Merge PR #5708 from @nasbench - Multiple updates and issue fixes
Goodlog Tests / check-baseline-win7 (push) Waiting to run
Goodlog Tests / check-baseline-win10 (push) Waiting to run
Goodlog Tests / check-baseline-win11 (push) Waiting to run
Goodlog Tests / check-baseline-win11-2023 (push) Waiting to run
Goodlog Tests / check-baseline-win2022 (push) Waiting to run
Goodlog Tests / check-baseline-win2022-domain-controller (push) Waiting to run
Goodlog Tests / check-baseline-win2022-0-20348-azure (push) Waiting to run
Create Release / Create Release (push) Waiting to run
Sigma Rule Tests / yamllint (push) Waiting to run
Sigma Rule Tests / test-sigma-logsource (push) Blocked by required conditions
Sigma Rule Tests / test-sigma-legacy (push) Blocked by required conditions
Sigma Rule Tests / sigma-check (push) Blocked by required conditions
Validate Sigma rules / sigma-rules-validator (push) Waiting to run
fix: Turla Group Commands May 2020 - Change the commandline to regex to account for additional spaces when ingesting non-XML version of logs from the eventlog.
fix: Potential Dtrack RAT Activity - Change the commandline to regex to account for additional spaces when ingesting non-XML version of logs from the eventlog.
fix: Potential Data Exfiltration Activity Via CommandLine Tools - Change the commandline to regex to account for additional spaces when ingesting non-XML version of logs from the eventlog.
fix: Suspicious Network Command - Change the commandline to regex to account for additional spaces when ingesting non-XML version of logs from the eventlog.
fix: Suspicious SYSTEM User Process Creation - Change the commandline to regex to account for additional spaces when ingesting non-XML version of logs from the eventlog.
fix: Potential Snatch Ransomware Activity - Change the commandline to regex to account for additional spaces when ingesting non-XML version of logs from the eventlog.
fix: Potential Devil Bait Malware Reconnaissance - Change the commandline to regex to account for additional spaces when ingesting non-XML version of logs from the eventlog.
fix: Mint Sandstorm - AsperaFaspex Suspicious Process Execution - Change the commandline to regex to account for additional spaces when ingesting non-XML version of logs from the eventlog.
fix: Mint Sandstorm - ManageEngine Suspicious Process Execution - Change the commandline to regex to account for additional spaces when ingesting non-XML version of logs from the eventlog.
update: Powershell Token Obfuscation - Powershell - Move to the TH folder in order to set the right FP expectations.
fix: Kerberoasting Activity - Initial Query - Fix issue with filter names and logic
chore: add sorting to the rule archiver script
---------
Thanks: KingKDot
Thanks: zambomarcell
Thanks: Koifman
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Committed by: GitHub
Parent: 02f7843bcf
Commit: a77d3bae4b
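The rule fixes in the commit message replace literal `commandline` matching with regular expressions so that the extra spaces present in the text (non-XML) rendering of Windows event logs do not break detection. The block below is an added example, not code from the SigmaHQ repository or from this PR: it turns a literal `contains` value into a whitespace-tolerant regex and compares both matchers on constructed command lines (the helper names, `SAMPLES` and `LITERAL` are assumptions made for illustration).

```python
import re


def sigma_contains_to_regex(literal: str) -> str:
    """Turn a literal 'CommandLine|contains' value into a whitespace-tolerant regex.

    Every run of spaces in the literal becomes '\\s+', so the pattern still
    matches when the command line was rendered with extra padding, as happens
    when the text (non-XML) rendering of Windows event logs is ingested.
    All other characters are escaped and keep their literal meaning.
    """
    tokens = [re.escape(tok) for tok in literal.split(" ") if tok]
    return r"\s+".join(tokens)


def literal_contains(literal: str, command_line: str) -> bool:
    """Plain case-insensitive substring match (what a literal 'contains' does)."""
    return literal.lower() in command_line.lower()


def regex_contains(literal: str, command_line: str) -> bool:
    """Case-insensitive match using the whitespace-tolerant regex.

    A Sigma rule using the '|re' modifier needs a '(?i)' prefix to get the
    same case-insensitive behaviour.
    """
    return re.search(sigma_contains_to_regex(literal), command_line, re.IGNORECASE) is not None


# Constructed sample command lines, not taken from any real event log.
# The second one mimics the extra spaces seen in the text rendering of the log.
SAMPLES = {
    "xml_rendering": "cmd.exe /c net user /domain",
    "text_rendering": "cmd.exe   /c   net  user   /domain",
    "unrelated": "cmd.exe /c whoami",
}
LITERAL = "net user /domain"


def compare(literal: str = LITERAL) -> dict:
    """Return, per sample, whether the literal matcher and the regex matcher fire."""
    return {
        name: (literal_contains(literal, cmd), regex_contains(literal, cmd))
        for name, cmd in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (lit, rx) in compare().items():
        print(f"{name:15} literal={lit!s:5} regex={rx}")
```

Only the regex matcher fires on the padded `text_rendering` sample, which is the gap the commit closes for the listed rules.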
@@ -9,6 +9,7 @@ import requests
import yaml
import os
from datetime import datetime
from typing import Generator
WEB_ARCHIVE_SAVE_URL = "https://web.archive.org/save/"
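Review bot: the new `from typing import Generator` lands after the third-party imports (`requests`, `yaml`) alongside the other standard-library modules (`os`, `datetime`); PEP 8 groups standard-library imports first, so while touching this block consider moving `os`, `datetime` and `typing` above `requests` and `yaml`. Nothing functional depends on the order.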
@@ -27,7 +28,7 @@ path_to_rules = [
# Helper functions
def yield_next_rule_file_path(path_to_rules: list) -> str:
def yield_next_rule_file_path(path_to_rules: list) -> Generator[str, None, None]:
for path_ in path_to_rules:
for root, _, files in os.walk(path_):
for file in files:
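Review bot: the corrected annotation `Generator[str, None, None]` now matches what `yield_next_rule_file_path` does (it yields file paths rather than returning a `str`); since the generator neither receives sent values nor returns one, `Iterator[str]` from `typing` states the same contract more briefly. On the same line, `path_to_rules: list` could be tightened to `list[str]` so callers know it expects path strings.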
@@ -103,6 +104,26 @@ def archive_references(ref_list):
return already_archived, newly_archived_references, error_archiving
def sort_references(file_path: str):
"""Sort the references in the rule-references.txt file alphabetically."""
try:
with open(file_path, "r") as f:
references = [line.strip() for line in f.readlines() if line.strip()]
# Sort references alphabetically (case-insensitive)
references.sort(key=str.lower)
# Write the sorted references back to the file
with open(file_path, "w") as f:
for ref in references:
f.write(ref + "\n")
print("References sorted successfully.")
except Exception as e:
print(f"Error sorting references: {e}")
if __name__ == "__main__":
print("Archiving references ...\n")
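Review bot: `sort_references` catches every `Exception`, prints it and returns normally, so an unreadable or unwritable `rule-references.txt` leaves the script exiting with status 0 and the caller in `__main__` has no way to tell that sorting failed; let the error propagate (or return a bool the caller checks) so CI surfaces it. Because `open(file_path, "w")` truncates the file before the loop writes it back, an exception raised during the write leaves a partially written references file; writing to a temporary file in the same directory and renaming it over the original avoids that. Two smaller points: `references.sort(key=str.lower)` keeps duplicate entries, so if the archiver can append a URL that is already present, `sorted(set(references), key=str.lower)` would also deduplicate; and both `open` calls should pass `encoding="utf-8"` so the result does not depend on the runner's locale.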
@@ -124,6 +145,10 @@ if __name__ == "__main__":
f.write(ref)
f.write("\n")
# Sort the references alphabetically at the end
print("Sorting references...")
sort_references("tests/rule-references.txt")
# Write markdown output to open the issue
with open(".github/latest_archiver_output.md", "w") as f:
f.write(f"# Reference Archiver Results\n\n")
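Review bot: `sort_references("tests/rule-references.txt")` runs right after the preceding `with` block has written the file, which works only because that block has closed `f` by then; consider holding the path in one module-level constant used by both the writer and this call so the two literals cannot drift apart. Since `sort_references` reports failures only via `print`, a failed sort does not stop the script from writing `.github/latest_archiver_output.md`, and the issue is opened as if everything succeeded; surface the sort result in that markdown or abort before it. Unrelated context nit: `f.write(f"# Reference Archiver Results\n\n")` is an f-string with no placeholders.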