From 776cccce30475122431250b141ee917555c44e92 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 26 Sep 2021 17:07:58 +0200 Subject: [PATCH 1/2] Fix windows10 --- contrib/sigmacover.py | 124 ++++++++++++++++++++++++------------------ 1 file changed, 70 insertions(+), 54 deletions(-) diff --git a/contrib/sigmacover.py b/contrib/sigmacover.py index 0976b809a..d498cae2b 100644 --- a/contrib/sigmacover.py +++ b/contrib/sigmacover.py @@ -6,11 +6,12 @@ Project: sigmacover.py Date: 26/09/2021 Author: frack113 -Version: 1.0 +Version: 1.1 Description: get cover of the rules vs backend It is more a POC than a script for the moment Requirements: + python 3.7 min $ pip install ruyaml Todo: - add output options @@ -24,11 +25,23 @@ import re import subprocess import pathlib import ruyaml +import copy - -def get_sigmac(options): +def get_sigmac(name,conf): infos = [] - ret = subprocess.run(options,) + if conf == None: + options = ["python","../tools/sigmac","-t",name,"--debug","-rI","-o","dump.txt","../rules"] + else: + options = ["python","../tools/sigmac","-t",name,"-c",conf,"--debug","-rI","-o","dump.txt","../rules"] + si = subprocess.STARTUPINFO() + si.dwFlags |= subprocess.STARTF_USESHOWWINDOW + ret = subprocess.run(options, + stdout=subprocess.PIPE, + stderr=subprocess.STDOUT, + startupinfo=si + ) + if not ret.returncode == 0: + print (f"error {ret.returncode} in sigmac") log = pathlib.Path("sigmac.log") with log.open() as f: lines = f.readlines() @@ -37,6 +50,9 @@ def get_sigmac(options): info = re.findall("Convertion Sigma input \S+\\\\(\w+\.yml) (\w+)",line)[0] infos.append(info) log.unlink() + dump = pathlib.Path("dump.txt") + if dump.exists(): + dump.unlink() return infos def update_dict(my_dict,my_data,backend): 
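Review bot: The new `options` lists launch a bare `"python"` resolved from PATH, so on a host where that name maps to a different interpreter (or is missing, as on a stock Ubuntu 20.04 without python-is-python3) sigmac runs under a Python other than the one executing this script; `sys.executable` pins the child to the same interpreter: `options = [sys.executable, "../tools/sigmac", "-t", name, ...]` in both branches (needs `import sys`). While there, `if conf == None:` should read `if conf is None:` per PEP 8. The list-based `subprocess.run` with no shell is the right shape here, since `conf` comes from the hard-coded table rather than user input. get_sigmac's body continues past the end of this hunk.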
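Review bot: The `-o dump.txt` output that this hunk deletes is not read by any visible code, so the converted rules are written into the working directory only to be unlinked, and two runs sharing a directory would clobber each other's file. If `-o` is only there to keep sigmac's converted rules out of the captured stdout, `"-o", os.devnull` (with `import os`) removes both the file and the `dump.exists()` / `dump.unlink()` cleanup; if the dump is meant to be inspected after a failure, keep it but skip the unlink when `ret.returncode != 0`. get_sigmac starts before this hunk.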
@@ -45,54 +61,54 @@ def update_dict(my_dict,my_data,backend): #the backend dict command line options backend_dict = { - "ala" : ["python","../tools/sigmac","-t","ala","--debug","-rI","../rules"], - "ala-rule" : ["python","../tools/sigmac","-t","ala-rule","--debug","-rI","../rules"], - "arcsight": ["python","../tools/sigmac","-t","arcsight","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"], - "arcsight-esm": ["python","../tools/sigmac","-t","arcsight-esm","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"], - "carbonblack": ["python","../tools/sigmac","-t","carbonblack","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"], - "chronicle": ["python","../tools/sigmac","-t","chronicle","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"], - "crowdstrike": ["python","../tools/sigmac","-t","crowdstrike","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"], - "csharp" : ["python","../tools/sigmac","-t","csharp","--debug","-rI","../rules"], - "devo": ["python","../tools/sigmac","-t","devo","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"], - "ee-outliers": ["python","../tools/sigmac","-t","ee-outliers","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], - "elastalert": ["python","../tools/sigmac","-t","elastalert","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], - "elastalert-dsl": ["python","../tools/sigmac","-t","elastalert-dsl","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], - "es-dsl": ["python","../tools/sigmac","-t","es-dsl","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], - "es-eql": ["python","../tools/sigmac","-t","es-eql","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], - "es-qs": ["python","../tools/sigmac","-t","es-qs","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], - "es-qs-lr": 
["python","../tools/sigmac","-t","es-qs-lr","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], - "es-rule": ["python","../tools/sigmac","-t","es-rule","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], - "es-rule-eql": ["python","../tools/sigmac","-t","es-rule-eql","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], - "fireeye-helix": ["python","../tools/sigmac","-t","fireeye-helix","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"], - "graylog" : ["python","../tools/sigmac","-t","graylog","--debug","-rI","../rules"], - "grep" : ["python","../tools/sigmac","-t","grep","--debug","-rI","../rules"], - "humio": ["python","../tools/sigmac","-t","humio","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"], - "kibana": ["python","../tools/sigmac","-t","kibana","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], - "kibana-ndjson": ["python","../tools/sigmac","-t","kibana-ndjson","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], - "lacework" : ["python","../tools/sigmac","-t","lacework","--debug","-rI","../rules"], - "limacharlie" : ["python","../tools/sigmac","-t","limacharlie","--debug","-rI","../rules"], - "logiq" : ["python","../tools/sigmac","-t","logiq","--debug","-rI","../rules"], - "logpoint" : ["python","../tools/sigmac","-t","logpoint","--debug","-rI","../rules"], - "mdatp" : ["python","../tools/sigmac","-t","mdatp","--debug","-rI","../rules"], - "netwitness" : ["python","../tools/sigmac","-t","netwitness","--debug","-rI","../rules"], - "netwitness-epl" : ["python","../tools/sigmac","-t","netwitness-epl","--debug","-rI","../rules"], - "opensearch-monitor": ["python","../tools/sigmac","-t","opensearch-monitor","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], - "powershell" : ["python","../tools/sigmac","-t","powershell","--debug","-rI","../rules"], - "qradar" : ["python","../tools/sigmac","-t","qradar","--debug","-rI","../rules"], - 
"qualys" : ["python","../tools/sigmac","-t","qualys","--debug","-rI","../rules"], - "sentinel-rule" : ["python","../tools/sigmac","-t","sentinel-rule","--debug","-rI","../rules"], - "splunk": ["python","../tools/sigmac","-t","splunk","-c","../tools/config/splunk-windows.yml","--debug","-rI","../rules"], - "splunkdm": ["python","../tools/sigmac","-t","splunkdm","-c","../tools/config/splunk-windows.yml","--debug","-rI","../rules"], - "splunkxml": ["python","../tools/sigmac","-t","splunkxml","-c","../tools/config/splunk-windows.yml","--debug","-rI","../rules"], - "sql": ["python","../tools/sigmac","-t","sql","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"], - "sqlite": ["python","../tools/sigmac","-t","sqlite","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"], - "stix": ["python","../tools/sigmac","-t","stix","-c","../tools/config/stix2.0.yml","--debug","-rI","../rules"], - "sumologic" : ["python","../tools/sigmac","-t","sumologic","--debug","-rI","../rules"], - "sumologic-cse" : ["python","../tools/sigmac","-t","sumologic-cse","--debug","-rI","../rules"], - "sumologic-cse-rule" : ["python","../tools/sigmac","-t","sumologic-cse-rule","--debug","-rI","../rules"], - "sysmon": ["python","../tools/sigmac","-t","stix","-c","../tools/config/sysmon.yml","--debug","-rI","../rules"], - "uberagent" : ["python","../tools/sigmac","-t","uberagent","--debug","-rI","../rules"], - "xpack-watcher": ["python","../tools/sigmac","-t","xpack-watcher","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], + "ala": None, + "ala-rule": None, + "arcsight": "../tools/config/elk-winlogbeat.yml", + "arcsight-esm": "../tools/config/elk-winlogbeat.yml", + "carbonblack": "../tools/config/elk-winlogbeat.yml", + "chronicle": "../tools/config/elk-winlogbeat.yml", + "crowdstrike": "../tools/config/elk-winlogbeat.yml", + "csharp" : None, + "devo": "../tools/config/elk-winlogbeat.yml", + "ee-outliers": "../tools/config/winlogbeat-modules-enabled.yml", 
+ "elastalert": "../tools/config/winlogbeat-modules-enabled.yml", + "elastalert-dsl": "../tools/config/winlogbeat-modules-enabled.yml", + "es-dsl": "../tools/config/winlogbeat-modules-enabled.yml", + "es-eql": "../tools/config/winlogbeat-modules-enabled.yml", + "es-qs": "../tools/config/winlogbeat-modules-enabled.yml", + "es-qs-lr": "../tools/config/logrhythm_winevent.yml", + "es-rule": "../tools/config/winlogbeat-modules-enabled.yml", + "es-rule-eql": "../tools/config/winlogbeat-modules-enabled.yml", + "fireeye-helix": "../tools/config/elk-winlogbeat.yml", + "graylog" : None, + "grep" : None, + "humio": "../tools/config/elk-winlogbeat.yml", + "kibana": "../tools/config/winlogbeat-modules-enabled.yml", + "kibana-ndjson": "../tools/config/winlogbeat-modules-enabled.yml", + "lacework" : None, + "limacharlie" : None, + "logiq" : None, + "logpoint" : None, + "mdatp" : None, + "netwitness" : None, + "netwitness-epl" : None, + "opensearch-monitor": "../tools/config/winlogbeat.yml", + "powershell" : None, + "qradar" : None, + "qualys" : None, + "sentinel-rule" : None, + "splunk": "../tools/config/splunk-windows.yml", + "splunkdm": "../tools/config/splunk-windows.yml", + "splunkxml": "../tools/config/splunk-windows.yml", + "sql": "../tools/config/elk-winlogbeat.yml", + "sqlite": "../tools/config/elk-winlogbeat.yml", + "stix": "../tools/config/stix2.0.yml", + "sumologic" : None, + "sumologic-cse" : None, + "sumologic-cse-rule" : None, + "sysmon": "../tools/config/sysmon.yml", + "uberagent" : None, + "xpack-watcher": "../tools/config/winlogbeat-modules-enabled.yml", } print(""" 
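Review bot: `backend_dict` now carries an implicit contract that the comment above it (`#the backend dict command line options`) no longer describes: each key is passed verbatim as sigmac's `-t` target by `get_sigmac(name, conf)`, and each value is either `None` for a backend that needs no field mapping or a config path relative to the working directory, so the script only works when run from `contrib/`. A misspelled key or a moved config file now fails inside the sigmac child rather than at lookup time, which makes a one-line comment cheap insurance. Suggested replacement for the comment: `# backend name (passed verbatim as sigmac -t) -> sigmac -c config path, or None when no field mapping is needed; paths assume cwd is contrib/`.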
@@ -108,12 +124,12 @@ default_key_test = {key : "NO TEST" for key in backend_dict.keys()} the_dico ={} rules = pathlib.Path("../rules").glob("**/*.yml") for rule in rules: - the_dico[rule.name] = default_key_test + the_dico[rule.name] = copy.deepcopy(default_key_test) #Check all the backend for name,opt in backend_dict.items(): print (f"check backend : {name}") - result = get_sigmac(opt) + result = get_sigmac(name,opt) update_dict(the_dico,result,name) #Save From 8f99625a25b3a1137a47375fcaa4f293dfd3916a Mon Sep 17 00:00:00 2001 From: frack113 Date: Sun, 26 Sep 2021 18:28:07 +0200 Subject: [PATCH 2/2] Fix ubuntu 20 --- contrib/sigmacover.py | 53 ++++++++++++++++++++++++++++++------------- 1 file changed, 37 insertions(+), 16 deletions(-) diff --git a/contrib/sigmacover.py b/contrib/sigmacover.py index d498cae2b..3c33e4f2b 100644 --- a/contrib/sigmacover.py +++ b/contrib/sigmacover.py @@ -9,12 +9,10 @@ Author: frack113 Version: 1.1 Description: get cover of the rules vs backend - It is more a POC than a script for the moment Requirements: python 3.7 min $ pip install ruyaml Todo: - - add output options - clean code and bug - better use of subprocess.run - have idea @@ -25,7 +23,10 @@ import re import subprocess import pathlib import ruyaml +import json import copy +import platform +import argparse def get_sigmac(name,conf): infos = [] 
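Review bot: `the_dico[rule.name]` keys the coverage table by basename while the glob is recursive (`../rules/**/*.yml`), so two rules with the same filename in different directories would share one entry and the later one would overwrite the earlier one's results; the log regex in `get_sigmac` also captures only the basename, so such a collision would be invisible in the output. If rule filenames are guaranteed unique across the tree this is fine and worth stating, `# rule filenames are assumed unique across ../rules`; otherwise key on `rule.relative_to("../rules").as_posix()` and widen the log regex to capture the same relative path. Whether duplicates exist under ../rules I cannot tell from here.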
@@ -33,13 +34,21 @@ def get_sigmac(name,conf): options = ["python","../tools/sigmac","-t",name,"--debug","-rI","-o","dump.txt","../rules"] else: options = ["python","../tools/sigmac","-t",name,"-c",conf,"--debug","-rI","-o","dump.txt","../rules"] - si = subprocess.STARTUPINFO() - si.dwFlags |= subprocess.STARTF_USESHOWWINDOW - ret = subprocess.run(options, - stdout=subprocess.PIPE, - stderr=subprocess.STDOUT, - startupinfo=si - ) + if platform.system() == "Windows": + si = subprocess.STARTUPINFO() + si.dwFlags |= subprocess.STARTF_USESHOWWINDOW + ret = subprocess.run(options, + stdout=subprocess.PIPE, + stderr=subprocess.STDOUT, + startupinfo=si + ) + my_regex = "Convertion Sigma input \S+\\\\(\w+\.yml) (\w+)" + else: + ret = subprocess.run(options, + stdout=subprocess.PIPE, + stderr=subprocess.STDOUT, + ) + my_regex = "Convertion Sigma input \S+/(\w+\.yml) (\w+)" if not ret.returncode == 0: print (f"error {ret.returncode} in sigmac") log = pathlib.Path("sigmac.log") @@ -47,7 +56,7 @@ def get_sigmac(name,conf): lines = f.readlines() for line in lines: if "Convertion Sigma input" in line: - info = re.findall("Convertion Sigma input \S+\\\\(\w+\.yml) (\w+)",line)[0] + info = re.findall(my_regex,line)[0] infos.append(info) log.unlink() dump = pathlib.Path("dump.txt") @@ -106,7 +115,7 @@ backend_dict = { "sumologic" : None, "sumologic-cse" : None, "sumologic-cse-rule" : None, - "sysmon": "../tools/config/sysmon.yml", + "sysmon": "../tools/config/elk-windows.yml", "uberagent" : None, "xpack-watcher": "../tools/config/winlogbeat-modules-enabled.yml", } 
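Review bot: The two branches duplicate the entire `subprocess.run` call when only the `startupinfo` keyword differs, and on failure both still discard the captured output: `print (f"error {ret.returncode} in sigmac")` reports just the code, then execution continues into `log.open()`, which presumably raises FileNotFoundError if sigmac exited before writing `sigmac.log`. Build the keyword arguments once, use one pattern that accepts either path separator, print `ret.stdout` on a non-zero return, and bail out when the log is absent; the pattern should also be a raw string, since `"\S"` and `"\w"` are invalid escapes in a plain string literal. The log-parsing loop and the cleanup at the end of get_sigmac are outside this hunk.
```python
    run_kwargs = {"stdout": subprocess.PIPE, "stderr": subprocess.STDOUT}
    if platform.system() == "Windows":
        # STARTF_USESHOWWINDOW keeps the child from opening a console window
        si = subprocess.STARTUPINFO()
        si.dwFlags |= subprocess.STARTF_USESHOWWINDOW
        run_kwargs["startupinfo"] = si
    ret = subprocess.run(options, **run_kwargs)
    # sigmac --debug logs "Convertion Sigma input <path> <status>"; accept \ or / separators
    my_regex = r"Convertion Sigma input \S+[\\/](\w+\.yml) (\w+)"
    if ret.returncode != 0:
        print(f"error {ret.returncode} in sigmac")
        print(ret.stdout.decode(errors="replace"))
    log = pathlib.Path("sigmac.log")
    if not log.exists():
        return infos
    # … unchanged: log parsing and cleanup …
```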
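Review bot: `re.findall(my_regex,line)[0]` raises IndexError on any `Convertion Sigma input` line the pattern does not match — a rule filename with a character outside `\w` (a hyphen, say) or a path without the expected separator would abort the whole backend run instead of skipping one line, and because `log.unlink()` runs after the loop the log is then left behind for the next backend to re-read. Use a match object and skip misses: `m = re.search(my_regex, line)` / `if m: infos.append(m.groups())`, which yields the same `(name, status)` tuple on a hit and costs one rule rather than one backend on a miss. Whether such filenames exist under ../rules I cannot tell from here; the guard is cheap either way. get_sigmac starts before this hunk.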
@@ -115,10 +124,17 @@ print(""" ███ ███ ████ █▄┼▄█ ███ ┼┼ ███ ███ █▄█ ███ ███ █▄▄ ┼█┼ █┼▄▄ █┼█┼█ █▄█ ┼┼ █┼┼ █┼█ ███ █▄┼ █▄┼ ▄▄█ ▄█▄ █▄▄█ █┼┼┼█ █┼█ ┼┼ ███ █▄█ ┼█┼ █▄▄ █┼█ - v1.0 + v1.1 bugfix please wait during the tests """) +argparser = argparse.ArgumentParser(description="Check Sigma rules with all backend.") +argparser.add_argument("--target", "-t", choices=["yaml","json"], help="Output target format") +cmdargs = argparser.parse_args() +if cmdargs.target == None: + print("No outpout use -h to see help") + exit() + #init dict of all rules default_key_test = {key : "NO TEST" for key in backend_dict.keys()} the_dico ={} @@ -133,7 +149,12 @@ for name,opt in backend_dict.items(): update_dict(the_dico,result,name) #Save -cover = pathlib.Path("sigmacover.yml") -with cover.open("w") as f: - ruyaml.dump(the_dico, f, Dumper=ruyaml.RoundTripDumper) - +if cmdargs.target.lower() == "yaml": + cover = pathlib.Path("sigmacover.yml") + with cover.open("w") as file: + ruyaml.dump(the_dico, file, Dumper=ruyaml.RoundTripDumper) +else: + cover = pathlib.Path("sigmacover.json") + with cover.open("w") as file: + json_dumps_str = json.dumps(the_dico, indent=4) + file.write(json_dumps_str)