("([\s+\\-=!(){}\\[\\]^\"~:/]|(?<!\\\\)\\\\(?![*?\\\\])|\\\\u|&&|\\|\\|)")
    reEscape = re.compile("([\s\s+()\"])")
    reClear = re.compile("[<>]")
    andToken = " AND "
    orToken = " OR "
    notToken = " -"
    subExpression = "(%s)"
    listExpression = "(%s)"
    listSeparator = " OR "
    valueExpression = '%s'
    typedValueExpression = {SigmaRegularExpressionModifier: "/%s/"}
    nullExpression = "NOT _exists_:%s"
    notNullExpression = "_exists_:%s"
    mapExpression = "%s:%s"
    mapListsSpecialHandling = False
    escapeCharacters = [
        '\\',
        '"',
        '\'',
        '(',
        ')',
        '[',
        ']',
        '{',
        '}',
        ',',
        '=',
        '<',
        '>',
        '&',
        '|',
        ';',
        ':',
    ]

    def __init__(self, *args, **kwargs):
        """Initialize field mappings."""
        super().__init__(*args, **kwargs)
        self.category = None
        self.excluded_fields = None

    def cleanLeading(self, val):
        if val.startswith("*"):
            val = val[1:]
        if val.endswith("*"):
            val = val[:-1]
        return val.strip()

    def escapeCharacter(self, val):
        for ch in self.escapeCharacters:
            val = val.replace(ch, '\\' + ch)
        return val

    def unescapeCharacter(self, val):
        for ch in self.escapeCharacters:
            val = val.replace('\\' + ch, ch)
        return val

    def cleanWhitespace(self, val):
        val = val.replace('*', ' AND ').replace('  ', ' ')
        if re.match('\S+ \S', val):
            matchs = re.findall('(?:^|\(| )(.+?)(?:\)| OR| AND|$)', val)
            for strMatch in matchs:
                if re.match('\S+ \S', strMatch):
                    strUnescapeMatch = self.unescapeCharacter(strMatch)
                    val = val.replace(strMatch, '"{}"'.format(strUnescapeMatch))
        return val.strip()

    def cleanValue(self, val):
        if "[1 to *]" in val:
            self.reEscape = re.compile("([()])")
            val = super().cleanValue(val)
            val = val.strip()
        # else:
        #     self.reEscape = re.compile("([\s\s+()])")
        elif isinstance(val, str):
            val = val.strip()
            val = self.cleanLeading(val)
            val = self.escapeCharacter(val)
            val = self.cleanWhitespace(val)
        return val

    def cleanIPRange(self, value):
        new_value = value
        if type(new_value) is str and value.find('*'):
            sub = value.count('.')
            if value[-2:] == '.*':
                value = value[:-2]
            min_ip = value + '.0' * (4 - sub)
            new_value = min_ip + '/' + str(8 * (4 - sub))
        elif type(new_value) is list:
            for index, vl in enumerate(new_value):
                new_value[index] = self.cleanIPRange(vl)

        return new_value

    def generateValueNode(self, node):
        result = self.valueExpression % (str(node))
        if result == "" or result.isspace():
            return '""'
        else:
            if self.matchKeyword:  # don't quote search value on keyword field
                return result
            else:
                return "%s" % result

    def generateMapItemNode(self, node):
        fieldname, value = node
        if fieldname == "EventID" and (type(value) is str or type(value) is int):
            fieldname = self.generateEventKey(value)
            value = self.generateEventValue(value)
        if fieldname.lower() in self.excluded_fields:
            return
        else:
            transformed_fieldname = self.fieldNameMapping(fieldname, value)
            if transformed_fieldname == "ipaddr":
                value = self.cleanIPRange(value)
            if (
                self.mapListsSpecialHandling == False
                and type(value) in (str, int, list)
                or self.mapListsSpecialHandling == True
                and type(value) in (str, int)
            ):
                # return self.mapExpression % (transformed_fieldname, self.generateNode(value))
                if isinstance(value, list):
                    return self.generateNode(
                        [
                            self.mapExpression
                            % (transformed_fieldname, self.cleanValue(item))
                            for item in value
                        ]
                    )
                elif isinstance(value, str) or isinstance(value, int):
                    return self.mapExpression % (
                        transformed_fieldname,
                        self.generateNode(self.cleanValue(value)),
                    )
            elif type(value) == list:
                return self.generateMapItemListNode(transformed_fieldname, value)
            elif isinstance(value, SigmaTypeModifier) and not isinstance(
                value, SigmaRegularExpressionModifier
            ):
                return self.generateMapItemTypedNode(transformed_fieldname, value)
            elif value is None:
                return self.nullExpression % (transformed_fieldname,)
            else:
                raise TypeError(
                    "Backend does not support map values of type " + str(type(value))
                )

    def generateNOTNode(self, node):
        expression = super().generateNode(node.item)
        if expression:
            return "(%s%s)" % (self.notToken, expression)

