Merge branch 'master' into rule-devel

Florian Roth
2021-10-05 17:33:48 +02:00
30 changed files with 468 additions and 25 deletions
+160
@@ -0,0 +1,160 @@
# GNU Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
"""
Project: sigmacover.py
Date: 26/09/2021
Author: frack113
Version: 1.1
Description:
get cover of the rules vs backend
Requirements:
python 3.7 min
$ pip install ruyaml
Todo:
- clean code and bug
- better use of subprocess.run
- have idea
"""
import re
import subprocess
import pathlib
import ruyaml
import json
import copy
import platform
import argparse
def get_sigmac(name,conf):
infos = []
if conf == None:
options = ["python","../tools/sigmac","-t",name,"--debug","-rI","-o","dump.txt","../rules"]
else:
options = ["python","../tools/sigmac","-t",name,"-c",conf,"--debug","-rI","-o","dump.txt","../rules"]
if platform.system() == "Windows":
si = subprocess.STARTUPINFO()
si.dwFlags |= subprocess.STARTF_USESHOWWINDOW
ret = subprocess.run(options,
stdout=subprocess.PIPE,
stderr=subprocess.STDOUT,
startupinfo=si
)
my_regex = "Convertion Sigma input \S+\\\\(\w+\.yml) (\w+)"
else:
ret = subprocess.run(options,
stdout=subprocess.PIPE,
stderr=subprocess.STDOUT,
)
my_regex = "Convertion Sigma input \S+/(\w+\.yml) (\w+)"
if not ret.returncode == 0:
print (f"error {ret.returncode} in sigmac")
log = pathlib.Path("sigmac.log")
with log.open() as f:
lines = f.readlines()
for line in lines:
if "Convertion Sigma input" in line:
info = re.findall(my_regex,line)[0]
infos.append(info)
log.unlink()
dump = pathlib.Path("dump.txt")
if dump.exists():
dump.unlink()
return infos
def update_dict(my_dict,my_data,backend):
for file,state in my_data:
my_dict[file][backend] = state
#the backend dict command line options
backend_dict = {
"ala": None,
"ala-rule": None,
"arcsight": "../tools/config/elk-winlogbeat.yml",
"arcsight-esm": "../tools/config/elk-winlogbeat.yml",
"carbonblack": "../tools/config/elk-winlogbeat.yml",
"chronicle": "../tools/config/elk-winlogbeat.yml",
"crowdstrike": "../tools/config/elk-winlogbeat.yml",
"csharp" : None,
"devo": "../tools/config/elk-winlogbeat.yml",
"ee-outliers": "../tools/config/winlogbeat-modules-enabled.yml",
"elastalert": "../tools/config/winlogbeat-modules-enabled.yml",
"elastalert-dsl": "../tools/config/winlogbeat-modules-enabled.yml",
"es-dsl": "../tools/config/winlogbeat-modules-enabled.yml",
"es-eql": "../tools/config/winlogbeat-modules-enabled.yml",
"es-qs": "../tools/config/winlogbeat-modules-enabled.yml",
"es-qs-lr": "../tools/config/logrhythm_winevent.yml",
"es-rule": "../tools/config/winlogbeat-modules-enabled.yml",
"es-rule-eql": "../tools/config/winlogbeat-modules-enabled.yml",
"fireeye-helix": "../tools/config/elk-winlogbeat.yml",
"graylog" : None,
"grep" : None,
"humio": "../tools/config/elk-winlogbeat.yml",
"kibana": "../tools/config/winlogbeat-modules-enabled.yml",
"kibana-ndjson": "../tools/config/winlogbeat-modules-enabled.yml",
"lacework" : None,
"limacharlie" : None,
"logiq" : None,
"logpoint" : None,
"mdatp" : None,
"netwitness" : None,
"netwitness-epl" : None,
"opensearch-monitor": "../tools/config/winlogbeat.yml",
"powershell" : None,
"qradar" : None,
"qualys" : None,
"sentinel-rule" : None,
"splunk": "../tools/config/splunk-windows.yml",
"splunkdm": "../tools/config/splunk-windows.yml",
"splunkxml": "../tools/config/splunk-windows.yml",
"sql": "../tools/config/elk-winlogbeat.yml",
"sqlite": "../tools/config/elk-winlogbeat.yml",
"stix": "../tools/config/stix2.0.yml",
"sumologic" : None,
"sumologic-cse" : None,
"sumologic-cse-rule" : None,
"sysmon": "../tools/config/elk-windows.yml",
"uberagent" : None,
"xpack-watcher": "../tools/config/winlogbeat-modules-enabled.yml",
}
print("""
███ ███ ████ █▄┼▄█ ███ ┼┼ ███ ███ █▄█ ███ ███
█▄▄ ┼█┼ █┼▄▄ █┼█┼█ █▄█ ┼┼ █┼┼ █┼█ ███ █▄┼ █▄┼
▄▄█ ▄█▄ █▄▄█ █┼┼┼█ █┼█ ┼┼ ███ █▄█ ┼█┼ █▄▄ █┼█
v1.1 bugfix
please wait during the tests
""")
argparser = argparse.ArgumentParser(description="Check Sigma rules with all backend.")
argparser.add_argument("--target", "-t", choices=["yaml","json"], help="Output target format")
cmdargs = argparser.parse_args()
if cmdargs.target == None:
print("No outpout use -h to see help")
exit()
#init dict of all rules
default_key_test = {key : "NO TEST" for key in backend_dict.keys()}
the_dico ={}
rules = pathlib.Path("../rules").glob("**/*.yml")
for rule in rules:
the_dico[rule.name] = copy.deepcopy(default_key_test)
#Check all the backend
for name,opt in backend_dict.items():
print (f"check backend : {name}")
result = get_sigmac(name,opt)
update_dict(the_dico,result,name)
#Save
if cmdargs.target.lower() == "yaml":
cover = pathlib.Path("sigmacover.yml")
with cover.open("w") as file:
ruyaml.dump(the_dico, file, Dumper=ruyaml.RoundTripDumper)
else:
cover = pathlib.Path("sigmacover.json")
with cover.open("w") as file:
json_dumps_str = json.dumps(the_dico, indent=4)
file.write(json_dumps_str)
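Review bot: In `get_sigmac` both regex literals are ordinary strings containing `\S`, `\w` and `\.`, which are invalid escape sequences outside a raw string (a DeprecationWarning today, a SyntaxWarning from Python 3.12), and `re.findall(my_regex,line)[0]` raises IndexError for any "Convertion Sigma input" line whose file name does not fit `\w+\.yml` (a hyphen in a rule file name would be enough, if any exist). Make the patterns raw, `my_regex = r"Convertion Sigma input \S+/(\w+\.yml) (\w+)"` (the Windows variant then needs `\\` for its single literal backslash), and guard the match: `matches = re.findall(my_regex, line)` / `if matches: infos.append(matches[0])`. A non-zero `ret.returncode` is only printed and the code then opens `sigmac.log` unconditionally; if sigmac exited before creating it, `log.open()` raises FileNotFoundError, so check `log.exists()` or return early on failure. `conf == None` should be `conf is None`, and `exit()` in the main script should be `sys.exit()`.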
@@ -0,0 +1,21 @@
title: AWS Attached Malicious Lambda Layer
id: 97fbabf8-8e1b-47a2-b7d5-a418d2b95e3d
description: Detects when an user attached a Lambda layer to an existing function to override a library that is in use by the function, where their malicious code could utilize the function's IAM role for AWS API calls. This would give an adversary access to the privileges associated with the Lambda service role that is attached to that function.
author: Austin Songer
status: experimental
date: 2021/09/23
references:
- https://docs.aws.amazon.com/lambda/latest/dg/API_UpdateFunctionConfiguration.html
logsource:
service: cloudtrail
detection:
selection:
eventSource: lambda.amazonaws.com
eventName: UpdateFunctionConfiguration
condition: selection
level: medium
tags:
- attack.privilege_escalation
falsepositives:
- Lambda Layer being attached may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Lambda Layer being attached from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
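Review bot: The selection matches every `UpdateFunctionConfiguration` call, while the title and description speak only of attaching a Lambda layer; memory, timeout, runtime and environment-variable changes go through the same API and will fire this rule as well. Either narrow the selection on the request parameter that carries the layer list (the referenced API page documents a `Layers` parameter; confirm the exact field name as it appears under CloudTrail `requestParameters` in your pipeline) or reword to `description: Detects any configuration update of an existing Lambda function, which an adversary can use to attach a layer that overrides a library the function depends on`. With the selection as written, the falsepositives should also mention routine deployments by CI/CD tooling.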
@@ -0,0 +1,25 @@
title: User Added to an Administrator's Azure AD Role
id: ebbeb024-5b1d-4e16-9c0c-917f86c708a7
description: User Added to an Administrator's Azure AD Role
author: Raphaël CALVET, @MetallicHack
date: 2021/10/04
references:
- https://attack.mitre.org/techniques/T1098/003/
- https://m365internals.com/2021/07/13/what-ive-learned-from-doing-a-year-of-cloud-forensics-in-azure-ad/
logsource:
service: azure.activitylogs
detection:
selection:
Operation: 'Add member to role.'
Workload: 'AzureActiveDirectory'
ModifiedProperties{}.NewValue|endswith:
- 'Admins'
- 'Administrator'
condition: selection
falsepositives:
- PIM (Privileged Identity Management) generates this event each time 'eligible role' is enabled.
level: medium
status: experimental
tags:
- attack.persistence
- attack.t1098.003
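Review bot: The `description` only repeats the title; it should state what is matched, e.g. `description: Detects an 'Add member to role.' audit event in which the role name ends with 'Admins' or 'Administrator', i.e. a user being added to an administrative Azure AD role`. The field names `Workload` and `ModifiedProperties{}.NewValue` follow the Office 365 Unified Audit Log schema, whereas `service: azure.activitylogs` points at the Azure Activity Log; confirm that the intended log source and the backend field mappings agree, or adjust the logsource accordingly.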
@@ -0,0 +1,31 @@
title: Clipboard Collection with Xclip Tool
id: 214e7e6c-f21b-47ff-bb6f-551b2d143fcf
description: Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.
author: 'Pawel Mazur'
status: experimental
date: 2021/09/24
references:
- https://attack.mitre.org/techniques/T1115/
- https://linux.die.net/man/1/xclip
- https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/
logsource:
product: linux
service: auditd
detection:
xclip:
type: EXECVE
a0: xclip
a1:
- '-selection'
- '-sel'
a2:
- clipboard
- clip
a3: '-o'
condition: xclip
tags:
- attack.collection
- attack.t1115
falsepositives:
- Legitimate usage of xclip tools
level: low
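Review bot: The selection pins each token to a fixed position (`a0`..`a3`), so the rule fires only when the arguments appear in exactly this order; the image-data xclip rule in the next section (`a0`..`a5`) has the same property. Since the title promises clipboard collection with xclip in general, state the assumption, e.g. append `Only the argument order shown in the selection is covered.` to the description, or match on the presence of the option tokens independent of position if the auditd field mapping in use allows it. The sentence "Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations" reads awkwardly in both rules; `Use on servers is recommended, since clipboard utilities are common on user workstations.` is clearer.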
@@ -0,0 +1,32 @@
title: Clipboard Collection of Image Data with Xclip Tool
id: f200dc3f-b219-425d-a17e-c38467364816
description: Detects attempts to collect image data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.
author: 'Pawel Mazur'
status: experimental
date: 2021/10/01
references:
- https://attack.mitre.org/techniques/T1115/
- https://linux.die.net/man/1/xclip
logsource:
product: linux
service: auditd
detection:
xclip:
type: EXECVE
a0: xclip
a1:
- '-selection'
- '-sel'
a2:
- clipboard
- clip
a3: '-t'
a4|startswith: 'image/'
a5: '-o'
condition: xclip
tags:
- attack.collection
- attack.t1115
falsepositives:
- Legitimate usage of xclip tools
level: low
@@ -0,0 +1,27 @@
title: Suspicious MacOS Firmware Activity
id: 7ed2c9f7-c59d-4c82-a7e2-f859aa676099
status: experimental
description: Detects when a user manipulates with Firmward Password on MacOS. NOTE - this command has been disabled on silicon-based apple computers.
author: Austin Songer @austinsonger
date: 2021/09/30
references:
- https://github.com/usnistgov/macos_security/blob/932a51f3e819dd3e02ebfcf3ef433cfffafbe28b/rules/os/os_firmware_password_require.yaml
- https://www.manpagez.com/man/8/firmwarepasswd/
- https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web
logsource:
category: process_creation
product: macos
detection:
selection1:
Image: '/usr/sbin/firmwarepasswd'
CommandLine|contains:
- 'setpasswd'
- 'full'
- 'delete'
- 'check'
condition: selection1
falsepositives:
- Legitimate administration activities
level: medium
tags:
- attack.impact
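Review bot: `description` has a typo and a grammar slip: `Firmward Password` should be `Firmware Password`, and "manipulates with" should be "manipulates" or "changes". The `'check'` value under `CommandLine|contains` matches a read-only query of whether a firmware password is set, which is not a manipulation; either drop it or say in the description that status checks are reported too. `tags` carries only the tactic `attack.impact`; Sigma rules normally pair the tactic with its technique id, so add the corresponding `attack.t<id>` entry once chosen.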
@@ -0,0 +1,30 @@
title: Correct Execution of Nltest.exe
id: eeb66bbb-3dde-4582-815a-584aee9fe6d1
status: experimental
author: Arun Chauhan
date: 2021/10/04
description: The attacker might use LOLBAS nltest.exe for discovery of domain controllers, domain trusts, parent domain and the current user permissions.
references:
- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm
- https://attack.mitre.org/software/S0359/
tags:
- attack.discovery
- attack.t1482 # enumerate trusted domains by using commands such as nltest /domain_trusts
- attack.t1018 # enumerate remote domain controllers using options such as /dclist and /dsgetdc
- attack.t1016 # enumerate the parent domain of a local machine using /parentdomain
logsource:
product: windows
service: security
detection:
selection:
EventID: 4689
ProcessName|endswith: nltest.exe
Status: "0x0"
condition: selection
fields:
- "SubjectUserName"
- "SubjectDomainName"
falsepositives:
- Red team activity
- rare legitimate use by an administrator
level: high
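Review bot: EventID 4689 is the process-termination event and carries no command line, so the selection matches every nltest.exe run that exits with `Status: "0x0"`, including an administrator's routine use, and at `level: high` that will alert on benign activity. Either lower the level (the process_creation-based nltest rules edited elsewhere in this commit already cover the `/dclist`, `/domain_trusts` and `/trusted_domains` options) or describe the rule as a low-fidelity "nltest.exe was executed" indicator. `ProcessName|endswith: nltest.exe` should include the path separator, `ProcessName|endswith: '\nltest.exe'`, so that a file name merely ending in those letters does not match. The `description` says what "the attacker might" do rather than what is detected; Sigma descriptions conventionally start with "Detects ...".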
@@ -13,7 +13,6 @@ tags:
logsource:
product: windows
service: security
definition:
detection:
selection:
EventID: 4648
@@ -62,7 +62,7 @@ detection:
filter2:
ProcessName|startswith:
- 'C:\Program Files' # too many false positives with legitimate AV and EDR solutions
condition: selection_1 or selection_2 and not filter1 and not filter2
condition: ( selection_1 or selection_2 ) and not filter1 and not filter2
fields:
- ComputerName
- SubjectDomainName
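Review bot: The condition rewrite to `( selection_1 or selection_2 ) and not filter1 and not filter2` changes which events match (before, `filter1`/`filter2` excluded only `selection_2` hits because `and` binds tighter than `or`), so the rule's `modified:` date should be bumped; it sits in the header outside both hunks, so I cannot see whether that happened. The same question applies to the other rule edits in this commit whose headers are not shown: the `definition:` removal and falsepositive change in the 4674 rule, the tag additions on the email-collection rule, the `/trusted_domains` additions to the two nltest rules, the MpCmdRun tag change and the `\mhsta.exe` → `\mshta.exe` fix. Removing the empty `definition:` key is presumably what the new logsource type check in the test suite now requires, since a bare key yields a `None` value.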
+23
@@ -0,0 +1,23 @@
title: Prefetch File Deletion
id: 0a1f9d29-6465-4776-b091-7f43b26e4c89
status: experimental
description: Detects the deletion of a prefetch file (AntiForensic)
level: high
author: Cedric MAURUGEON
date: 2021/09/29
tags:
- attack.defense_evasion
- attack.t1070.004
logsource:
product: windows
category: file_delete
detection:
selection:
TargetFilename|startswith: 'C:\Windows\Prefetch\'
TargetFilename|endswith: '.pf'
exception:
Image: 'C:\windows\system32\svchost.exe'
User: 'NT AUTHORITY\SYSTEM'
condition: selection and not exception
falsepositives:
- Unknown
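Review bot: The `exception` filter keys on `User: 'NT AUTHORITY\SYSTEM'`, a locale-dependent display name; on non-English Windows the SYSTEM account is rendered differently, so routine prefetch housekeeping by svchost will not be filtered there and the rule fires at `level: high` with `falsepositives: Unknown`. Consider filtering on `Image` alone, or document the English-locale assumption in the description. `TargetFilename|startswith: 'C:\Windows\Prefetch\'` likewise assumes the system drive is C:; `TargetFilename|contains: '\Windows\Prefetch\'` is drive-independent. A `references` list is also missing; at minimum link the Sysmon file-delete event documentation the rule depends on.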
@@ -15,7 +15,6 @@ tags:
logsource:
product: windows
service: security
definition:
detection:
selection:
EventID: 4674
@@ -68,5 +68,5 @@ detection:
- 'secur32'
condition: selection
falsepositives:
- Unknown
- Carbon PowerShell Module (https://github.com/webmd-health-services/Carbon)
level: high
@@ -3,7 +3,7 @@ id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
status: experimental
author: frack113
date: 2021/07/20
modified: 2021/09/07
modified: 2021/09/30
description: Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md
@@ -13,16 +13,23 @@ tags:
logsource:
product: windows
service: powershell
definition: Module Logging must be enabled
definition: 4103 Module Logging must be enabled , 4104 Script Block Logging must be enable
detection:
selection:
selection_4103:
EventID: 4103
ContextInfo|contains|all:
- 'Compress-Archive '
- ' -Path '
- ' -DestinationPath '
- '$env:TEMP\'
condition: selection
selection_4104:
EventID: 4104
ScriptBlockText|contains|all:
- 'Compress-Archive '
- ' -Path '
- ' -DestinationPath '
- '$env:TEMP\'
condition: selection_4103 or selection_4104
falsepositives:
- Unknown
level: medium
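Review bot: The new `definition` reads `4103 Module Logging must be enabled , 4104 Script Block Logging must be enable`; fix the grammar and spacing, e.g. `definition: 'Module Logging (EventID 4103) and Script Block Logging (EventID 4104) must be enabled'`. The split into `selection_4103` and `selection_4104` with `condition: selection_4103 or selection_4104` is otherwise clear and the `modified:` bump is present.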
@@ -0,0 +1,36 @@
title: LOLBAS Data Exfiltration by DataSvcUtil.exe
id: e290b10b-1023-4452-a4a9-eb31a9013b3a
status: experimental
author: Ialle Teixeira @teixeira0xfffff, Austin Songer @austinsonger
date: 2021/09/30
description: Detects when a user performs data exfiltration by using DataSvcUtil.exe
references:
- https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6
- https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe
- https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services
- https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services
tags:
- attack.exfiltration
- attack.t1567
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- '/in:'
- '/out:'
Image|endswith:
- '\DataSvcUtil.exe'
condition: selection
fields:
- ComputerName
- User
- CommandLine
- ParentCommandLine
falsepositives:
- DataSvcUtil.exe being used may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- DataSvcUtil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
- Penetration Testing
level: medium
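Review bot: The description claims the rule "Detects when a user performs data exfiltration", but the selection only establishes that `DataSvcUtil.exe` ran with both `/in:` and `/out:` on the command line; reword to `description: Detects DataSvcUtil.exe being invoked with /in: and /out: parameters, a LOLBAS pattern that may indicate data exfiltration`. The second falsepositives bullet ("Verify whether the user identity ...") is triage guidance rather than a false-positive source; fold it into the first bullet so the list names only legitimate causes.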
@@ -25,5 +25,7 @@ fields:
- CommandLine
- ParentCommandLine
tags:
- attack.collection
- attack.t1114
- attack.persistence
- attack.t1505.003
- attack.resource_development
- attack.t1584.006
@@ -30,6 +30,7 @@ detection:
- '/dclist:'
- '/parentdomain'
- '/domain_trusts'
- '/trusted_domains'
- '/user'
condition: selection_nltest and (selection_recon1 or selection_recon2)
falsepositives:
@@ -9,7 +9,7 @@ references:
- https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/
tags:
- attack.defense_evasion
- attack.t1218.010
- attack.t1218
- attack.command_and_control
- attack.t1105
logsource:
@@ -16,7 +16,7 @@ logsource:
detection:
# Binary Selector
selection_base:
Image|endswith: '\mhsta.exe'
Image|endswith: '\mshta.exe'
# Suspicious parents
selection1:
ParentImage|endswith:
@@ -4,7 +4,7 @@ status: experimental
author: Kirill Kiryanov, oscd.community
description: Detect possible Sysmon driver unload
date: 2019/10/23
modified: 2020/08/29
modified: 2021/09/27
references:
- https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon
logsource:
@@ -13,6 +13,8 @@ logsource:
tags:
- attack.defense_evasion
- attack.t1070
- attack.t1562
- attack.t1562.002
detection:
selection:
Image|endswith: '\fltmc.exe'
@@ -13,6 +13,7 @@ references:
- https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html
- https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
- https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
- https://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/
tags:
- attack.discovery
- attack.t1482
@@ -25,6 +26,7 @@ detection:
CommandLine|contains:
- 'domain_trusts'
- 'all_trusts'
- '/trusted_domains'
- '/dclist'
selection_dsquery_v1:
Image|endswith: '\dsquery.exe'
+3
@@ -613,6 +613,9 @@ class TestRules(unittest.TestCase):
if key.lower() not in valid_logsource:
print(Fore.RED + "Rule {} has a logsource with an invalid field ({})".format(file, key))
valid = False
elif not isinstance(logsource[key],str):
print(Fore.RED + "Rule {} has a logsource with an invalid field type ({})".format(file, key))
valid = False
if not valid:
faulty_rules.append(file)
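Review bot: The new type check reports only the offending key, not what was found; `"Rule {} has a logsource with an invalid field type ({}: {})".format(file, key, type(logsource[key]).__name__)` would tell the rule author whether the value was `NoneType` (an empty `definition:` line, as removed elsewhere in this commit) or a list. Add a space after the comma in `isinstance(logsource[key],str)` to match the surrounding style. The enclosing test method begins and ends outside the hunk.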
+18
@@ -0,0 +1,18 @@
title: Microsoft 365 Defender Elasticsearch ecs mapping
order: 20
backends:
- es-qs
- es-rule
fieldmappings:
classification: microsoft.m365_defender.alerts.classification
determination: microsoft.m365_defender.alerts.determination
severity: microsoft.m365_defender.alerts.severity
status: microsoft.m365_defender.alerts.status
detectionSource: microsoft.m365_defender.alerts.detectionSource
threatFamilyName: microsoft.m365_defender.alerts.threatFamilyName
entityType: microsoft.m365_defender.alerts.entities.entityType
registryHive: microsoft.m365_defender.alerts.entities.registryHive
registryKey: microsoft.m365_defender.alerts.entities.registryKey
registryValueType: microsoft.m365_defender.alerts.entities.registryValueType
ipAddress: microsoft.m365_defender.alerts.entities.ipAddress
+3 -1
@@ -143,7 +143,9 @@ logsources:
category: file_delete
product: windows
conditions:
EventID: 23
EventID:
- 23
- 26
rewrite:
product: windows
service: sysmon
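Review bot: Adding `26` to the `file_delete` condition widens the category to Sysmon's FileDeleteDetected event (deletion logged, file not archived) alongside `23` (FileDelete, archived copy kept); a short comment would save the next reader a lookup, e.g. `# 23 = FileDelete (archived), 26 = FileDeleteDetected (not archived)` beside the list. Every rule in this category, including the new Prefetch deletion rule in this commit, now matches on both events, which is presumably the intent.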
+2 -6
@@ -468,12 +468,8 @@ fieldmappings:
TargetOutboundUserName: winlog.event_data.TargetOutboundUserName
TargetServerName: winlog.event_data.TargetServerName
TargetSid: winlog.event_data.TargetSid
TargetUserName:
service=security: user.name
default: winlog.event_data.TargetUserName
TargetUserSid:
service=security: user.id
default: winlog.event_data.TargetUserSid
TargetUserName: winlog.event_data.TargetUserName
TargetUserSid: winlog.event_data.TargetUserSid
TaskContent: winlog.event_data.TaskContent
TaskName: winlog.event_data.TaskName
TicketEncryptionType: winlog.event_data.TicketEncryptionType
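Review bot: Dropping the `service=security` conditional mapping means rules that reference `TargetUserName`/`TargetUserSid` against the security channel now query `winlog.event_data.TargetUserName`/`winlog.event_data.TargetUserSid` instead of the ECS `user.name`/`user.id` fields, so every Elastic query generated from such rules changes. If the motivation is that the Winlogbeat security module does not populate `user.name` from TargetUserName consistently across event IDs, record that in a comment above the two lines; nothing in the diff says why the ECS mapping was abandoned.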
+1 -1
@@ -554,7 +554,7 @@ class LaceworkPolicy:
self.description = safe_get(rule, 'description', str)
# 14. Get Remediation
self.remediation = ""
self.remediation = 'Remediation steps are not represented in Sigma rule specification'
def __iter__(self):
for key, attr in {
+1 -1
@@ -217,7 +217,7 @@ class SysmonConfigBackend(SingleTextQueryBackend, MultiRuleOutputMixin):
raise NotSupportedError(
"Not supported logsource. Should be product `windows`.")
for item in self.logsource.values():
if item.lower() in self.allowedSource.keys():
if str(item).lower() in self.allowedSource.keys():
self.table = self.allowedSource.get(item.lower())
break
else:
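Review bot: `str(item).lower()` makes the membership test tolerate a non-string logsource value, but the very next line still calls `item.lower()` and will raise AttributeError for exactly that input; use the same conversion in both places and drop the redundant `.keys()`: `if str(item).lower() in self.allowedSource:` / `self.table = self.allowedSource.get(str(item).lower())`. Binding it once, `key = str(item).lower()`, before the `if` avoids repeating the expression. The enclosing method begins and ends outside the hunk.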
+30 -3
@@ -98,12 +98,16 @@ def set_argparser():
argparser.add_argument("--recurse", "-r", action="store_true", help="Use directory as input (recurse into subdirectories is not implemented yet)")
argparser.add_argument("--filter", "-f", help="""
Define comma-separated filters that must match (AND-linked) to rule to be processed.
Valid filters: level<=x, level>=x, level=x, status=y, logsource=z, tag=t.
Valid filters: level<=x, level>=x, level=x, status=y, logsource=z, tag=t, target=o.
x is one of: low, medium, high, critical.
y is one of: experimental, testing, stable.
z is a word appearing in an arbitrary log source attribute.
t is a tag that must appear in the rules tag list, case-insensitive matching.
o is a target that must appear in the rules target list, case-insensitive matching.
Multiple log source specifications are AND linked.
Special filter:
inlastday=X rule create or modified in the last X days period
tlp=valid_tlp if rule have no tlp set to WHITE
""")
argparser.add_argument("--target", "-t", choices=backends.getBackendDict().keys(), help="Output target format")
argparser.add_argument("--lists", "-l", action="store_true", help="List available output target formats and configurations")
@@ -151,6 +155,7 @@ def main():
logger = logging.getLogger(__name__)
if cmdargs.debug: # pragma: no cover
logging.basicConfig(filename='sigmac.log', filemode='w', level=logging.DEBUG)
logger.setLevel(logging.DEBUG)
if cmdargs.lists:
@@ -175,6 +180,8 @@ def main():
argparser.print_usage()
sys.exit(ERR_NO_TARGET)
logger.debug("* Target selected %s" % (cmdargs.target))
rulefilter = None
if cmdargs.filter:
try:
@@ -265,6 +272,7 @@ def main():
output_array = []
for sigmafile in get_inputs(cmdargs.inputs, cmdargs.recurse):
logger.debug("* Processing Sigma input %s" % (sigmafile))
success = True
try:
if cmdargs.inputs == ['-']:
f = sigmafile
@@ -325,43 +333,59 @@ def main():
except OSError as e:
print("Failed to open Sigma file %s: %s" % (sigmafile, str(e)), file=sys.stderr)
logger.debug("* Convertion Sigma input %s FAILURE" % (sigmafile))
success = False
error = ERR_OPEN_SIGMA_RULE
except (yaml.parser.ParserError, yaml.scanner.ScannerError) as e:
print("Error: Sigma file %s is no valid YAML: %s" % (sigmafile, str(e)), file=sys.stderr)
logger.debug("* Convertion Sigma input %s FAILURE" % (sigmafile))
success = False
error = ERR_INVALID_YAML
if not cmdargs.defer_abort:
sys.exit(error)
except (SigmaParseError, SigmaCollectionParseError) as e:
print("Error: Sigma parse error in %s: %s" % (sigmafile, str(e)), file=sys.stderr)
logger.debug("* Convertion Sigma input %s FAILURE" % (sigmafile))
success = False
error = ERR_SIGMA_PARSING
if not cmdargs.defer_abort:
sys.exit(error)
except NotSupportedError as e:
print("Error: The Sigma rule requires a feature that is not supported by the target system: " + str(e), file=sys.stderr)
logger.debug("* Convertion Sigma input %s FAILURE" % (sigmafile))
success = False
if not cmdargs.ignore_backend_errors:
error = ERR_NOT_SUPPORTED
if not cmdargs.defer_abort:
sys.exit(error)
except BackendError as e:
print("Error: Backend error in %s: %s" % (sigmafile, str(e)), file=sys.stderr)
logger.debug("* Convertion Sigma input %s FAILURE" % (sigmafile))
success = False
if not cmdargs.ignore_backend_errors:
error = ERR_BACKEND
if not cmdargs.defer_abort:
sys.exit(error)
except (NotImplementedError, TypeError) as e:
print("An unsupported feature is required for this Sigma rule (%s): " % (sigmafile) + str(e), file=sys.stderr)
logger.debug("* Convertion Sigma input %s FAILURE" % (sigmafile))
success = False
if not cmdargs.ignore_backend_errors:
error = ERR_NOT_IMPLEMENTED
if not cmdargs.defer_abort:
sys.exit(error)
except PartialMatchError as e:
print("Error: Partial field match error: %s" % str(e), file=sys.stderr)
logger.debug("* Convertion Sigma input %s FAILURE" % (sigmafile))
success = False
if not cmdargs.ignore_backend_errors:
error = ERR_PARTIAL_FIELD_MATCH
if not cmdargs.defer_abort:
sys.exit(error)
except FullMatchError as e:
print("Error: Full field match error", file=sys.stderr)
logger.debug("* Convertion Sigma input %s FAILURE" % (sigmafile))
success = False
if not cmdargs.ignore_backend_errors:
error = ERR_FULL_FIELD_MATCH
if not cmdargs.defer_abort:
@@ -371,11 +395,14 @@ def main():
f.close()
except:
pass
if success :
logger.debug("* Convertion Sigma input %s SUCCESS" % (sigmafile))
result = backend.finalize()
if result:
print(result, file=out)
if cmdargs.output_fields:
if cmdargs.output_format == 'json':
print(json.dumps(output_array, indent=4, ensure_ascii=False), file=out)