security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fixes

Browse Source 
* Removed Splunk regex query
* Added test for sumologic-cse backend
This commit is contained in:
Thomas Patzke
2020-10-23 15:31:00 +02:00
parent 9dc806448c
commit 2fb7dd5e99
2 changed files with 4 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Makefile
+1
View File
@@ -59,6 +59,7 @@ test-sigmac:
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t netwitness -c tools/config/netwitness.yml rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t netwitness-epl -c netwitness-epl rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t sumologic -O rulecomment -c tools/config/sumologic.yml rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t sumologic-cse -O rulecomment -c tools/config/sumologic.yml rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t humio -O rulecomment -c tools/config/humio.yml rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t crowdstrike -O rulecomment -c tools/config/crowdstrike.yml rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t sql -c sysmon rules/ > /dev/null
tools/sigma/backends/splunk.py
+3 -11
View File
@@ -18,8 +18,6 @@ import re
import sigma
from .base import SingleTextQueryBackend
from .mixins import MultiRuleOutputMixin
from sigma.parser.modifiers.type import SigmaRegularExpressionModifier
class SplunkBackend(SingleTextQueryBackend):
"""Converts Sigma rule into Splunk Search Processing Language (SPL)."""
@@ -70,7 +68,7 @@ class SplunkBackend(SingleTextQueryBackend):
agg.aggfunc_notrans = 'dc'
return " | eventstats %s(%s) as val by %s | search val %s %s" % (agg.aggfunc_notrans, agg.aggfield or "", agg.groupfield or "", agg.cond_op, agg.condition)
def generate(self, sigmaparser):
"""Method is called for each sigma rule and receives the parsed rule (SigmaParser)"""
columns = list()
@@ -108,7 +106,7 @@ class SplunkBackend(SingleTextQueryBackend):
result += fields
return result
class SplunkXMLBackend(SingleTextQueryBackend, MultiRuleOutputMixin):
"""Converts Sigma rule into XML used for Splunk Dashboard Panels"""
identifier = "splunkxml"
@@ -177,9 +175,6 @@ class SplunkXMLBackend(SingleTextQueryBackend, MultiRuleOutputMixin):
class CrowdStrikeBackend(SplunkBackend):
"""Converts Sigma rule into CrowdStrike Search Processing Language (SPL)."""
identifier = "crowdstrike"
typedValueExpression = {
SigmaRegularExpressionModifier: 'regex field=%s "%s"'
}
def generate(self, sigmaparser):
lgs = sigmaparser.parsedyaml.get("logsource")
@@ -215,7 +210,4 @@ class CrowdStrikeBackend(SplunkBackend):
raise NotImplementedError("Not supported logsources!")
def generateMapItemTypedNode(self, fieldname, value):
if isinstance(value, SigmaRegularExpressionModifier):
return self.typedValueExpression.get(type(value)) % (fieldname, value)
else:
return super().generateMapItemTypedNode(fieldname=fieldname, value=value)
return super().generateMapItemTypedNode(fieldname=fieldname, value=value)