tools/sigma/parser/rule.py

# Sigma parser
# Copyright 2016-2019 Thomas Patzke, Florian Roth

# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.

# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Lesser General Public License for more details.

# You should have received a copy of the GNU Lesser General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

import re
from .exceptions import SigmaParseError
from .condition import SigmaConditionTokenizer, SigmaConditionParser, ConditionAND, ConditionOR, ConditionNULLValue
from .modifiers import apply_modifiers

class SigmaParser:
    """Parse a Sigma rule (definitions, conditions and aggregations)"""
    def __init__(self, sigma, config):
        self.definitions = dict()
        self.values = dict()
        self.config = config
        self.parsedyaml = sigma
        self.parse_sigma()

    def parse_sigma(self):
        try:    # definition uniqueness check
            for definitionName, definition in self.parsedyaml["detection"].items():
                if definitionName != "condition":
                    self.definitions[definitionName] = definition
                    self.extract_values(definition)     # builds key-values-table in self.values
        except KeyError:
            raise SigmaParseError("No detection definitions found")

        try:    # tokenization
            conditions = self.parsedyaml["detection"]["condition"]
            self.condtoken = list()     # list of tokenized conditions
            if type(conditions) == str:
                self.condtoken.append(SigmaConditionTokenizer(conditions))
            elif type(conditions) == list:
                for condition in conditions:
                    self.condtoken.append(SigmaConditionTokenizer(condition))
        except KeyError:
            raise SigmaParseError("No condition found")

        self.condparsed = list()        # list of parsed conditions
        for tokens in self.condtoken:
            condparsed = SigmaConditionParser(self, tokens)
            self.condparsed.append(condparsed)

    def parse_definition_byname(self, definitionName, condOverride=None):
        try:
            definition = self.definitions[definitionName]
        except KeyError as e:
            raise SigmaParseError("Unknown definition '%s'" % definitionName) from e
        return self.parse_definition(definition, condOverride)

    def parse_definition(self, definition, condOverride=None):
        if type(definition) not in (dict, list):
            raise SigmaParseError("Expected map or list, got type %s: '%s'" % (type(definition), str(definition)))

        if type(definition) == list:    # list of values or maps
            if condOverride:    # condition given through rule detection condition, e.g. 1 of x
                cond = condOverride()
            else:               # no condition given, use default from spec
                cond = ConditionOR()

            subcond = None
            for value in definition:
                if type(value) in (str, int):
                    cond.add(value)
                elif type(value) in (dict, list):
                    cond.add(self.parse_definition(value))
                else:
                    raise SigmaParseError("Definition list may only contain plain values or maps")
        elif type(definition) == dict:      # map
            cond = ConditionAND()
            for key, value in definition.items():
                if "|" in key:  # field name contains value modifier
                    fieldname, *modifiers = key.split("|")
                    value = apply_modifiers(value, modifiers)
                else:
                    fieldname = key
                mapping = self.config.get_fieldmapping(fieldname)
                if isinstance(value, (ConditionAND, ConditionOR)):    # value is condition node (by transformation modifier)
                    value.items = [ mapping.resolve(key, item, self) for item in value.items ]
                    cond.add(value)
                else:           # plain value or something unexpected (catched by backends)
                    mapped = mapping.resolve(key, value, self)
                    cond.add(mapped)

        return cond

    def extract_values(self, definition):
        """Extract all values from map key:value pairs info self.values"""
        if type(definition) == list:     # iterate through items of list
            for item in definition:
                self.extract_values(item)
        elif type(definition) == dict:  # add dict items to map
            for key, value in definition.items():
                self.add_value(key, value)

    def add_value(self, key, value):
        """Add value to values table, create key if it doesn't exist"""
        if key in self.values:
            self.values[key].add(str(value))
        else:
            self.values[key] = { str(value) }

    def get_logsource(self):
        """Returns logsource configuration object for current rule"""
        try:
            ls_rule = self.parsedyaml['logsource']
        except KeyError:
            return None

