From daf7ab5ff71c48aec9fab29a70c62a3fec310768 Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Sun, 24 May 2020 22:41:38 +0200
Subject: [PATCH] Cleanup: removal of corelight_* backends

---
 Makefile | 1 -
 tools/sigma/backends/base.py | 30 ---------------------------
 tools/sigma/backends/elasticsearch.py | 19 +----------------
 tools/sigma/backends/splunk.py | 8 +------
 4 files changed, 2 insertions(+), 56 deletions(-)

diff --git a/Makefile b/Makefile
index 7a2483fe5..1d36cd903 100644
--- a/Makefile
+++ b/Makefile
@@ -32,7 +32,6 @@ test-sigmac:
 $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t elastalert-dsl -c tools/config/winlogbeat.yml -O alert_methods=http_post,email -O emails=test@test.invalid -O http_post_url=http://test.invalid rules/ > /dev/null
 $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ee-outliers -c tools/config/winlogbeat.yml rules/ > /dev/null
 $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-qs -c tools/config/ecs-cloudtrail.yml rules/ > /dev/null
- $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t corelight_es-qs -c tools/config/ecs-zeek-corelight.yml rules/ > /dev/null
 $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-rule -c tools/config/ecs-cloudtrail.yml rules/ > /dev/null
 $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t kibana -c tools/config/ecs-cloudtrail.yml rules/ > /dev/null
 $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t xpack-watcher -c tools/config/ecs-cloudtrail.yml rules/ > /dev/null
diff --git a/tools/sigma/backends/base.py b/tools/sigma/backends/base.py
index 3db2f0e1c..1ef7e175a 100644
--- a/tools/sigma/backends/base.py
+++ b/tools/sigma/backends/base.py
@@ -328,33 +328,3 @@ class SingleTextQueryBackend(RulenameCommentMixin, BaseBackend, QuoteCharMixin):
 transformed from the original name given in the Sigma rule.
 """
 return fieldname
-
-class CorelightQueryBackend:
- def generate(self, sigmaparser):
- lgs = sigmaparser.parsedyaml.get("logsource")
- allow_types = {
- 'category':
- [
- 'proxy', 'firewall', 'webserver', 'accounting', 'dns'
- ],
- 'product':
- [
- 'zeek', 'apache', 'netflow', 'firewall'
- ],
- 'service': [
- 'radius', 'kerberos', 'pe', 'ntlm', 'sip', 'syslog', 'ntp',
- 'mqtt_subscribe', 'smb_files', 'irc', 'http2', 'rfb',
- 'tunnel', 'socks', 'mqtt_publish', 'network', 'weird',
- 'known_certs', 'traceroute', 'modbus', 'smtp_links',
- 'ssl', 'known_hosts', 'software', 'smtp', 'tls', 'intel',
- 'ssh', 'dce_rpc', 'x509', 'known_services', 'http', 'files',
- 'gquic', 'ftp', 'dns', 'conn', 'dnp3', 'rdp', 'dpd',
- 'known_modbus', 'conn_long', 'modbus_register_change',
- 'mqtt_connect', 'pop3', 'mysql', 'notice', 'snmp', 'smb_mapping'
- ]
- }
- for logsource_type, value in lgs.items():
- if allow_types.get(logsource_type) and value.lower() in allow_types.get(logsource_type):
- return super().generate(sigmaparser)
- lgs_text = ", ".join(["%s: %s" % (key, lgs.get(key)) for key in lgs.keys()])
- raise NotSupportedError("Corelight backend not supported logsources: %s." % lgs_text)
diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py
index 7a298c3cf..88cdd9c6c 100644
--- a/tools/sigma/backends/elasticsearch.py
+++ b/tools/sigma/backends/elasticsearch.py
@@ -27,7 +27,7 @@ from sigma.parser.modifiers.type import SigmaRegularExpressionModifier, SigmaTyp
 from sigma.parser.condition import ConditionOR, ConditionAND, NodeSubexpression
 from sigma.config.mapping import ConditionalFieldMapping
-from .base import BaseBackend, SingleTextQueryBackend, CorelightQueryBackend
+from .base import BaseBackend, SingleTextQueryBackend
 from .mixins import RulenameCommentMixin, MultiRuleOutputMixin
 from .exceptions import NotSupportedError
@@ -298,11 +298,6 @@ class ElasticsearchQuerystringBackend(DeepFieldMappingMixin, ElasticsearchWildca
 else:
 return super().generateSubexpressionNode(node)
-
-class ElasticsearchCorelightBackend(CorelightQueryBackend, ElasticsearchQuerystringBackend):
- identifier = "corelight_es-qs"
-
-
 class ElasticsearchDSLBackend(DeepFieldMappingMixin, RulenameCommentMixin, ElasticsearchWildcardHandlingMixin, BaseBackend):
 """ElasticSearch DSL backend"""
 identifier = 'es-dsl'
@@ -662,11 +657,6 @@ class KibanaBackend(ElasticsearchQuerystringBackend, MultiRuleOutputMixin):
 def index_variable_name(self, index):
 return "index_" + index.replace("-", "__").replace("*", "X")
-
-class KibanaCorelightBackend(CorelightQueryBackend, KibanaBackend):
- identifier = "corelight_kibana"
-
-
 class XPackWatcherBackend(ElasticsearchQuerystringBackend, MultiRuleOutputMixin):
 """Converts Sigma Rule into X-Pack Watcher JSON for alerting"""
 identifier = "xpack-watcher"
@@ -973,10 +963,6 @@ class XPackWatcherBackend(ElasticsearchQuerystringBackend, MultiRuleOutputMixin)
 raise NotImplementedError("Output type '%s' not supported" % self.output_type)
 return result
-class XPackWatcherCorelightBackend(CorelightQueryBackend, XPackWatcherBackend):
- identifier = "corelight_xpack-watcher"
-
-
 class ElastalertBackend(DeepFieldMappingMixin, MultiRuleOutputMixin):
 """Elastalert backend"""
 active = True
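Review bot: Nothing in this patch updates the places that still refer to the retired `corelight_*` identifiers, even though this import change and the deleted subclasses below (`corelight_es-qs`, `corelight_kibana`, `corelight_xpack-watcher`, `corelight_elasticsearch-rule`, and `corelight_splunk` in splunk.py) make them unknown to sigmac. The Makefile hunk drops the coverage run that passed `tools/config/ecs-zeek-corelight.yml` with `-c`, but that config file itself is not touched; if it existed only to serve these backends it should go in the same cleanup, otherwise a field mapping with no consumer stays in the tree. Presumably the README or docs also list the backend identifiers; if so, users who follow them will now get an unexplained unknown-backend error, so that list should be updated alongside this commit.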
@@ -1334,6 +1320,3 @@ class ElasticSearchRuleBackend(ElasticsearchQuerystringBackend):
 if references:
 rule.update({"references": references})
 return json.dumps(rule)
-
-class ElasticSearchRuleCorelightBackend(CorelightQueryBackend, ElasticSearchRuleBackend):
- identifier = "corelight_elasticsearch-rule"
diff --git a/tools/sigma/backends/splunk.py b/tools/sigma/backends/splunk.py
index 3efb3d2b5..75658343a 100644
--- a/tools/sigma/backends/splunk.py
+++ b/tools/sigma/backends/splunk.py
@@ -16,7 +16,7 @@ import re
 import sigma
-from .base import SingleTextQueryBackend, CorelightQueryBackend
+from .base import SingleTextQueryBackend
 from .mixins import MultiRuleOutputMixin
 class SplunkBackend(SingleTextQueryBackend):
@@ -172,12 +172,6 @@ class SplunkXMLBackend(SingleTextQueryBackend, MultiRuleOutputMixin):
 self.queries += self.dash_suf
 return self.queries
-
-class SplunkCorelightBackend(CorelightQueryBackend, SplunkBackend):
- identifier = "corelight_splunk"
-
-
-
 class CrowdStrikeBackend(SplunkBackend):
 """Converts Sigma rule into CrowdStrike Search Processing Language (SPL)."""
 identifier = "crowdstrike"