tools/sigma/filter.py

# Sigma parser
# Copyright 2016-2018 Thomas Patzke, Florian Roth

# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.

# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Lesser General Public License for more details.

# You should have received a copy of the GNU Lesser General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

# Rule Filtering
import datetime
class SigmaRuleFilter:
    """Filter for Sigma rules with conditions"""
    LEVELS = {
            "low"      : 0,
            "medium"   : 1,
            "high"     : 2,
            "critical" : 3
            }
    STATES = [
              "unsupported",
              "deprecated",
              "experimental",
              "test",
              "stable"]

    def __init__(self, expr):
        self.minlevel      = None
        self.maxlevel      = None
        self.status        = None
        self.notstatus     = None
        self.tlp           = None
        self.target        = None
        self.logsources    = list()
        self.notlogsources = list()
        self.tags          = list()
        self.nottags       = list()
        self.inlastday     = None
        self.condition     = list()
        self.notcondition  = list()

        for cond in [c.replace(" ", "") for c in expr.split(",")]:
            if cond.startswith("level<="):
                try:
                    level = cond[cond.index("=") + 1:]
                    self.maxlevel = self.LEVELS[level]
                except KeyError as e:
                    raise SigmaRuleFilterParseException("Unknown level '%s' in condition '%s'" % (level, cond)) from e
            elif cond.startswith("level>="):
                try:
                    level = cond[cond.index("=") + 1:]
                    self.minlevel = self.LEVELS[level]
                except KeyError as e:
                    raise SigmaRuleFilterParseException("Unknown level '%s' in condition '%s'" % (level, cond)) from e
            elif cond.startswith("level="):
                try:
                    level = cond[cond.index("=") + 1:]
                    self.minlevel = self.LEVELS[level]
                    self.maxlevel = self.minlevel
                except KeyError as e:
                    raise SigmaRuleFilterParseException("Unknown level '%s' in condition '%s'" % (level, cond)) from e
            elif cond.startswith("status="):
                self.status = cond[cond.index("=") + 1:]
                if self.status not in self.STATES:
                    raise SigmaRuleFilterParseException("Unknown status '%s' in condition '%s'" % (self.status, cond))
            elif cond.startswith("status!="):
                self.notstatus = cond[cond.index("=") + 1:]
                if self.notstatus not in self.STATES:
                    raise SigmaRuleFilterParseException("Unknown status '%s' in condition '%s'" % (self.notstatus, cond))
            elif cond.startswith("tlp="):
                self.tlp = cond[cond.index("=") + 1:].upper()  #tlp is always uppercase
            elif cond.startswith("target="):
                self.target = cond[cond.index("=") + 1:].lower() # lower to make caseinsensitive
            elif cond.startswith("logsource="):
                self.logsources.append(cond[cond.index("=") + 1:])
            elif cond.startswith("logsource!="):
                self.notlogsources.append(cond[cond.index("=") + 1:])
            elif cond.startswith("tag="):
                self.tags.append(cond[cond.index("=") + 1:].lower())
            elif cond.startswith("tag!="):
                self.nottags.append(cond[cond.index("=") + 1:].lower())
            elif cond.startswith("condition="):
                self.condition.append(cond[cond.index("=") + 1:].lower())
            elif cond.startswith("condition!="):
                self.notcondition.append(cond[cond.index("=") + 1:].lower())
            elif cond.startswith("inlastday="):
                nbday = cond[cond.index("=") + 1:]
                try:
                    self.inlastday = int(nbday)
                except ValueError as e:
                    raise SigmaRuleFilterParseException("Unknown number '%s' in condition '%s'" % (nbday, cond)) from e
            else:
                raise SigmaRuleFilterParseException("Unknown condition '%s'" % cond)

    def match(self, yamldoc):
        """Match filter conditions against rule"""
        # Levels
        if self.minlevel is not None or self.maxlevel is not None:
            try:
                level = self.LEVELS[yamldoc['level']]
            except KeyError:    # missing or invalid level
                return False    # User wants level restriction, but it's not possible here

            # Minimum level
            if self.minlevel is not None:
                if level < self.minlevel:
                    return False
            # Maximum level
            if self.maxlevel is not None:
                if level > self.maxlevel:
                    return False