        try:
            category = ls_rule['category']
        except KeyError:
            category = None
        try:
            product = ls_rule['product']
        except KeyError:
            product = None
        try:
            service = ls_rule['service']
        except KeyError:
            service = None

        return self.config.get_logsource(category, product, service)

    def get_logsource_condition(self):
        logsource = self.get_logsource()
        if logsource is None:
            return None
        else:
            if logsource.merged:    # Merged log source, flatten nested list of condition items
                kvconds = [ item for sublscond in logsource.conditions for item in sublscond ]
            else:                   # Simple log sources already contain flat list of conditions items
                kvconds = logsource.conditions

            # Apply field mappings
            mapped_kvconds = list()
            for field, value in kvconds:
                mapping = self.config.get_fieldmapping(field)
                mapped_kvconds.append(mapping.resolve(field, value, self))

            # AND-link condition items
            cond = ConditionAND()
            for kvcond in mapped_kvconds:
                cond.add(kvcond)

            # Add index condition if supported by backend and defined in log source
            index_field = self.config.get_indexfield()
            indices = logsource.index
            if len(indices) > 0 and index_field is not None:        # at least one index given and backend knows about indices in conditions
                if len(indices) > 1:      # More than one index, search in all by ORing them together
                    index_cond = ConditionOR()
                    for index in indices:
                        index_cond.add((index_field, index))
                    cond.add(index_cond)
                else:           # only one index, add directly to AND from above
                    cond.add((index_field, indices[0]))

            return cond
Moved YAML parsing in SigmaParser class 2017-02-13 23:29:56 +01:00			`# Sigma parser`
Value modifiers 2019-05-26 23:58:56 +02:00			`# Copyright 2016-2019 Thomas Patzke, Florian Roth`
Re-licensing toolchain under LGPLv3 2017-12-07 21:55:43 +01:00
			`# This program is free software: you can redistribute it and/or modify`
			`# it under the terms of the GNU Lesser General Public License as published by`
			`# the Free Software Foundation, either version 3 of the License, or`
			`# (at your option) any later version.`

			`# This program is distributed in the hope that it will be useful,`
			`# but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`# GNU Lesser General Public License for more details.`

			`# You should have received a copy of the GNU Lesser General Public License`
			`# along with this program. If not, see <http://www.gnu.org/licenses/>.`
Moved YAML parsing in SigmaParser class 2017-02-13 23:29:56 +01:00
			`import re`
Fixes for parser split 2018-07-27 00:02:07 +02:00			`from .exceptions import SigmaParseError`
			`from .condition import SigmaConditionTokenizer, SigmaConditionParser, ConditionAND, ConditionOR, ConditionNULLValue`
Value modifiers 2019-05-26 23:58:56 +02:00			`from .modifiers import apply_modifiers`
Sigma rule collection YAML action documents 2017-11-01 00:17:55 +01:00
Moved YAML parsing in SigmaParser class 2017-02-13 23:29:56 +01:00			`class SigmaParser:`
Multiple rules per file 2017-10-31 23:06:18 +01:00			`"""Parse a Sigma rule (definitions, conditions and aggregations)"""`
Parsing log sources in configuration files 2017-03-12 23:12:21 +01:00			`def __init__(self, sigma, config):`
Parsing of detections 2017-02-16 00:40:08 +01:00			`self.definitions = dict()`
Changes to field mappings 2017-03-24 00:48:32 +01:00			`self.values = dict()`
Parsing log sources in configuration files 2017-03-12 23:12:21 +01:00			`self.config = config`
Multiple rules per file 2017-10-31 23:06:18 +01:00			`self.parsedyaml = sigma`
Further backend changes 2017-09-04 00:56:04 +02:00			`self.parse_sigma()`
Intermediate backup state: Parsing of most conditions 2017-02-22 22:43:35 +01:00
			`def parse_sigma(self):`
sigmac: Condition Tokenizer 2017-02-16 23:58:44 +01:00			`try: # definition uniqueness check`
Intermediate backup state: Parsing of most conditions 2017-02-22 22:43:35 +01:00			`for definitionName, definition in self.parsedyaml["detection"].items():`
sigma/parser: Introduced new conditions 2018-03-06 23:13:42 +01:00			`if definitionName != "condition":`
			`self.definitions[definitionName] = definition`
			`self.extract_values(definition) # builds key-values-table in self.values`
Parsing of detections 2017-02-16 00:40:08 +01:00			`except KeyError:`
			`raise SigmaParseError("No detection definitions found")`

