Merge pull request #2357 from redsand/hawk_backend_fix_added_double_backslash_from_sigmac

Fixing the extra backslashes that are generated by the sigma backend
Florian Roth
2021-12-01 15:11:32 +01:00
committed by GitHub
+30 -22
@@ -61,6 +61,7 @@ class HAWKBackend(SingleTextQueryBackend):
def generateNode(self, node, notNode=False):
#print(type(node))
#print(node)
#print("Not: ", notNode)
if type(node) == sigma.parser.condition.ConditionAND:
return self.generateANDNode(node, notNode)
elif type(node) == sigma.parser.condition.ConditionOR:
@@ -95,6 +96,8 @@ class HAWKBackend(SingleTextQueryBackend):
nodeRet['description'] = key
nodeRet['rule_id'] = str(uuid.uuid4())
value = self.generateValueNode(node, False).replace("*", "EEEESTAREEE")
if value[-2:] == "\\\\":
value = value[:-2]
value = re.escape(value)
value = value.replace("EEEESTAREEE", ".*")
if value[0:2] == ".*":
@@ -110,16 +113,6 @@ class HAWKBackend(SingleTextQueryBackend):
raise TypeError("Node type %s was not expected in Sigma parse tree" % (str(type(node))))
def generateANDNode(self, node, notNode=False):
"""
generated = [ self.generateNode(val) for val in node ]
filtered = [ g for g in generated if g is not None ]
if filtered:
if self.sort_condition_lists:
filtered = sorted(filtered)
return self.andToken.join(filtered)
else:
return None
"""
ret = { "id" : "and", "key": "And", "children" : [ ] }
generated = [ self.generateNode(val, notNode) for val in node ]
filtered = [ g for g in generated if g is not None ]
@@ -127,7 +120,6 @@ class HAWKBackend(SingleTextQueryBackend):
if self.sort_condition_lists:
filtered = sorted(filtered)
ret['children'] = filtered
# return json.dumps(ret)# self.orToken.join(filtered)
return ret
else:
return None
@@ -187,7 +179,7 @@ class HAWKBackend(SingleTextQueryBackend):
nodeRet['description'] = key
if key.lower() in ("logname","source"):
self.logname = value
elif type(value) == str and "*" in value:
if type(value) == str and "*" in value:
value = value.replace("*", "EEEESTAREEE")
value = re.escape(value)
value = value.replace("EEEESTAREEE", ".*")
@@ -199,32 +191,44 @@ class HAWKBackend(SingleTextQueryBackend):
nodeRet["args"]["comparison"]["value"] = "!="
else:
nodeRet['args']['comparison']['value'] = "="
if value[-2:] == "\\\\":
value = value[:-2]
nodeRet['args']['str']['value'] = value
nodeRet['args']['str']['regex'] = "true"
# return "%s regex %s" % (self.cleanKey(key), self.generateValueNode(value, True))
#return json.dumps(nodeRet)
return nodeRet
elif type(value) is str:
#return self.mapExpression % (self.cleanKey(key), self.generateValueNode(value, True))
if notNode:
nodeRet["args"]["comparison"]["value"] = "!="
else:
nodeRet['args']['comparison']['value'] = "="
nodeRet['args']['str']['value'] = value
# return json.dumps(nodeRet)
return nodeRet
elif type(value) is int:
nodeRet['return'] = "int"
nodeRet['args']['int'] = { "value" : value }
if notNode:
nodeRet["args"]["comparison"]["value"] = "!="
else:
nodeRet['args']['comparison']['value'] = "="
del nodeRet['args']['str']
#return self.mapExpression % (self.cleanKey(key), self.generateValueNode(value, True))
#return json.dumps(nodeRet)
return nodeRet
else:
#return self.mapExpression % (self.cleanKey(key), self.generateNode(value))
nodeRet['args']['str']['value'] = value
if notNode:
nodeRet["args"]["comparison"]["value"] = "!="
else:
nodeRet['args']['comparison']['value'] = "="
#return json.dumps(nodeRet)
return nodeRet
elif type(value) == list:
return self.generateMapItemListNode(key, value, notNode)
elif isinstance(value, SigmaTypeModifier):
return self.generateMapItemTypedNode(key, value)
return self.generateMapItemTypedNode(key, value, notNode)
elif value is None:
#return self.nullExpression % (key, )
#print("Performing null")
@@ -253,6 +257,10 @@ class HAWKBackend(SingleTextQueryBackend):
nodeRet['key'] = self.cleanKey(key).lower()
nodeRet['description'] = key
nodeRet['rule_id'] = str(uuid.uuid4())
if notNode:
nodeRet['args']['comparison']['value'] = "!="
else:
nodeRet['args']['comparison']['value'] = "="
if item is None:
nodeRet['args']['str']['value'] = 'null'
ret['children'].append( nodeRet )
@@ -264,12 +272,15 @@ class HAWKBackend(SingleTextQueryBackend):
item = item[2:]
if item[-2:] == ".*":
item = item[:-2]
nodeRet['args']['str']['value'] = item # self.generateValueNode(item, True)
if item[-2:] == "\\\\":
item = item[:-2]
nodeRet['args']['str']['value'] = item
nodeRet['args']['str']['regex'] = "true"
if notNode:
nodeRet["args"]["comparison"]["value"] = "!="
else:
nodeRet['args']['comparison']['value'] = "="
#print(item)
ret['children'].append( nodeRet )
else:
nodeRet['args']['str']['value'] = self.generateValueNode(item, True)
@@ -292,6 +303,9 @@ class HAWKBackend(SingleTextQueryBackend):
value = value[2:]
if value[-2:] == ".*":
value = value[:-2]
# print(value)
if value[-2:] == "\\\\":
value = value[:-2]
nodeRet['args']['str']['value'] = value
nodeRet['args']['str']['regex'] = "true"
if notNode:
@@ -534,12 +548,6 @@ class HAWKBackend(SingleTextQueryBackend):
def generateQuery(self, parsed, sigmaparser):
self.sigmaparser = sigmaparser
result = self.generateNode(parsed.parsedSearch)
"""
if any("flow" in i for i in self.parsedlogsource):
aql_database = "flows"
else:
aql_database = "events"
"""
prefix = ""
ret = '[ { "id" : "and", "key": "And", "children" : ['
ret2 = ' ] } ]'
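Review bot: The trailing-backslash strip `if value[-2:] == "\\\\": value = value[:-2]` is pasted four times with two different meanings: in the `generateNode` hunk (-95,6 +96,8) it runs before `re.escape`, so it drops two literal backslash characters from the raw value, while in the three later hunks (-199,32 +191,44 at `nodeRet['args']['str']['value'] = value`, -264,12 +272,15, -292,6 +303,9) it runs after `re.escape`, where `\\` is the escaped form of a single backslash. The post-escape variant therefore removes any genuine trailing backslash from the emitted regex, so a value that ends in a path separator no longer requires it when matched; if that is intended, a comment should say so, and if not, the earlier guard should be mirrored there. I would hoist the check into one helper so the representation it operates on is explicit, e.g. `def _strip_trailing_backslash(self, value):` / `"""Drop a trailing escaped backslash (two chars) left by escaping; input must already be re.escape'd."""` / `return value[:-2] if value[-2:] == "\\\\" else value`, and call it at the four sites. The functions containing these hunks start and end outside the visible hunks, and I have not verified from the page which value the parser actually emits, so the description of the pre-escape case is inferred from line order.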