        # Status
        if self.status is not None:
            try:
                status = yamldoc['status']
            except KeyError:    # missing status
                return False    # User wants status restriction, but it's not possible here
            if status != self.status:
                return False

        if self.notstatus is not None:
            try:
                status = yamldoc['status']
            except KeyError:    # missing status
                return False    # User wants status restriction, but it's not possible here
            if status == self.notstatus:
                return False


        # Tlp
        if self.tlp is not None:
            try:
                tlp = yamldoc['tlp']
            except KeyError:    # missing tlp
                tlp = "WHITE"    # tlp is WHITE by default
            if tlp != self.tlp:
                return False

        #Target
        if self.target:
            try:
                targets = [ target.lower() for target in yamldoc['target']]
            except (KeyError, AttributeError):    # no target set
                return False
            if self.target not in targets:
                return False

        # Log Sources
        if self.logsources:
            try:
                logsources = { value for key, value in yamldoc['logsource'].items() }
            except (KeyError, AttributeError):    # no log source set
                return False    # User wants status restriction, but it's not possible here

            for logsrc in self.logsources:
                if logsrc not in logsources:
                    return False

        # NOT Log Sources
        if self.notlogsources:
            try:
                notlogsources = { value for key, value in yamldoc['logsource'].items() }
            except (KeyError, AttributeError):    # no log source set
                return False    # User wants status restriction, but it's not possible here

            for logsrc in self.notlogsources:
                if logsrc  in notlogsources:
                    return False

        # Tags
        if self.tags:
            try:
                tags = [ tag.lower() for tag in yamldoc['tags']]
            except (KeyError, AttributeError):    # no tags set
                return False

            for tag in self.tags:
                if tag not in tags:
                    return False
        # NOT Tags
        if self.nottags:
            try:
                nottags = [ tag.lower() for tag in yamldoc['tags']]
            except (KeyError, AttributeError):    # no tags set
                return False

            for tag in self.nottags:
                if tag in nottags:
                    return False

        # date in the last N days
        if self.inlastday:
           try:
               date_str = yamldoc['date']
           except KeyError:    # missing date
               return False    # User wants date time restriction, but it's not possible here

           try:
               modified_str = yamldoc['modified']
           except KeyError:    # no update
               modified_str = None
           if modified_str:
               date_str = modified_str

           date_object = datetime.datetime.strptime(date_str, '%Y/%m/%d')
           today_objet = datetime.datetime.now()
           delta       = today_objet - date_object
           if delta.days > self.inlastday:
                return False

        if self.condition:
            try:
                conditions = yamldoc['detection']['condition']
                if isinstance(conditions,list):                         # sone time conditions are list even with only 1 line
                    s_condition = ' '.join(conditions)
                else:
                    s_condition = conditions
            except KeyError:    # missing condition
                return False    # User wants condition restriction, but it's not possible here
            for val in self.condition:
                if not val in s_condition:
                    return False

        if self.notcondition:
            try:
                conditions = yamldoc['detection']['condition']
                if isinstance(conditions,list):                         # sone time conditions are list even with only 1 line
                    s_condition = ' '.join(conditions)
                else:
                    s_condition = conditions
            except KeyError:    # missing condition
                return False    # User wants condition restriction, but it's not possible here
            for val in self.notcondition:
                if val in s_condition:
                    return False

        # all tests passed
        return True

class SigmaRuleFilterParseException(Exception):
    pass
Moved YAML parsing in SigmaParser class 2017-02-13 23:29:56 +01:00			`# Sigma parser`
Split config - code removal from filter 2018-07-27 22:35:30 +02:00			`# Copyright 2016-2018 Thomas Patzke, Florian Roth`
Re-licensing toolchain under LGPLv3 2017-12-07 21:55:43 +01:00
			`# This program is free software: you can redistribute it and/or modify`
			`# it under the terms of the GNU Lesser General Public License as published by`
			`# the Free Software Foundation, either version 3 of the License, or`
			`# (at your option) any later version.`

			`# This program is distributed in the hope that it will be useful,`
			`# but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`# GNU Lesser General Public License for more details.`