    # Function to upload watchlists through CB API

    def postAPI(self, result, title, desc):
        url = os.getenv("cbapi_watchlist")
        body = {
            "name": title,
            "search_query": "q=" + str(result),
            "description": desc,
            "index_type": "events",
        }
        header = {"X-Auth-Token": os.getenv("APIToken")}
        print(title)
        x = requests.post(url, data=json.dumps(body), headers=header, verify=False)
        print(x.text)

    def generateEventKey(self, value):
        if value in event:
            return event[value][0]
        else:
            return 'eventid'

    def generateEventValue(self, value):
        if value in event:
            return event[value][1]
        else:
            return ''

    def generate(self, sigmaparser):
        """Method is called for each sigma rule and receives the parsed rule (SigmaParser)"""
        title = sigmaparser.parsedyaml["title"]
        desc = sigmaparser.parsedyaml["description"]
        try:
            self.category = sigmaparser.parsedyaml['logsource'].setdefault(
                'category', None
            )
            self.counted = sigmaparser.parsedyaml.get('counted', None)
            self.excluded_fields = [
                item.lower()
                for item in sigmaparser.config.config.get("excludedfields", [])
            ]
        except KeyError:
            self.category = None
        for parsed in sigmaparser.condparsed:
            query = self.generateQuery(parsed)
            result = ""

            if query is not None:
                result += query
                # self.postAPI(result,title,desc)
            return result
        # if self.category == "process_creation":
        #     for parsed in sigmaparser.condparsed:
        #         query = self.generateQuery(parsed)
        #         result = ""

        #         if query is not None:
        #             result += query
        #         return result
        # else:
        #     raise NotSupportedError("Not supported logsource category.")
Carbonblack, Arcsight ESM, Elastic Rule 2020-02-24 19:29:45 +02:00			`import re`
Added Humio, Crowdstrike, Corelight 2020-05-08 13:41:52 +03:00			`import requests`
			`import json`
			`import os`
			`from sigma.config.eventdict import event`
Carbonblack, Arcsight ESM, Elastic Rule 2020-02-24 19:29:45 +02:00			`from fnmatch import fnmatch`

			`from sigma.backends.base import SingleTextQueryBackend`
			`from sigma.backends.exceptions import NotSupportedError`
			`from sigma.parser.modifiers.type import SigmaRegularExpressionModifier`
			`from sigma.parser.condition import ConditionOR, ConditionAND, NodeSubexpression`

			`from sigma.parser.modifiers.base import SigmaTypeModifier`
Fix wild card and some escaped characters 2020-08-18 15:57:13 +07:00			`from sigma.parser.modifiers.type import SigmaRegularExpressionModifier`
Carbonblack, Arcsight ESM, Elastic Rule 2020-02-24 19:29:45 +02:00

			`class CarbonBlackWildcardHandlingMixin:`
			`"""`
			`Determine field mapping to keyword subfields depending on existence of wildcards in search values. Further,`
			`provide configurability with backend parameters.`
			`"""`
Fix wild card and some escaped characters 2020-08-18 15:57:13 +07:00
Carbonblack, Arcsight ESM, Elastic Rule 2020-02-24 19:29:45 +02:00			`# options = SingleTextQueryBackend.options + (`
			`# ("keyword_field", None, "Keyword sub-field name", None),`
			`# ("keyword_blacklist", None, "Fields that don't have a keyword subfield (wildcards * and ? allowed)", None)`
			`# )`
			`reContainsWildcard = re.compile("(?:(?<!\\\\)\|\\\\\\\\)[*?]").search`

			`def __init__(self, args, *kwargs):`
			`super().__init__(args, *kwargs)`
			`self.matchKeyword = True`
			`try:`
			`self.blacklist = self.keyword_blacklist.split(",")`
			`except AttributeError:`
			`self.blacklist = list()`

			`def containsWildcard(self, value):`
			`"""Determine if value contains wildcard."""`
			`if type(value) == str:`
			`res = self.reContainsWildcard(value)`
			`return res`
			`else:`
			`return False`


