tools/sigma/backends/logiq.py

import re
from .base import SingleTextQueryBackend
import json

class LogiqBackend(SingleTextQueryBackend):
    """Converts Sigma rule into LOGIQ event rule api payload """
    identifier = "logiq"
    config_required = False
    active = True
    reEscape = re.compile('(")')
    reClear = None
    andToken = " && "
    orToken = " || "
    notToken = " !~ "
    subExpression = "%s"
    listExpression = "%s"
    listSeparator = ", "
    valueExpression = "message =~ \'%s\'"
    keyExpression = "%s"
    nullExpression = "!~ %s"
    notNullExpression = "!%s"
    mapExpression = "(%s=%s)"
    mapListsSpecialHandling = True

    reEscape = re.compile("([\\|()\[\]{}.^$+])")

    def generate(self, sigmaparser):
        """Method is called for each sigma rule and receives the parsed rule (SigmaParser)"""

        eventRule = dict()
        eventRule["name"] = sigmaparser.parsedyaml["title"]
        eventRule["groupName"] = sigmaparser.parsedyaml["logsource"].get("product", "")
        eventRule["description"] = sigmaparser.parsedyaml["description"]
        eventRule["condition"] = sigmaparser.parsedyaml["detection"]
        eventRule["level"] = sigmaparser.parsedyaml["level"]

        for parsed in sigmaparser.condparsed:
            query = self.generateQuery(parsed)
            before = self.generateBefore(parsed)
            after = self.generateAfter(parsed)

            eventRule["condition"] = ""
            if before is not None:
                eventRule["condition"] = before
            if query is not None:
                eventRule["condition"] += query
            if after is not None:
                eventRule["condition"] += after

            return json.dumps(eventRule)

    def cleanValue(self, val):
        if val.startswith('*'):
            val = val.replace("*","/*")
      
        return val

    def generateListNode(self, node):
        if not set([type(value) for value in node]).issubset({str, int}):
            raise TypeError("List values must be strings or numbers")
        return self.generateORNode(node)
add LOGIQ backend. 2020-02-22 20:50:30 -08:00			`import re`
Rework according to review comments. 2020-02-22 20:59:56 -08:00			`from .base import SingleTextQueryBackend`
add LOGIQ backend. 2020-02-22 20:50:30 -08:00			`import json`

Rework according to review comments. 2020-02-22 20:59:56 -08:00			`class LogiqBackend(SingleTextQueryBackend):`
			`"""Converts Sigma rule into LOGIQ event rule api payload """`
add LOGIQ backend. 2020-02-22 20:50:30 -08:00			`identifier = "logiq"`
			`config_required = False`
Rework according to review comments. 2020-02-22 20:59:56 -08:00			`active = True`
			`reEscape = re.compile('(")')`
			`reClear = None`
			`andToken = " && "`
			`orToken = " \|\| "`
			`notToken = " !~ "`
			`subExpression = "%s"`
			`listExpression = "%s"`
			`listSeparator = ", "`
			`valueExpression = "message =~ \'%s\'"`
			`keyExpression = "%s"`
Fixes 2020-04-08 23:43:46 +02:00			`nullExpression = "!~ %s"`
Rework according to review comments. 2020-02-22 20:59:56 -08:00			`notNullExpression = "!%s"`
			`mapExpression = "(%s=%s)"`
			`mapListsSpecialHandling = True`
add LOGIQ backend. 2020-02-22 20:50:30 -08:00
			`reEscape = re.compile("([\\\|()\[\]{}.^$+])")`

			`def generate(self, sigmaparser):`
			`"""Method is called for each sigma rule and receives the parsed rule (SigmaParser)"""`

			`eventRule = dict()`
			`eventRule["name"] = sigmaparser.parsedyaml["title"]`
Fixes 2020-04-08 23:43:46 +02:00			`eventRule["groupName"] = sigmaparser.parsedyaml["logsource"].get("product", "")`
add LOGIQ backend. 2020-02-22 20:50:30 -08:00			`eventRule["description"] = sigmaparser.parsedyaml["description"]`
			`eventRule["condition"] = sigmaparser.parsedyaml["detection"]`
			`eventRule["level"] = sigmaparser.parsedyaml["level"]`

			`for parsed in sigmaparser.condparsed:`
			`query = self.generateQuery(parsed)`
			`before = self.generateBefore(parsed)`
			`after = self.generateAfter(parsed)`

			`eventRule["condition"] = ""`
			`if before is not None:`
			`eventRule["condition"] = before`
			`if query is not None:`
			`eventRule["condition"] += query`
			`if after is not None:`
			`eventRule["condition"] += after`

Rework according to review comments. 2020-02-22 20:59:56 -08:00			`return json.dumps(eventRule)`
add LOGIQ backend. 2020-02-22 20:50:30 -08:00
			`def cleanValue(self, val):`
Fixes 2020-04-08 23:43:46 +02:00			`if val.startswith('*'):`
add LOGIQ backend. 2020-02-22 20:50:30 -08:00			`val = val.replace("","/")`
Rework according to review comments. 2020-02-22 20:59:56 -08:00
add LOGIQ backend. 2020-02-22 20:50:30 -08:00			`return val`

			`def generateListNode(self, node):`
			`if not set([type(value) for value in node]).issubset({str, int}):`
			`raise TypeError("List values must be strings or numbers")`
			`return self.generateORNode(node)`