			`# You should have received a copy of the GNU Lesser General Public License`
			`# along with this program. If not, see <http://www.gnu.org/licenses/>.`
Moved YAML parsing in SigmaParser class 2017-02-13 23:29:56 +01:00
sigmac: Added rule filter 2017-11-02 00:02:15 +01:00			`# Rule Filtering`
$frack113$ add lastday filter to get only the rule update or create in the last N days 2021-05-21 19:31:06 +02:00			`import datetime`
sigmac: Added rule filter 2017-11-02 00:02:15 +01:00			`class SigmaRuleFilter:`
			`"""Filter for Sigma rules with conditions"""`
			`LEVELS = {`
			`"low" : 0,`
			`"medium" : 1,`
			`"high" : 2,`
			`"critical" : 3`
			`}`
$frack113$ Add deprecated status 2021-10-28 20:08:27 +02:00			`STATES = [`
			`"unsupported",`
			`"deprecated",`
			`"experimental",`
$frack113$ fix status 2021-10-14 07:19:41 +02:00			`"test",`
			`"stable"]`
sigmac: Added rule filter 2017-11-02 00:02:15 +01:00
			`def __init__(self, expr):`
$frack113$ Add filter condition= and condition!= 2021-06-10 08:26:19 +02:00			`self.minlevel = None`
			`self.maxlevel = None`
$frack113$ Add the 'logsource!=' filter 2021-05-22 09:04:30 +02:00			`self.status = None`
$frack113$ cleanup code 2021-10-28 20:56:19 +02:00			`self.notstatus = None`
$frack113$ Add tlp and target Attribute 2021-08-11 14:26:20 +02:00			`self.tlp = None`
			`self.target = None`
$frack113$ Add the 'logsource!=' filter 2021-05-22 09:04:30 +02:00			`self.logsources = list()`
			`self.notlogsources = list()`
			`self.tags = list()`
			`self.nottags = list()`
			`self.inlastday = None`
$frack113$ Add filter condition= and condition!= 2021-06-10 08:26:19 +02:00			`self.condition = list()`
			`self.notcondition = list()`
sigmac: Added rule filter 2017-11-02 00:02:15 +01:00
			`for cond in [c.replace(" ", "") for c in expr.split(",")]:`
			`if cond.startswith("level<="):`
			`try:`
			`level = cond[cond.index("=") + 1:]`
			`self.maxlevel = self.LEVELS[level]`
			`except KeyError as e:`
			`raise SigmaRuleFilterParseException("Unknown level '%s' in condition '%s'" % (level, cond)) from e`
			`elif cond.startswith("level>="):`
			`try:`
			`level = cond[cond.index("=") + 1:]`
			`self.minlevel = self.LEVELS[level]`
			`except KeyError as e:`
			`raise SigmaRuleFilterParseException("Unknown level '%s' in condition '%s'" % (level, cond)) from e`
			`elif cond.startswith("level="):`
			`try:`
			`level = cond[cond.index("=") + 1:]`
			`self.minlevel = self.LEVELS[level]`
			`self.maxlevel = self.minlevel`
			`except KeyError as e:`
			`raise SigmaRuleFilterParseException("Unknown level '%s' in condition '%s'" % (level, cond)) from e`
			`elif cond.startswith("status="):`
			`self.status = cond[cond.index("=") + 1:]`
			`if self.status not in self.STATES:`
			`raise SigmaRuleFilterParseException("Unknown status '%s' in condition '%s'" % (self.status, cond))`
$frack113$ add filter not status 2021-10-28 19:46:36 +02:00			`elif cond.startswith("status!="):`
			`self.notstatus = cond[cond.index("=") + 1:]`
			`if self.notstatus not in self.STATES:`
			`raise SigmaRuleFilterParseException("Unknown status '%s' in condition '%s'" % (self.notstatus, cond))`
$frack113$ Add tlp and target Attribute 2021-08-11 14:26:20 +02:00			`elif cond.startswith("tlp="):`
Spelling 2021-08-18 19:00:57 +00:00			`self.tlp = cond[cond.index("=") + 1:].upper() #tlp is always uppercase`
$frack113$ Add tlp and target Attribute 2021-08-11 14:26:20 +02:00			`elif cond.startswith("target="):`
			`self.target = cond[cond.index("=") + 1:].lower() # lower to make caseinsensitive`
sigmac: Added rule filter 2017-11-02 00:02:15 +01:00			`elif cond.startswith("logsource="):`
			`self.logsources.append(cond[cond.index("=") + 1:])`
$frack113$ Add the 'logsource!=' filter 2021-05-22 09:04:30 +02:00			`elif cond.startswith("logsource!="):`
			`self.notlogsources.append(cond[cond.index("=") + 1:])`
Added tag filtering to sigmac 2018-09-06 00:57:54 +02:00			`elif cond.startswith("tag="):`
			`self.tags.append(cond[cond.index("=") + 1:].lower())`
$frack113$ Add the 'tag!=' filter 2021-05-22 08:57:42 +02:00			`elif cond.startswith("tag!="):`
$frack113$ Add filter condition= and condition!= 2021-06-10 08:26:19 +02:00			`self.nottags.append(cond[cond.index("=") + 1:].lower())`
			`elif cond.startswith("condition="):`
			`self.condition.append(cond[cond.index("=") + 1:].lower())`
			`elif cond.startswith("condition!="):`
			`self.notcondition.append(cond[cond.index("=") + 1:].lower())`
$frack113$ change to the more revealing name "inlastday" 2021-05-22 08:44:30 +02:00			`elif cond.startswith("inlastday="):`
$frack113$ add lastday filter to get only the rule update or create in the last N days 2021-05-21 19:31:06 +02:00			`nbday = cond[cond.index("=") + 1:]`
$frack113$ Add filter condition= and condition!= 2021-06-10 08:26:19 +02:00			`try:`
$frack113$ change to the more revealing name "inlastday" 2021-05-22 08:44:30 +02:00			`self.inlastday = int(nbday)`
$frack113$ add lastday filter to get only the rule update or create in the last N days 2021-05-21 19:31:06 +02:00			`except ValueError as e:`
			`raise SigmaRuleFilterParseException("Unknown number '%s' in condition '%s'" % (nbday, cond)) from e`
sigmac: Added rule filter 2017-11-02 00:02:15 +01:00			`else:`
			`raise SigmaRuleFilterParseException("Unknown condition '%s'" % cond)`