			`class CarbonBlackQueryBackend(CarbonBlackWildcardHandlingMixin, SingleTextQueryBackend):`
			`"""Converts Sigma rule into CarbonBlack query string. Only searches, no aggregations."""`
Fix wild card and some escaped characters 2020-08-18 15:57:13 +07:00
Carbonblack, Arcsight ESM, Elastic Rule 2020-02-24 19:29:45 +02:00			`identifier = "carbonblack"`
			`active = True`

Fix wild card and some escaped characters 2020-08-18 15:57:13 +07:00			`# reEscape = re.compile("([\s+\\-=!(){}\\[\\]^\"~:/]\|(?<!\\\\)\\\\(?![*?\\\\])\|\\\\u\|&&\|\\\|\\\|)")`
Added Humio, Crowdstrike, Corelight 2020-05-08 13:41:52 +03:00			`reEscape = re.compile("([\s\s+()\"])")`
Carbonblack, Arcsight ESM, Elastic Rule 2020-02-24 19:29:45 +02:00			`reClear = re.compile("[<>]")`
			`andToken = " AND "`
			`orToken = " OR "`
			`notToken = " -"`
			`subExpression = "(%s)"`
Add parentheses about field list groups in CB 2020-06-11 14:28:22 +02:00			`listExpression = "(%s)"`
Carbonblack, Arcsight ESM, Elastic Rule 2020-02-24 19:29:45 +02:00			`listSeparator = " OR "`
			`valueExpression = '%s'`
Fix wild card and some escaped characters 2020-08-18 15:57:13 +07:00			`typedValueExpression = {SigmaRegularExpressionModifier: "/%s/"}`
Carbonblack, Arcsight ESM, Elastic Rule 2020-02-24 19:29:45 +02:00			`nullExpression = "NOT _exists_:%s"`
			`notNullExpression = "_exists_:%s"`
			`mapExpression = "%s:%s"`
			`mapListsSpecialHandling = False`
Fix wild card and some escaped characters 2020-08-18 15:57:13 +07:00			`escapeCharacters = [`
			`'\\',`
			`'"',`
			`'\'',`
			`'(',`
			`')',`
			`'[',`
			`']',`
			`'{',`
			`'}',`
			`',',`
			`'=',`
			`'<',`
			`'>',`
			`'&',`
			`'\|',`
			`';',`
			`':',`
			`]`
Carbonblack, Arcsight ESM, Elastic Rule 2020-02-24 19:29:45 +02:00
			`def __init__(self, args, *kwargs):`
			`"""Initialize field mappings."""`
			`super().__init__(args, *kwargs)`
			`self.category = None`
			`self.excluded_fields = None`

Fix wild card and some escaped characters 2020-08-18 15:57:13 +07:00			`def cleanLeading(self, val):`
			`if val.startswith("*"):`
			`val = val[1:]`
			`if val.endswith("*"):`
			`val = val[:-1]`
			`return val.strip()`

			`def escapeCharacter(self, val):`
			`for ch in self.escapeCharacters:`
			`val = val.replace(ch, '\\' + ch)`
			`return val`

			`def unescapeCharacter(self, val):`
			`for ch in self.escapeCharacters:`
			`val = val.replace('\\' + ch, ch)`
			`return val`

			`def cleanWhitespace(self, val):`
			`val = val.replace('*', ' AND ').replace(' ', ' ')`
			`if re.match('\S+ \S', val):`
			`matchs = re.findall('(?:^\|\(\| )(.+?)(?:\)\| OR\| AND\|$)', val)`
			`for strMatch in matchs:`
			`if re.match('\S+ \S', strMatch):`
			`strUnescapeMatch = self.unescapeCharacter(strMatch)`
			`val = val.replace(strMatch, '"{}"'.format(strUnescapeMatch))`
			`return val.strip()`
Carbonblack, Arcsight ESM, Elastic Rule 2020-02-24 19:29:45 +02:00
			`def cleanValue(self, val):`
Fix wild card and some escaped characters 2020-08-18 15:57:13 +07:00			`if "[1 to *]" in val:`
Added Humio, Crowdstrike, Corelight 2020-05-08 13:41:52 +03:00			`self.reEscape = re.compile("([()])")`
Fix wild card and some escaped characters 2020-08-18 15:57:13 +07:00			`val = super().cleanValue(val)`
			`val = val.strip()`
			`# else:`
			`# self.reEscape = re.compile("([\s\s+()])")`
			`elif isinstance(val, str):`
			`val = val.strip()`
			`val = self.cleanLeading(val)`
			`val = self.escapeCharacter(val)`
			`val = self.cleanWhitespace(val)`
Carbonblack, Arcsight ESM, Elastic Rule 2020-02-24 19:29:45 +02:00			`return val`

