Merge pull request #2086 from frack113/sigmacover

contrib Sigmacover

contrib/sigmacover.py

@@ -6,14 +6,13 @@
 Project: sigmacover.py
 Date: 26/09/2021
 Author: frack113
-Version: 1.0
+Version: 1.1
 Description: 
     get cover of the rules vs backend
-    It is more a POC than a script for the moment
 Requirements:
+    python 3.7 min
     $ pip install ruyaml
 Todo:
-    - add output options
     - clean code and bug
     - better use of subprocess.run
     - have idea
@@ -24,19 +23,45 @@ import re
 import subprocess
 import pathlib
 import ruyaml
+import json
+import copy
+import platform
+import argparse
 
-
-def get_sigmac(options):
+def get_sigmac(name,conf):
     infos = []
-    ret = subprocess.run(options,)
+    if conf == None:
+        options = ["python","../tools/sigmac","-t",name,"--debug","-rI","-o","dump.txt","../rules"]
+    else:
+        options = ["python","../tools/sigmac","-t",name,"-c",conf,"--debug","-rI","-o","dump.txt","../rules"]
+    if platform.system() == "Windows":
+        si = subprocess.STARTUPINFO()
+        si.dwFlags |= subprocess.STARTF_USESHOWWINDOW
+        ret = subprocess.run(options,
+                             stdout=subprocess.PIPE,
+                             stderr=subprocess.STDOUT,
+                             startupinfo=si
+                             )
+        my_regex = "Convertion Sigma input \S+\\\\(\w+\.yml) (\w+)"
+    else:
+        ret = subprocess.run(options,
+                             stdout=subprocess.PIPE,
+                             stderr=subprocess.STDOUT,
+                             )
+        my_regex = "Convertion Sigma input \S+/(\w+\.yml) (\w+)"   
+    if not ret.returncode == 0:
+        print (f"error {ret.returncode} in sigmac")
     log = pathlib.Path("sigmac.log")
     with log.open() as f:
         lines = f.readlines()
         for line in lines:
             if "Convertion Sigma input" in line:
-                info = re.findall("Convertion Sigma input \S+\\\\(\w+\.yml) (\w+)",line)[0]
+                info = re.findall(my_regex,line)[0]
                 infos.append(info)
     log.unlink()
+    dump = pathlib.Path("dump.txt")
+    if dump.exists():
+        dump.unlink()
     return infos            
 
 def update_dict(my_dict,my_data,backend):
@@ -45,79 +70,91 @@ def update_dict(my_dict,my_data,backend):
 