			`def match(self, yamldoc):`
			`"""Match filter conditions against rule"""`
			`# Levels`
			`if self.minlevel is not None or self.maxlevel is not None:`
			`try:`
			`level = self.LEVELS[yamldoc['level']]`
			`except KeyError: # missing or invalid level`
			`return False # User wants level restriction, but it's not possible here`

			`# Minimum level`
			`if self.minlevel is not None:`
			`if level < self.minlevel:`
			`return False`
			`# Maximum level`
			`if self.maxlevel is not None:`
			`if level > self.maxlevel:`
			`return False`

			`# Status`
			`if self.status is not None:`
			`try:`
			`status = yamldoc['status']`
			`except KeyError: # missing status`
			`return False # User wants status restriction, but it's not possible here`
			`if status != self.status:`
			`return False`
$frack113$ cleanup code 2021-10-28 20:56:19 +02:00
$frack113$ add filter not status 2021-10-28 19:46:36 +02:00			`if self.notstatus is not None:`
			`try:`
			`status = yamldoc['status']`
			`except KeyError: # missing status`
			`return False # User wants status restriction, but it's not possible here`
			`if status == self.notstatus:`
			`return False`

sigmac: Added rule filter 2017-11-02 00:02:15 +01:00
$frack113$ Add tlp and target Attribute 2021-08-11 14:26:20 +02:00			`# Tlp`
			`if self.tlp is not None:`
			`try:`
			`tlp = yamldoc['tlp']`
			`except KeyError: # missing tlp`
			`tlp = "WHITE" # tlp is WHITE by default`
			`if tlp != self.tlp:`
			`return False`

			`#Target`
			`if self.target:`
			`try:`
			`targets = [ target.lower() for target in yamldoc['target']]`
			`except (KeyError, AttributeError): # no target set`
			`return False`
			`if self.target not in targets:`
			`return False`

sigmac: Added rule filter 2017-11-02 00:02:15 +01:00			`# Log Sources`
Added tag filtering to sigmac 2018-09-06 00:57:54 +02:00			`if self.logsources:`
sigmac: Added rule filter 2017-11-02 00:02:15 +01:00			`try:`
			`logsources = { value for key, value in yamldoc['logsource'].items() }`
			`except (KeyError, AttributeError): # no log source set`
			`return False # User wants status restriction, but it's not possible here`
$frack113$ forget a print debug 2021-06-10 08:49:15 +02:00
sigmac: Added rule filter 2017-11-02 00:02:15 +01:00			`for logsrc in self.logsources:`
			`if logsrc not in logsources:`
			`return False`