sigmac: Condition Tokenizer 2017-02-16 23:58:44 +01:00			`try: # tokenization`
			`conditions = self.parsedyaml["detection"]["condition"]`
Intermediate backup state: Parsing of most conditions 2017-02-22 22:43:35 +01:00			`self.condtoken = list() # list of tokenized conditions`
sigmac: Condition Tokenizer 2017-02-16 23:58:44 +01:00			`if type(conditions) == str:`
			`self.condtoken.append(SigmaConditionTokenizer(conditions))`
			`elif type(conditions) == list:`
			`for condition in conditions:`
			`self.condtoken.append(SigmaConditionTokenizer(condition))`
			`except KeyError:`
			`raise SigmaParseError("No condition found")`

Intermediate backup state: Parsing of most conditions 2017-02-22 22:43:35 +01:00			`self.condparsed = list() # list of parsed conditions`
			`for tokens in self.condtoken:`
Multiple rules per file 2017-10-31 23:06:18 +01:00			`condparsed = SigmaConditionParser(self, tokens)`
			`self.condparsed.append(condparsed)`
Intermediate backup state: Parsing of most conditions 2017-02-22 22:43:35 +01:00
Conversion to Elasticsearch Query Strings 2017-02-22 22:47:12 +01:00			`def parse_definition_byname(self, definitionName, condOverride=None):`
Intermediate backup state: Parsing of most conditions 2017-02-22 22:43:35 +01:00			`try:`
			`definition = self.definitions[definitionName]`
			`except KeyError as e:`
Increased test coverage 2017-10-23 23:30:44 +02:00			`raise SigmaParseError("Unknown definition '%s'" % definitionName) from e`
Conversion to Elasticsearch Query Strings 2017-02-22 22:47:12 +01:00			`return self.parse_definition(definition, condOverride)`

			`def parse_definition(self, definition, condOverride=None):`
Parsing of detections 2017-02-16 00:40:08 +01:00			`if type(definition) not in (dict, list):`
			`raise SigmaParseError("Expected map or list, got type %s: '%s'" % (type(definition), str(definition)))`

			`if type(definition) == list: # list of values or maps`
			`if condOverride: # condition given through rule detection condition, e.g. 1 of x`
Parsing of search expressions 2017-02-22 22:47:12 +01:00			`cond = condOverride()`
Parsing of detections 2017-02-16 00:40:08 +01:00			`else: # no condition given, use default from spec`
			`cond = ConditionOR()`

Conversion to Elasticsearch Query Strings 2017-02-22 22:47:12 +01:00			`subcond = None`
Parsing of detections 2017-02-16 00:40:08 +01:00			`for value in definition:`
Conversion to Elasticsearch Query Strings 2017-02-22 22:47:12 +01:00			`if type(value) in (str, int):`
Parsing of detections 2017-02-16 00:40:08 +01:00			`cond.add(value)`
Conversion to Elasticsearch Query Strings 2017-02-22 22:47:12 +01:00			`elif type(value) in (dict, list):`
			`cond.add(self.parse_definition(value))`
Parsing of detections 2017-02-16 00:40:08 +01:00			`else:`
			`raise SigmaParseError("Definition list may only contain plain values or maps")`
			`elif type(definition) == dict: # map`
sigmac: Condition Tokenizer 2017-02-16 23:58:44 +01:00			`cond = ConditionAND()`
			`for key, value in definition.items():`
Value modifiers 2019-05-26 23:58:56 +02:00			`if "\|" in key: # field name contains value modifier`
			`fieldname, *modifiers = key.split("\|")`
			`value = apply_modifiers(value, modifiers)`
			`else:`
			`fieldname = key`
			`mapping = self.config.get_fieldmapping(fieldname)`
			`if isinstance(value, (ConditionAND, ConditionOR)): # value is condition node (by transformation modifier)`
			`value.items = [ mapping.resolve(key, item, self) for item in value.items ]`
			`cond.add(value)`
			`else: # plain value or something unexpected (catched by backends)`
			`mapped = mapping.resolve(key, value, self)`
			`cond.add(mapped)`
Parsing of detections 2017-02-16 00:40:08 +01:00
			`return cond`

