diff --git a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_Security.yml b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_security.yml
similarity index 100%
rename from rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_Security.yml
rename to rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_security.yml
diff --git a/rules/windows/builtin/win_GPO_scheduledtasks.yml b/rules/windows/builtin/win_gpo_scheduledtasks.yml
similarity index 100%
rename from rules/windows/builtin/win_GPO_scheduledtasks.yml
rename to rules/windows/builtin/win_gpo_scheduledtasks.yml
diff --git a/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml b/rules/windows/builtin/win_invoke_obfuscation_stdin_services.yml
similarity index 100%
rename from rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml
rename to rules/windows/builtin/win_invoke_obfuscation_stdin_services.yml
diff --git a/rules/windows/builtin/win_invoke_obfuscation_stdin+_services_security.yml b/rules/windows/builtin/win_invoke_obfuscation_stdin_services_security.yml
similarity index 100%
rename from rules/windows/builtin/win_invoke_obfuscation_stdin+_services_security.yml
rename to rules/windows/builtin/win_invoke_obfuscation_stdin_services_security.yml
diff --git a/rules/windows/builtin/win_rdp_potential_cve-2019-0708.yml b/rules/windows/builtin/win_rdp_potential_cve_2019_0708.yml
similarity index 100%
rename from rules/windows/builtin/win_rdp_potential_cve-2019-0708.yml
rename to rules/windows/builtin/win_rdp_potential_cve_2019_0708.yml
diff --git a/rules/windows/file_event/file_event_script_files_creation_by_office_applications_using_file_extentions.yml b/rules/windows/file_event/file_event_script_creation_by_office_using_file_ext.yml
similarity index 100%
rename from rules/windows/file_event/file_event_script_files_creation_by_office_applications_using_file_extentions.yml
rename to rules/windows/file_event/file_event_script_creation_by_office_using_file_ext.yml
diff --git a/rules/windows/other/win_exchange_TransportAgent_failed.yml b/rules/windows/other/win_exchange_transportagent_failed.yml
similarity index 100%
rename from rules/windows/other/win_exchange_TransportAgent_failed.yml
rename to rules/windows/other/win_exchange_transportagent_failed.yml
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_stdin+.yml b/rules/windows/powershell/powershell_invoke_obfuscation_stdin.yml
similarity index 100%
rename from rules/windows/powershell/powershell_invoke_obfuscation_stdin+.yml
rename to rules/windows/powershell/powershell_invoke_obfuscation_stdin.yml
diff --git a/rules/windows/process_creation/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml b/rules/windows/process_creation/file_event_executable_and_script_creation_by_office_using_file_ext.yml
similarity index 100%
rename from rules/windows/process_creation/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml
rename to rules/windows/process_creation/file_event_executable_and_script_creation_by_office_using_file_ext.yml
diff --git a/rules/windows/process_creation/Monitor_LOLBins_Process_Creations_by_Office_applications.yml b/rules/windows/process_creation/process_creation_lolbins_by_office_applications.yml
similarity index 100%
rename from rules/windows/process_creation/Monitor_LOLBins_Process_Creations_by_Office_applications.yml
rename to rules/windows/process_creation/process_creation_lolbins_by_office_applications.yml
diff --git a/rules/windows/process_creation/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml b/rules/windows/process_creation/process_creation_lolbins_with_wmiprvse_parent_process.yml
similarity index 100%
rename from rules/windows/process_creation/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml
rename to rules/windows/process_creation/process_creation_lolbins_with_wmiprvse_parent_process.yml
diff --git a/rules/windows/process_creation/process_creation_office_applications_from_proxy_executing_regsvr32_with_payload.yml b/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload.yml
similarity index 100%
rename from rules/windows/process_creation/process_creation_office_applications_from_proxy_executing_regsvr32_with_payload.yml
rename to rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload.yml
diff --git a/rules/windows/process_creation/process_creation_office_application_from_proxy_executing_regsvr32_with_payload.yml b/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload2.yml
similarity index 100%
rename from rules/windows/process_creation/process_creation_office_application_from_proxy_executing_regsvr32_with_payload.yml
rename to rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload2.yml
diff --git a/rules/windows/process_creation/Monitor_Office_Applications_Spawning_WMI_command-line.yml b/rules/windows/process_creation/process_creation_office_spawning_wmi_commandline.yml
similarity index 100%
rename from rules/windows/process_creation/Monitor_Office_Applications_Spawning_WMI_command-line.yml
rename to rules/windows/process_creation/process_creation_office_spawning_wmi_commandline.yml
diff --git a/rules/windows/process_creation/process_creation_SDelete.yml b/rules/windows/process_creation/process_creation_sdelete.yml
similarity index 100%
rename from rules/windows/process_creation/process_creation_SDelete.yml
rename to rules/windows/process_creation/process_creation_sdelete.yml
diff --git a/rules/windows/process_creation/win_invoke_obfuscation_clip+.yml b/rules/windows/process_creation/win_invoke_obfuscation_clip.yml
similarity index 100%
rename from rules/windows/process_creation/win_invoke_obfuscation_clip+.yml
rename to rules/windows/process_creation/win_invoke_obfuscation_clip.yml
diff --git a/rules/windows/process_creation/win_invoke_obfuscation_stdin+.yml b/rules/windows/process_creation/win_invoke_obfuscation_stdin.yml
similarity index 100%
rename from rules/windows/process_creation/win_invoke_obfuscation_stdin+.yml
rename to rules/windows/process_creation/win_invoke_obfuscation_stdin.yml
diff --git a/rules/windows/process_creation/process_creation_possible_privilege_escalation_via_service_registry_permissions.yml b/rules/windows/process_creation/win_possible_privilege_escalation_via_service_registry_permissions.yml
similarity index 100%
rename from rules/windows/process_creation/process_creation_possible_privilege_escalation_via_service_registry_permissions.yml
rename to rules/windows/process_creation/win_possible_privilege_escalation_via_service_registry_permissions.yml
diff --git a/tests/test_rules.py b/tests/test_rules.py
index ebdbfa27a..16dbb0dcd 100755
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
@@ -47,18 +47,18 @@ class TestRules(unittest.TestCase):
         return data
 
     # Tests
-    def test_confirm_extension_is_yml(self):
-        files_with_incorrect_extensions = []
+    # def test_confirm_extension_is_yml(self):
+    #     files_with_incorrect_extensions = []
 
-        for file in self.yield_next_rule_file_path(self.path_to_rules):
-            file_name_and_extension = os.path.splitext(file)
-            if len(file_name_and_extension) == 2:
-                extension = file_name_and_extension[1]
-                if extension != ".yml":
-                    files_with_incorrect_extensions.append(file)
+    #     for file in self.yield_next_rule_file_path(self.path_to_rules):
+    #         file_name_and_extension = os.path.splitext(file)
+    #         if len(file_name_and_extension) == 2:
+    #             extension = file_name_and_extension[1]
+    #             if extension != ".yml":
+    #                 files_with_incorrect_extensions.append(file)
 
-        self.assertEqual(files_with_incorrect_extensions, [], Fore.RED +
-                         "There are rule files with extensions other than .yml")
+    #     self.assertEqual(files_with_incorrect_extensions, [], Fore.RED +
+    #                      "There are rule files with extensions other than .yml")
 
     def test_legal_trademark_violations(self):
         files_with_legal_issues = []
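Review bot: The body of `test_confirm_extension_is_yml` is kept as commented-out code instead of being deleted, so a reader cannot tell whether the extension check was dropped or relocated, and the dead block will only rot. The `.yml` check it performed now lives in `test_file_names` (`elif filename[-4:] != ".yml":` later in this file), so the whole commented block can go; git history preserves it. If a pointer is wanted, replace the block with the single line `# extension check moved into test_file_names`. `test_legal_trademark_violations`, whose first two lines close this hunk, continues outside it.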
@@ -519,12 +519,26 @@ class TestRules(unittest.TestCase):
 
     def test_file_names(self):
         faulty_rules = []
+        name_lst = []
         filename_pattern = re.compile('[a-z0-9_]{10,70}\.yml')
         for file in self.yield_next_rule_file_path(self.path_to_rules):
             filename = os.path.basename(file)
-            if filename_pattern.match(filename) == None or not '_' in filename:
+            if filename in name_lst:
+                print(Fore.YELLOW + "Rule {} is a duplicate file name.".format(file))
+                faulty_rules.append(file)
+            elif filename[-4:] != ".yml":
+                print(Fore.YELLOW + "Rule {} has a invalid extension (.yml).".format(file))
+                faulty_rules.append(file)
+            elif len(filename) > 74:
+                print(Fore.YELLOW + "Rule {} has a file name too long >70.".format(file))
+                faulty_rules.append(file)
+            elif len(filename) < 14:
+                print(Fore.YELLOW + "Rule {} has a file name too sort <10.".format(file))
+                faulty_rules.append(file)
+            elif filename_pattern.match(filename) == None or not '_' in filename:
                 print(Fore.YELLOW + "Rule {} has a file name that doesn't match our standard.".format(file))
                 faulty_rules.append(file)
+            name_lst.append(filename)
 
         self.assertEqual(faulty_rules, [], Fore.RED +
                          "There are rules with malformed file names (too short, too long, uppercase letters, a minus sign etc.). Please see the file names used in our repository and adjust your file names accordingly. The pattern for a valid file name is '[a-z0-9_]{10,70}\.yml' and it has to contain at least an underline character.")
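Review bot: The final `elif` still uses `filename_pattern.match(filename)`, which anchors only at the start of the name, so a name such as `abcdefghij.yml.bak.yml` passes the extension, length and pattern checks even though it contains extra dots and a second extension; use `elif filename_pattern.fullmatch(filename) is None or '_' not in filename:` so the whole name must conform. The duplicate check does a linear `filename in name_lst` scan for every rule, which makes the test quadratic in the number of rule files; `name_lst = set()` with `name_lst.add(filename)` keeps it O(1) per file with identical results. The thresholds `> 74` and `< 14` silently include the four characters of `.yml`, which the messages (`>70`, `<10`) do not say; a short comment such as `# 70/10 chars of stem plus ".yml"` would spare the next reader the arithmetic. The new user-facing messages also carry typos that will show up in CI output: `too sort` should read `too short` and `a invalid extension` should read `an invalid extension`.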