Example:

-O: attackMapFile: It's used to set subFunction in XML rule. It's a map of subFunction and tags.attack in YML file. ruleIndex: It's used to set rule id in XML rule. The format of rule id is PH_Rule_{ruleType}_SIGMA_{ruleIndex} ruleType: It's used to set rule id in XML rule. 1. Generate rule for one YML file a. tools/sigmac -t fortisiem -c fortisiem-windows rules/windows/network_connection/win_net_python.yml b. tools/sigmac -t fortisiem -c fortisiem-windows -O attackMapFile=/opt/phoenix/data-definition/MITRE-Attack-matrix.csv -O ruleIndex=0 -O ruleType=Windows rules/windows/network_connection/win_net_python.yml Output: <Rule group="PH_SYS_RULE_THREAT_HUNTING" id="PH_Rule_Windows_SIGMA_0" phIncidentCategory="Server" function="Security" subFunction="Discovery" technique="T1046"> <Name>Python Initiated Connection </Name> <IncidentTitle>Python Initiated Connection</IncidentTitle> <active>true</active> <Description> Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation </Description> <SigmaFileName> rules/windows/network_connection/win_net_python.yml </SigmaFileName> <CustomerScope groupByEachCustomer="true"> <Include all="true"/> <Exclude/> </CustomerScope> <IncidentDef eventType="PH_RULE_Python_Initiated_Connection" severity="7"> <ArgList> compEventType = Filter.eventType,hostName = Filter.hostName,isInitialed = Filter.isInitialed,procName = Filter.procName </ArgList> </IncidentDef> <PatternClause window="300"> <SubPattern displayName="Filter" name="Filter"> <SingleEvtConstr> eventType REGEXP ( "Win-Sysmon-3-Network-Connect.*" ) AND isInitialed="true" AND procName REGEXP ( ".*python.*" ) </SingleEvtConstr> <GroupByAttr> eventType,hostName,isInitialed,procName </GroupByAttr> <GroupEvtConstr> COUNT(*) >= 1 </GroupEvtConstr> </SubPattern> </PatternClause> <TriggerEventDisplay> <AttrList> phRecvTime,hostName,isInitialed,procName,rawEventMsg </AttrList> </TriggerEventDisplay> </Rule> 2. Generate rules for YML files under rules/windows a. tools/sigmac -t fortisiem -c fortisiem-windows -r rules/windows -o rule.xml b. tools/sigmac -t fortisiem -c fortisiem-windows -r rules/windows -O attackMapFile=/opt/phoenix/data-definition/MITRE-Attack-matrix.csv -O ruleIndex=0 -O ruleType=Windows -o rule.xml Generate rules for YML files under rules/windows 3. Find files that is modified after some date. a. tools/sigmac --lists-files-after-date 2020/06/04 rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml b. tools/sigmac --lists-files-after-date 2020/06/04 -r rules/windows/ Output: rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml, Updated rules/windows/wmi_event/TestFile.yml, No date
2022-02-14 15:03:41 -08:00
parent 0b263fec2a
commit b2f29afccb
3 changed files with 35 additions and 3 deletions
@@ -41,4 +41,4 @@ falsepositives:
 level: high
 tags:
    - attack.execution
-    - attack.t1059.005
+    - attack.t1059.005
@@ -743,8 +743,7 @@ class FortisemBackend(RulenameCommentMixin, BaseBackend, QuoteCharMixin):

        res,errMsg = self.generateEvtConstrForOneLogsource(sigmaparser);
        if errMsg is not None:
-            print(self.ymlFileName)
-            print(errMsg)
+            print("%s, %s" % (self.ymlFileName, errMsg))
            return None

        result.add(res)
@@ -35,6 +35,8 @@ from sigma.backends.exceptions import BackendError, NotSupportedError, PartialMa
 from sigma.parser.modifiers import modifiers
 import codecs
 import copy
+import time
+import datetime

 sys.stdout = codecs.getwriter('utf-8')(sys.stdout.detach())

@@ -111,6 +113,7 @@ def set_argparser():
            """)
    argparser.add_argument("--target", "-t", choices=backends.getBackendDict().keys(), help="Output target format")
    argparser.add_argument("--lists", "-l", action="store_true", help="List available output target formats and configurations")
+    argparser.add_argument("--lists-files-after-date", "-L",help="List yml files  which is modified/created after the date (Example of the date: 2022/02/01).")
    argparser.add_argument("--config", "-c", action="append", help="Configurations with field name and index mapping for target environment. Multiple configurations are merged into one. Last config is authoritative in case of conflicts.")
    argparser.add_argument("--output", "-o", default=None, help="Output file or filename prefix (if end with a '_','/' or '\\')")
    argparser.add_argument("--output-fields", "-of", help="""Enhance your output with additional fields from the Sigma rule (not only the converted rule itself). 
@@ -148,6 +151,32 @@ def list_modifiers(modifiers):
    for modifier_id, modifier in modifiers.items():
        print("{:>10} : {}".format(modifier_id, modifier.__doc__))

+def get_fileName_after_date(inputs, recurse, date):
+    #date: 2021/05/06
+    #modified: 2021/11/30
+    dateTime = time.mktime(datetime.datetime.strptime(date, "%Y/%m/%d").timetuple())
+    for sigmafile in get_inputs(inputs, recurse):
+        f = sigmafile.open(encoding='utf-8')
+        yamls = yaml.safe_load_all(f)
+        datestr = None
+        modifiedstr = None
+        for data in yamls:
+            modifiedstr = data.get("modified", None)
+            datestr = data.get("date", None)
+            if not modifiedstr and not datestr:
+                continue;
+
+        if not modifiedstr and not datestr:
+            print("%s, No date" % sigmafile)
+            continue
+
+        if not modifiedstr:
+            modifiedstr = datestr
+
+        modified = time.mktime(datetime.datetime.strptime(modifiedstr, "%Y/%m/%d").timetuple())
+        if modified > dateTime:
+            print("%s, Updated" % sigmafile)
+
 def main():
    argparser = set_argparser()
    cmdargs = argparser.parse_args()
@@ -175,6 +204,10 @@ def main():
        argparser.print_usage()
        sys.exit(0)

+    if cmdargs.lists_files_after_date is not None:
+        get_fileName_after_date(cmdargs.inputs, cmdargs.recurse, cmdargs.lists_files_after_date)
+        sys.exit(0)
+
    if cmdargs.target is None:
        print("No target selected, select one with -t/--target")
        argparser.print_usage()