Cleanup: removal of corelight_* backends
@@ -32,7 +32,6 @@ test-sigmac:
|
||||
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t elastalert-dsl -c tools/config/winlogbeat.yml -O alert_methods=http_post,email -O emails=test@test.invalid -O http_post_url=http://test.invalid rules/ > /dev/null
|
||||
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ee-outliers -c tools/config/winlogbeat.yml rules/ > /dev/null
|
||||
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-qs -c tools/config/ecs-cloudtrail.yml rules/ > /dev/null
|
||||
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t corelight_es-qs -c tools/config/ecs-zeek-corelight.yml rules/ > /dev/null
|
||||
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-rule -c tools/config/ecs-cloudtrail.yml rules/ > /dev/null
|
||||
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t kibana -c tools/config/ecs-cloudtrail.yml rules/ > /dev/null
|
||||
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t xpack-watcher -c tools/config/ecs-cloudtrail.yml rules/ > /dev/null
|
||||
|
||||
@@ -328,33 +328,3 @@ class SingleTextQueryBackend(RulenameCommentMixin, BaseBackend, QuoteCharMixin):
|
||||
transformed from the original name given in the Sigma rule.
|
||||
"""
|
||||
return fieldname
|
||||
|
||||
class CorelightQueryBackend:
|
||||
def generate(self, sigmaparser):
|
||||
lgs = sigmaparser.parsedyaml.get("logsource")
|
||||
allow_types = {
|
||||
'category':
|
||||
[
|
||||
'proxy', 'firewall', 'webserver', 'accounting', 'dns'
|
||||
],
|
||||
'product':
|
||||
[
|
||||
'zeek', 'apache', 'netflow', 'firewall'
|
||||
],
|
||||
'service': [
|
||||
'radius', 'kerberos', 'pe', 'ntlm', 'sip', 'syslog', 'ntp',
|
||||
'mqtt_subscribe', 'smb_files', 'irc', 'http2', 'rfb',
|
||||
'tunnel', 'socks', 'mqtt_publish', 'network', 'weird',
|
||||
'known_certs', 'traceroute', 'modbus', 'smtp_links',
|
||||
'ssl', 'known_hosts', 'software', 'smtp', 'tls', 'intel',
|
||||
'ssh', 'dce_rpc', 'x509', 'known_services', 'http', 'files',
|
||||
'gquic', 'ftp', 'dns', 'conn', 'dnp3', 'rdp', 'dpd',
|
||||
'known_modbus', 'conn_long', 'modbus_register_change',
|
||||
'mqtt_connect', 'pop3', 'mysql', 'notice', 'snmp', 'smb_mapping'
|
||||
]
|
||||
}
|
||||
for logsource_type, value in lgs.items():
|
||||
if allow_types.get(logsource_type) and value.lower() in allow_types.get(logsource_type):
|
||||
return super().generate(sigmaparser)
|
||||
lgs_text = ", ".join(["%s: %s" % (key, lgs.get(key)) for key in lgs.keys()])
|
||||
raise NotSupportedError("Corelight backend not supported logsources: %s." % lgs_text)
|
||||
|
||||
@@ -27,7 +27,7 @@ from sigma.parser.modifiers.type import SigmaRegularExpressionModifier, SigmaTyp
|
||||
from sigma.parser.condition import ConditionOR, ConditionAND, NodeSubexpression
|
||||
|
||||
from sigma.config.mapping import ConditionalFieldMapping
|
||||
from .base import BaseBackend, SingleTextQueryBackend, CorelightQueryBackend
|
||||
from .base import BaseBackend, SingleTextQueryBackend
|
||||
from .mixins import RulenameCommentMixin, MultiRuleOutputMixin
|
||||
from .exceptions import NotSupportedError
|
||||
|
||||
@@ -298,11 +298,6 @@ class ElasticsearchQuerystringBackend(DeepFieldMappingMixin, ElasticsearchWildca
|
||||
else:
|
||||
return super().generateSubexpressionNode(node)
|
||||
|
||||
|
||||
class ElasticsearchCorelightBackend(CorelightQueryBackend, ElasticsearchQuerystringBackend):
|
||||
identifier = "corelight_es-qs"
|
||||
|
||||
|
||||
class ElasticsearchDSLBackend(DeepFieldMappingMixin, RulenameCommentMixin, ElasticsearchWildcardHandlingMixin, BaseBackend):
|
||||
"""ElasticSearch DSL backend"""
|
||||
identifier = 'es-dsl'
|
||||
@@ -662,11 +657,6 @@ class KibanaBackend(ElasticsearchQuerystringBackend, MultiRuleOutputMixin):
|
||||
def index_variable_name(self, index):
|
||||
return "index_" + index.replace("-", "__").replace("*", "X")
|
||||
|
||||
|
||||
class KibanaCorelightBackend(CorelightQueryBackend, KibanaBackend):
|
||||
identifier = "corelight_kibana"
|
||||
|
||||
|
||||
class XPackWatcherBackend(ElasticsearchQuerystringBackend, MultiRuleOutputMixin):
|
||||
"""Converts Sigma Rule into X-Pack Watcher JSON for alerting"""
|
||||
identifier = "xpack-watcher"
|
||||
@@ -973,10 +963,6 @@ class XPackWatcherBackend(ElasticsearchQuerystringBackend, MultiRuleOutputMixin)
|
||||
raise NotImplementedError("Output type '%s' not supported" % self.output_type)
|
||||
return result
|
||||
|
||||
class XPackWatcherCorelightBackend(CorelightQueryBackend, XPackWatcherBackend):
|
||||
identifier = "corelight_xpack-watcher"
|
||||
|
||||
|
||||
class ElastalertBackend(DeepFieldMappingMixin, MultiRuleOutputMixin):
|
||||
"""Elastalert backend"""
|
||||
active = True
|
||||
@@ -1334,6 +1320,3 @@ class ElasticSearchRuleBackend(ElasticsearchQuerystringBackend):
|
||||
if references:
|
||||
rule.update({"references": references})
|
||||
return json.dumps(rule)
|
||||
|
||||
class ElasticSearchRuleCorelightBackend(CorelightQueryBackend, ElasticSearchRuleBackend):
|
||||
identifier = "corelight_elasticsearch-rule"
|
||||
|
||||
@@ -16,7 +16,7 @@
|
||||
|
||||
import re
|
||||
import sigma
|
||||
from .base import SingleTextQueryBackend, CorelightQueryBackend
|
||||
from .base import SingleTextQueryBackend
|
||||
from .mixins import MultiRuleOutputMixin
|
||||
|
||||
class SplunkBackend(SingleTextQueryBackend):
|
||||
@@ -172,12 +172,6 @@ class SplunkXMLBackend(SingleTextQueryBackend, MultiRuleOutputMixin):
|
||||
self.queries += self.dash_suf
|
||||
return self.queries
|
||||
|
||||
|
||||
class SplunkCorelightBackend(CorelightQueryBackend, SplunkBackend):
|
||||
identifier = "corelight_splunk"
|
||||
|
||||
|
||||
|
||||
class CrowdStrikeBackend(SplunkBackend):
|
||||
"""Converts Sigma rule into CrowdStrike Search Processing Language (SPL)."""
|
||||
identifier = "crowdstrike"
|
||||
|
||||