$frack113$ Add the 'logsource!=' filter 2021-05-22 09:04:30 +02:00			`# NOT Log Sources`
			`if self.notlogsources:`
			`try:`
			`notlogsources = { value for key, value in yamldoc['logsource'].items() }`
			`except (KeyError, AttributeError): # no log source set`
			`return False # User wants status restriction, but it's not possible here`

			`for logsrc in self.notlogsources:`
			`if logsrc in notlogsources:`
			`return False`

Added tag filtering to sigmac 2018-09-06 00:57:54 +02:00			`# Tags`
			`if self.tags:`
			`try:`
			`tags = [ tag.lower() for tag in yamldoc['tags']]`
			`except (KeyError, AttributeError): # no tags set`
			`return False`

			`for tag in self.tags:`
			`if tag not in tags:`
			`return False`
$frack113$ Add the 'logsource!=' filter 2021-05-22 09:04:30 +02:00			`# NOT Tags`
$frack113$ Add the 'tag!=' filter 2021-05-22 08:57:42 +02:00			`if self.nottags:`
			`try:`
			`nottags = [ tag.lower() for tag in yamldoc['tags']]`
			`except (KeyError, AttributeError): # no tags set`
			`return False`

			`for tag in self.nottags:`
			`if tag in nottags:`
			`return False`
$frack113$ Add filter condition= and condition!= 2021-06-10 08:26:19 +02:00
$frack113$ add lastday filter to get only the rule update or create in the last N days 2021-05-21 19:31:06 +02:00			`# date in the last N days`
$frack113$ change to the more revealing name "inlastday" 2021-05-22 08:44:30 +02:00			`if self.inlastday:`
$frack113$ add lastday filter to get only the rule update or create in the last N days 2021-05-21 19:31:06 +02:00			`try:`
			`date_str = yamldoc['date']`
$frack113$ Add filter condition= and condition!= 2021-06-10 08:26:19 +02:00			`except KeyError: # missing date`
$frack113$ add lastday filter to get only the rule update or create in the last N days 2021-05-21 19:31:06 +02:00			`return False # User wants date time restriction, but it's not possible here`
$frack113$ Add filter condition= and condition!= 2021-06-10 08:26:19 +02:00
$frack113$ add lastday filter to get only the rule update or create in the last N days 2021-05-21 19:31:06 +02:00			`try:`
			`modified_str = yamldoc['modified']`
$frack113$ Add filter condition= and condition!= 2021-06-10 08:26:19 +02:00			`except KeyError: # no update`
			`modified_str = None`
$frack113$ add lastday filter to get only the rule update or create in the last N days 2021-05-21 19:31:06 +02:00			`if modified_str:`
			`date_str = modified_str`
$frack113$ Add filter condition= and condition!= 2021-06-10 08:26:19 +02:00
$frack113$ add lastday filter to get only the rule update or create in the last N days 2021-05-21 19:31:06 +02:00			`date_object = datetime.datetime.strptime(date_str, '%Y/%m/%d')`
			`today_objet = datetime.datetime.now()`
			`delta = today_objet - date_object`
$frack113$ change to the more revealing name "inlastday" 2021-05-22 08:44:30 +02:00			`if delta.days > self.inlastday:`
$frack113$ add lastday filter to get only the rule update or create in the last N days 2021-05-21 19:31:06 +02:00			`return False`
$frack113$ Add filter condition= and condition!= 2021-06-10 08:26:19 +02:00
			`if self.condition:`
			`try:`
			`conditions = yamldoc['detection']['condition']`
			`if isinstance(conditions,list): # sone time conditions are list even with only 1 line`
			`s_condition = ' '.join(conditions)`
			`else:`
			`s_condition = conditions`
			`except KeyError: # missing condition`
			`return False # User wants condition restriction, but it's not possible here`
			`for val in self.condition:`
			`if not val in s_condition:`
			`return False`

			`if self.notcondition:`
			`try:`
			`conditions = yamldoc['detection']['condition']`
			`if isinstance(conditions,list): # sone time conditions are list even with only 1 line`
			`s_condition = ' '.join(conditions)`
			`else:`
			`s_condition = conditions`
			`except KeyError: # missing condition`
			`return False # User wants condition restriction, but it's not possible here`
			`for val in self.notcondition:`
			`if val in s_condition:`
			`return False`

sigmac: Added rule filter 2017-11-02 00:02:15 +01:00			`# all tests passed`
			`return True`

			`class SigmaRuleFilterParseException(Exception):`
			`pass`