Changes to field mappings 2017-03-24 00:48:32 +01:00			`def extract_values(self, definition):`
			`"""Extract all values from map key:value pairs info self.values"""`
			`if type(definition) == list: # iterate through items of list`
			`for item in definition:`
			`self.extract_values(item)`
			`elif type(definition) == dict: # add dict items to map`
			`for key, value in definition.items():`
			`self.add_value(key, value)`

			`def add_value(self, key, value):`
			`"""Add value to values table, create key if it doesn't exist"""`
			`if key in self.values:`
Conditional field mappings 2017-03-25 00:21:44 +01:00			`self.values[key].add(str(value))`
Changes to field mappings 2017-03-24 00:48:32 +01:00			`else:`
Conditional field mappings 2017-03-25 00:21:44 +01:00			`self.values[key] = { str(value) }`
Changes to field mappings 2017-03-24 00:48:32 +01:00
Log source conditions are integrated in generated expressions 2017-03-14 23:22:32 +01:00			`def get_logsource(self):`
			`"""Returns logsource configuration object for current rule"""`
			`try:`
			`ls_rule = self.parsedyaml['logsource']`
			`except KeyError:`
			`return None`

			`try:`
			`category = ls_rule['category']`
			`except KeyError:`
			`category = None`
			`try:`
			`product = ls_rule['product']`
			`except KeyError:`
			`product = None`
			`try:`
			`service = ls_rule['service']`
			`except KeyError:`
			`service = None`

			`return self.config.get_logsource(category, product, service)`
Stacked configurations 2018-09-12 23:31:51 +02:00
			`def get_logsource_condition(self):`
			`logsource = self.get_logsource()`
			`if logsource is None:`
			`return None`
			`else:`
			`if logsource.merged: # Merged log source, flatten nested list of condition items`
			`kvconds = [ item for sublscond in logsource.conditions for item in sublscond ]`
			`else: # Simple log sources already contain flat list of conditions items`
			`kvconds = logsource.conditions`

Apply field mappings in generation of log source condition 2018-10-06 23:38:35 +02:00			`# Apply field mappings`
			`mapped_kvconds = list()`
			`for field, value in kvconds:`
			`mapping = self.config.get_fieldmapping(field)`
			`mapped_kvconds.append(mapping.resolve(field, value, self))`

Stacked configurations 2018-09-12 23:31:51 +02:00			`# AND-link condition items`
			`cond = ConditionAND()`
Apply field mappings in generation of log source condition 2018-10-06 23:38:35 +02:00			`for kvcond in mapped_kvconds:`
Stacked configurations 2018-09-12 23:31:51 +02:00			`cond.add(kvcond)`

			`# Add index condition if supported by backend and defined in log source`
			`index_field = self.config.get_indexfield()`
			`indices = logsource.index`
			`if len(indices) > 0 and index_field is not None: # at least one index given and backend knows about indices in conditions`
			`if len(indices) > 1: # More than one index, search in all by ORing them together`
			`index_cond = ConditionOR()`
			`for index in indices:`
			`index_cond.add((index_field, index))`
			`cond.add(index_cond)`
			`else: # only one index, add directly to AND from above`
			`cond.add((index_field, indices[0]))`

			`return cond`