 #the backend dict command line options
 backend_dict = {
-    "ala" : ["python","../tools/sigmac","-t","ala","--debug","-rI","../rules"],
-    "ala-rule" : ["python","../tools/sigmac","-t","ala-rule","--debug","-rI","../rules"],
-    "arcsight": ["python","../tools/sigmac","-t","arcsight","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"],
-    "arcsight-esm": ["python","../tools/sigmac","-t","arcsight-esm","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"],
-    "carbonblack": ["python","../tools/sigmac","-t","carbonblack","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"],
-    "chronicle": ["python","../tools/sigmac","-t","chronicle","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"],
-    "crowdstrike": ["python","../tools/sigmac","-t","crowdstrike","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"],
-    "csharp" : ["python","../tools/sigmac","-t","csharp","--debug","-rI","../rules"],
-    "devo": ["python","../tools/sigmac","-t","devo","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"],
-    "ee-outliers": ["python","../tools/sigmac","-t","ee-outliers","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"],
-    "elastalert": ["python","../tools/sigmac","-t","elastalert","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"],
-    "elastalert-dsl": ["python","../tools/sigmac","-t","elastalert-dsl","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"],
-    "es-dsl": ["python","../tools/sigmac","-t","es-dsl","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"],
-    "es-eql": ["python","../tools/sigmac","-t","es-eql","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"],
-    "es-qs": ["python","../tools/sigmac","-t","es-qs","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"],
-    "es-qs-lr": ["python","../tools/sigmac","-t","es-qs-lr","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"],
-    "es-rule": ["python","../tools/sigmac","-t","es-rule","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"],
-    "es-rule-eql": ["python","../tools/sigmac","-t","es-rule-eql","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"],
-    "fireeye-helix": ["python","../tools/sigmac","-t","fireeye-helix","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"],
-    "graylog" : ["python","../tools/sigmac","-t","graylog","--debug","-rI","../rules"],
-    "grep" : ["python","../tools/sigmac","-t","grep","--debug","-rI","../rules"],
-    "humio": ["python","../tools/sigmac","-t","humio","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"],
-    "kibana": ["python","../tools/sigmac","-t","kibana","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"],
-    "kibana-ndjson": ["python","../tools/sigmac","-t","kibana-ndjson","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"],
-    "lacework" : ["python","../tools/sigmac","-t","lacework","--debug","-rI","../rules"],
-    "limacharlie" : ["python","../tools/sigmac","-t","limacharlie","--debug","-rI","../rules"],
-    "logiq" : ["python","../tools/sigmac","-t","logiq","--debug","-rI","../rules"],
-    "logpoint" : ["python","../tools/sigmac","-t","logpoint","--debug","-rI","../rules"],
-    "mdatp" : ["python","../tools/sigmac","-t","mdatp","--debug","-rI","../rules"],
-    "netwitness" : ["python","../tools/sigmac","-t","netwitness","--debug","-rI","../rules"],
-    "netwitness-epl" : ["python","../tools/sigmac","-t","netwitness-epl","--debug","-rI","../rules"],
-    "opensearch-monitor": ["python","../tools/sigmac","-t","opensearch-monitor","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"],
-    "powershell" : ["python","../tools/sigmac","-t","powershell","--debug","-rI","../rules"],
-    "qradar" : ["python","../tools/sigmac","-t","qradar","--debug","-rI","../rules"],
-    "qualys" : ["python","../tools/sigmac","-t","qualys","--debug","-rI","../rules"],
-    "sentinel-rule" : ["python","../tools/sigmac","-t","sentinel-rule","--debug","-rI","../rules"],
-    "splunk": ["python","../tools/sigmac","-t","splunk","-c","../tools/config/splunk-windows.yml","--debug","-rI","../rules"],
-    "splunkdm": ["python","../tools/sigmac","-t","splunkdm","-c","../tools/config/splunk-windows.yml","--debug","-rI","../rules"],
-    "splunkxml": ["python","../tools/sigmac","-t","splunkxml","-c","../tools/config/splunk-windows.yml","--debug","-rI","../rules"],
-    "sql": ["python","../tools/sigmac","-t","sql","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"],
-    "sqlite": ["python","../tools/sigmac","-t","sqlite","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"],
-    "stix": ["python","../tools/sigmac","-t","stix","-c","../tools/config/stix2.0.yml","--debug","-rI","../rules"],
-    "sumologic" : ["python","../tools/sigmac","-t","sumologic","--debug","-rI","../rules"],
-    "sumologic-cse" : ["python","../tools/sigmac","-t","sumologic-cse","--debug","-rI","../rules"],
-    "sumologic-cse-rule" : ["python","../tools/sigmac","-t","sumologic-cse-rule","--debug","-rI","../rules"],
-    "sysmon": ["python","../tools/sigmac","-t","stix","-c","../tools/config/sysmon.yml","--debug","-rI","../rules"],
-    "uberagent" : ["python","../tools/sigmac","-t","uberagent","--debug","-rI","../rules"],
-    "xpack-watcher": ["python","../tools/sigmac","-t","xpack-watcher","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"],
+    "ala": None,
+    "ala-rule": None,
+    "arcsight": "../tools/config/elk-winlogbeat.yml",
+    "arcsight-esm": "../tools/config/elk-winlogbeat.yml",
+    "carbonblack": "../tools/config/elk-winlogbeat.yml",
+    "chronicle": "../tools/config/elk-winlogbeat.yml",
+    "crowdstrike": "../tools/config/elk-winlogbeat.yml",
+    "csharp" : None,
+    "devo": "../tools/config/elk-winlogbeat.yml",
+    "ee-outliers": "../tools/config/winlogbeat-modules-enabled.yml",
+    "elastalert": "../tools/config/winlogbeat-modules-enabled.yml",
+    "elastalert-dsl": "../tools/config/winlogbeat-modules-enabled.yml",
+    "es-dsl": "../tools/config/winlogbeat-modules-enabled.yml",
+    "es-eql": "../tools/config/winlogbeat-modules-enabled.yml",
+    "es-qs": "../tools/config/winlogbeat-modules-enabled.yml",
+    "es-qs-lr": "../tools/config/logrhythm_winevent.yml",
+    "es-rule": "../tools/config/winlogbeat-modules-enabled.yml",
+    "es-rule-eql": "../tools/config/winlogbeat-modules-enabled.yml",
+    "fireeye-helix": "../tools/config/elk-winlogbeat.yml",
+    "graylog" : None,
+    "grep" : None,
+    "humio": "../tools/config/elk-winlogbeat.yml",
+    "kibana": "../tools/config/winlogbeat-modules-enabled.yml",
+    "kibana-ndjson": "../tools/config/winlogbeat-modules-enabled.yml",
+    "lacework" : None,
+    "limacharlie" : None,
+    "logiq" : None,
+    "logpoint" : None,
+    "mdatp" : None,
+    "netwitness" : None,
+    "netwitness-epl" : None,
+    "opensearch-monitor": "../tools/config/winlogbeat.yml",
+    "powershell" : None,
+    "qradar" : None,
+    "qualys" : None,
+    "sentinel-rule" : None,
+    "splunk": "../tools/config/splunk-windows.yml",
+    "splunkdm": "../tools/config/splunk-windows.yml",
+    "splunkxml": "../tools/config/splunk-windows.yml",
+    "sql": "../tools/config/elk-winlogbeat.yml",
+    "sqlite": "../tools/config/elk-winlogbeat.yml",
+    "stix": "../tools/config/stix2.0.yml",
+    "sumologic" : None,
+    "sumologic-cse" : None,
+    "sumologic-cse-rule" : None,
+    "sysmon": "../tools/config/elk-windows.yml",
+    "uberagent" : None,
+    "xpack-watcher": "../tools/config/winlogbeat-modules-enabled.yml",
     }
 