Fix wild card and some escaped characters 2020-08-18 15:57:13 +07:00			`def cleanIPRange(self, value):`
Added Humio, Crowdstrike, Corelight 2020-05-08 13:41:52 +03:00			`new_value = value`
Fix wild card and some escaped characters 2020-08-18 15:57:13 +07:00			`if type(new_value) is str and value.find('*'):`
			`sub = value.count('.')`
			`if value[-2:] == '.*':`
			`value = value[:-2]`
			`min_ip = value + '.0' * (4 - sub)`
			`new_value = min_ip + '/' + str(8 * (4 - sub))`
Added Humio, Crowdstrike, Corelight 2020-05-08 13:41:52 +03:00			`elif type(new_value) is list:`
			`for index, vl in enumerate(new_value):`
			`new_value[index] = self.cleanIPRange(vl)`

			`return new_value`

Carbonblack, Arcsight ESM, Elastic Rule 2020-02-24 19:29:45 +02:00			`def generateValueNode(self, node):`
Added Humio, Crowdstrike, Corelight 2020-05-08 13:41:52 +03:00			`result = self.valueExpression % (str(node))`
Carbonblack, Arcsight ESM, Elastic Rule 2020-02-24 19:29:45 +02:00			`if result == "" or result.isspace():`
			`return '""'`
			`else:`
Fix wild card and some escaped characters 2020-08-18 15:57:13 +07:00			`if self.matchKeyword: # don't quote search value on keyword field`
Carbonblack, Arcsight ESM, Elastic Rule 2020-02-24 19:29:45 +02:00			`return result`
			`else:`
			`return "%s" % result`

			`def generateMapItemNode(self, node):`
			`fieldname, value = node`
Fix wild card and some escaped characters 2020-08-18 15:57:13 +07:00			`if fieldname == "EventID" and (type(value) is str or type(value) is int):`
Added Humio, Crowdstrike, Corelight 2020-05-08 13:41:52 +03:00			`fieldname = self.generateEventKey(value)`
			`value = self.generateEventValue(value)`
Carbonblack, Arcsight ESM, Elastic Rule 2020-02-24 19:29:45 +02:00			`if fieldname.lower() in self.excluded_fields:`
			`return`
			`else:`
			`transformed_fieldname = self.fieldNameMapping(fieldname, value)`
Fix wild card and some escaped characters 2020-08-18 15:57:13 +07:00			`if transformed_fieldname == "ipaddr":`
Added Humio, Crowdstrike, Corelight 2020-05-08 13:41:52 +03:00			`value = self.cleanIPRange(value)`
Fix wild card and some escaped characters 2020-08-18 15:57:13 +07:00			`if (`
			`self.mapListsSpecialHandling == False`
			`and type(value) in (str, int, list)`
			`or self.mapListsSpecialHandling == True`
			`and type(value) in (str, int)`
			`):`
			`# return self.mapExpression % (transformed_fieldname, self.generateNode(value))`
Carbonblack, Arcsight ESM, Elastic Rule 2020-02-24 19:29:45 +02:00			`if isinstance(value, list):`
Fix wild card and some escaped characters 2020-08-18 15:57:13 +07:00			`return self.generateNode(`
			`[`
			`self.mapExpression`
			`% (transformed_fieldname, self.cleanValue(item))`
			`for item in value`
			`]`
			`)`
Carbonblack, Arcsight ESM, Elastic Rule 2020-02-24 19:29:45 +02:00			`elif isinstance(value, str) or isinstance(value, int):`
Fix wild card and some escaped characters 2020-08-18 15:57:13 +07:00			`return self.mapExpression % (`
			`transformed_fieldname,`
			`self.generateNode(self.cleanValue(value)),`
			`)`
Carbonblack, Arcsight ESM, Elastic Rule 2020-02-24 19:29:45 +02:00			`elif type(value) == list:`
			`return self.generateMapItemListNode(transformed_fieldname, value)`
Fix wild card and some escaped characters 2020-08-18 15:57:13 +07:00			`elif isinstance(value, SigmaTypeModifier) and not isinstance(`
			`value, SigmaRegularExpressionModifier`
			`):`
Carbonblack, Arcsight ESM, Elastic Rule 2020-02-24 19:29:45 +02:00			`return self.generateMapItemTypedNode(transformed_fieldname, value)`
			`elif value is None:`
			`return self.nullExpression % (transformed_fieldname,)`
			`else:`
Fix wild card and some escaped characters 2020-08-18 15:57:13 +07:00			`raise TypeError(`
			`"Backend does not support map values of type " + str(type(value))`
			`)`
Carbonblack, Arcsight ESM, Elastic Rule 2020-02-24 19:29:45 +02:00
			`def generateNOTNode(self, node):`
			`expression = super().generateNode(node.item)`
			`if expression:`
			`return "(%s%s)" % (self.notToken, expression)`