 print("""
 ███ ███ ████ █▄┼▄█ ███ ┼┼ ███ ███ █▄█ ███ ███
 █▄▄ ┼█┼ █┼▄▄ █┼█┼█ █▄█ ┼┼ █┼┼ █┼█ ███ █▄┼ █▄┼
 ▄▄█ ▄█▄ █▄▄█ █┼┼┼█ █┼█ ┼┼ ███ █▄█ ┼█┼ █▄▄ █┼█
-                    v1.0
+                  v1.1 bugfix
 please wait during the tests
 """)
+argparser = argparse.ArgumentParser(description="Check Sigma rules with all backend.")
+argparser.add_argument("--target", "-t", choices=["yaml","json"], help="Output target format")
+cmdargs = argparser.parse_args()
 
+if cmdargs.target == None:
+    print("No outpout use -h to see help")
+    exit()
+  
 #init dict of all rules
 default_key_test = {key : "NO TEST" for key in backend_dict.keys()}
 the_dico ={}
 rules = pathlib.Path("../rules").glob("**/*.yml")
 for rule in rules:
-    the_dico[rule.name] = default_key_test
+    the_dico[rule.name] = copy.deepcopy(default_key_test)
 
 #Check all the backend    
 for name,opt in backend_dict.items():
     print (f"check backend : {name}")
-    result = get_sigmac(opt)
+    result = get_sigmac(name,opt)
     update_dict(the_dico,result,name)
 
 #Save
-cover = pathlib.Path("sigmacover.yml")
-with cover.open("w") as f:
-    ruyaml.dump(the_dico, f, Dumper=ruyaml.RoundTripDumper)
-
+if cmdargs.target.lower() == "yaml":
+    cover = pathlib.Path("sigmacover.yml")
+    with cover.open("w") as file:
+        ruyaml.dump(the_dico, file, Dumper=ruyaml.RoundTripDumper)
+else:
+    cover = pathlib.Path("sigmacover.json")
+    with cover.open("w") as file:
+        json_dumps_str = json.dumps(the_dico, indent=4)
+        file.write(json_dumps_str)