Fix wild card and some escaped characters 2020-08-18 15:57:13 +07:00			`# Function to upload watchlists through CB API`

			`def postAPI(self, result, title, desc):`
Added Humio, Crowdstrike, Corelight 2020-05-08 13:41:52 +03:00			`url = os.getenv("cbapi_watchlist")`
			`body = {`
Fix wild card and some escaped characters 2020-08-18 15:57:13 +07:00			`"name": title,`
			`"search_query": "q=" + str(result),`
			`"description": desc,`
			`"index_type": "events",`
Added Humio, Crowdstrike, Corelight 2020-05-08 13:41:52 +03:00			`}`
Fix wild card and some escaped characters 2020-08-18 15:57:13 +07:00			`header = {"X-Auth-Token": os.getenv("APIToken")}`
Added Humio, Crowdstrike, Corelight 2020-05-08 13:41:52 +03:00			`print(title)`
Fix wild card and some escaped characters 2020-08-18 15:57:13 +07:00			`x = requests.post(url, data=json.dumps(body), headers=header, verify=False)`
Added Humio, Crowdstrike, Corelight 2020-05-08 13:41:52 +03:00			`print(x.text)`

			`def generateEventKey(self, value):`
Fix wild card and some escaped characters 2020-08-18 15:57:13 +07:00			`if value in event:`
Added Humio, Crowdstrike, Corelight 2020-05-08 13:41:52 +03:00			`return event[value][0]`
			`else:`
			`return 'eventid'`

			`def generateEventValue(self, value):`
Fix wild card and some escaped characters 2020-08-18 15:57:13 +07:00			`if value in event:`
Added Humio, Crowdstrike, Corelight 2020-05-08 13:41:52 +03:00			`return event[value][1]`
			`else:`
			`return ''`
Carbonblack, Arcsight ESM, Elastic Rule 2020-02-24 19:29:45 +02:00
			`def generate(self, sigmaparser):`
			`"""Method is called for each sigma rule and receives the parsed rule (SigmaParser)"""`
Added Humio, Crowdstrike, Corelight 2020-05-08 13:41:52 +03:00			`title = sigmaparser.parsedyaml["title"]`
			`desc = sigmaparser.parsedyaml["description"]`
Carbonblack, Arcsight ESM, Elastic Rule 2020-02-24 19:29:45 +02:00			`try:`
Fix wild card and some escaped characters 2020-08-18 15:57:13 +07:00			`self.category = sigmaparser.parsedyaml['logsource'].setdefault(`
			`'category', None`
			`)`
Carbonblack, Arcsight ESM, Elastic Rule 2020-02-24 19:29:45 +02:00			`self.counted = sigmaparser.parsedyaml.get('counted', None)`
Fix wild card and some escaped characters 2020-08-18 15:57:13 +07:00			`self.excluded_fields = [`
			`item.lower()`
			`for item in sigmaparser.config.config.get("excludedfields", [])`
			`]`
Carbonblack, Arcsight ESM, Elastic Rule 2020-02-24 19:29:45 +02:00			`except KeyError:`
			`self.category = None`
Added Humio, Crowdstrike, Corelight 2020-05-08 13:41:52 +03:00			`for parsed in sigmaparser.condparsed:`
			`query = self.generateQuery(parsed)`
			`result = ""`

			`if query is not None:`
			`result += query`
			`# self.postAPI(result,title,desc)`
			`return result`
			`# if self.category == "process_creation":`
			`# for parsed in sigmaparser.condparsed:`
			`# query = self.generateQuery(parsed)`
			`# result = ""`

			`# if query is not None:`
			`# result += query`
			`# return result`
			`# else:`
			`# raise NotSupportedError("Not supported logsource category.")`