From 5081c210b7bc537121bfaf5c134392c87257c654 Mon Sep 17 00:00:00 2001
From: frack113
Date: Sat, 18 Sep 2021 15:51:05 +0200
Subject: [PATCH 1/4] add simple script
---
tools/sigma/sigma_configurations_check.py | 56 +++++++++++++++++++++++
tools/sigma_configurations_check | 5 ++
2 files changed, 61 insertions(+)
create mode 100644 tools/sigma/sigma_configurations_check.py
create mode 100644 tools/sigma_configurations_check
diff --git a/tools/sigma/sigma_configurations_check.py b/tools/sigma/sigma_configurations_check.py
new file mode 100644
index 000000000..6ab6924e6
--- /dev/null
+++ b/tools/sigma/sigma_configurations_check.py
@@ -0,0 +1,56 @@
+#!/usr/bin/env python3
+# A simple Sigma Configurations checker
+# Copyright frack113
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Lesser General Public License for more details.
+
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program. If not, see .
+
+import sigma.backends.discovery as backends
+import ruamel.yaml
+from pathlib import Path
+
+def main():
+ list_backend =[]
+ for backend in sorted(backends.getBackendList(), key=lambda backend: backend.identifier):
+ list_backend.append(backend.identifier)
+
+ print(f"Valid backend name are {list_backend}")
+ print('result tab:')
+ print('|Name file|Backend|check')
+ print('|---|---|---')
+
+ valid = 0
+ empty = 0
+ faulty = 0
+ yml_files =Path('config/').glob("*.yml")
+ for yml in yml_files:
+ with yml.open("r",encoding="UTF-8") as f:
+ data = ruamel.yaml.load(f,Loader=ruamel.yaml.RoundTripLoader)
+ if 'backends' in data:
+ for backend in data['backends']:
+ if backend in list_backend:
+ print(f"|{yml.name:45} | {backend:30} | OK ")
+ valid += 1
+ else:
+ print(f"|{yml.name:45} | {backend:30} | NOK")
+ faulty += 1
+ else:
+ msg = "no backend set"
+ print(f"|{yml.name:45} | {msg:30} | - ")
+ empty += 1
+
+ print('Summary')
+ print(f'Valid : {valid} Invalid : {faulty} No Backend : {empty}')
+
+if __name__ == "__main__":
+ main()
diff --git a/tools/sigma_configurations_check b/tools/sigma_configurations_check
new file mode 100644
index 000000000..871d3713e
--- /dev/null
+++ b/tools/sigma_configurations_check
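Review bot: `yml_files =Path('config/').glob("*.yml")` is resolved against the process working directory, so unless the checker is launched from `tools/` the glob yields nothing, the loop never runs, and the script prints a clean `Valid : 0 Invalid : 0 No Backend : 0` instead of failing; the patch-4 hunk keeps the same line. Since the module is added at tools/sigma/ and the configurations live in tools/config/, anchor the path on the module itself: `yml_files = (Path(__file__).resolve().parents[1] / 'config').glob("*.yml")`. It would also help to count the files visited and print a warning when the count is zero, so an empty or mislocated directory cannot pass as a clean run.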
@@ -0,0 +1,5 @@
+#!/usr/bin/env python3
+
+from sigma.sigma_configurations_check import main
+
+main()
From 365db5abbc371d5acc186aa7db21d08dd704879a Mon Sep 17 00:00:00 2001
From: frack113
Date: Sat, 18 Sep 2021 15:54:08 +0200
Subject: [PATCH 2/4] fix bad elasticsearch-rule
---
tools/config/ecs-auditd.yml | 1 -
tools/config/ecs-dns.yml | 2 +-
tools/config/ecs-filebeat.yml | 1 -
tools/config/ecs-zeek-corelight.yml | 2 +-
tools/config/ecs-zeek-elastic-beats-implementation.yml | 1 -
tools/config/logstash-zeek-default-json.yml | 2 +-
tools/config/winlogbeat-modules-enabled.yml | 1 -
7 files changed, 3 insertions(+), 7 deletions(-)
diff --git a/tools/config/ecs-auditd.yml b/tools/config/ecs-auditd.yml
index c5c9a0cc2..00c1c9398 100644
--- a/tools/config/ecs-auditd.yml
+++ b/tools/config/ecs-auditd.yml
@@ -11,7 +11,6 @@ backends:
 - xpack-watcher
 - elastalert
 - elastalert-dsl
- - elasticsearch-rule
 - ee-outliers
 logsources:
diff --git a/tools/config/ecs-dns.yml b/tools/config/ecs-dns.yml
index aaa8e636a..c0c1f53be 100644
--- a/tools/config/ecs-dns.yml
+++ b/tools/config/ecs-dns.yml
@@ -3,7 +3,7 @@ order: 20
 backends:
 - es-qs
 - es-dsl
- - elasticsearch-rule
+ - es-rule
 - kibana
 - kibana-ndjson
 - xpack-watcher
diff --git a/tools/config/ecs-filebeat.yml b/tools/config/ecs-filebeat.yml
index dd85cc7a7..17d9990d7 100644
--- a/tools/config/ecs-filebeat.yml
+++ b/tools/config/ecs-filebeat.yml
@@ -11,7 +11,6 @@ backends:
 - xpack-watcher
 - elastalert
 - elastalert-dsl
- - elasticsearch-rule
 - ee-outliers
 defaultindex: filebeat-*
diff --git a/tools/config/ecs-zeek-corelight.yml b/tools/config/ecs-zeek-corelight.yml
index 5bf7dab3b..8fd59d94e 100644
--- a/tools/config/ecs-zeek-corelight.yml
+++ b/tools/config/ecs-zeek-corelight.yml
@@ -5,7 +5,7 @@ backends:
 - es-qs
 - corelight_es-qs
 - es-dsl
- - elasticsearch-rule
+ - es-rule
 - corelight_elasticsearch-rule
 - kibana
 - kibana-ndjson
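Review bot: The ecs-auditd.yml hunk deletes `elasticsearch-rule` outright, and the ecs-filebeat.yml hunk here and the winlogbeat-modules-enabled.yml hunk in the following chunk do the same, whereas the ecs-dns.yml, ecs-zeek-corelight.yml and logstash-zeek-default-json.yml hunks replace it with `- es-rule`. The hunk context starts at line 11 and does not show the top of those `backends` lists, so if `es-rule` is not already present there, those three configurations lose the rule backend instead of being corrected the way ecs-zeek-elastic-beats-implementation.yml (which already lists `es-rule`) is. Please confirm and use `- es-rule` in place of the deletion where it is missing. The ecs-zeek-corelight.yml hunk also leaves `corelight_elasticsearch-rule` beside the renamed entry; running the new checker's backend listing against it would settle whether that name is valid.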
diff --git a/tools/config/ecs-zeek-elastic-beats-implementation.yml b/tools/config/ecs-zeek-elastic-beats-implementation.yml
index c79b4e892..9aeae994d 100644
--- a/tools/config/ecs-zeek-elastic-beats-implementation.yml
+++ b/tools/config/ecs-zeek-elastic-beats-implementation.yml
@@ -4,7 +4,6 @@ backends:
 - es-qs
 - es-dsl
 - es-rule
- - elasticsearch-rule
 - kibana
 - kibana-ndjson
 - xpack-watcher
diff --git a/tools/config/logstash-zeek-default-json.yml b/tools/config/logstash-zeek-default-json.yml
index e6b1d14ee..c4332f327 100644
--- a/tools/config/logstash-zeek-default-json.yml
+++ b/tools/config/logstash-zeek-default-json.yml
@@ -3,7 +3,7 @@ order: 20
 backends:
 - es-qs
 - es-dsl
- - elasticsearch-rule
+ - es-rule
 - kibana
 - kibana-ndjson
 - xpack-watcher
diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml
index e43f5ef51..d46dd2051 100644
--- a/tools/config/winlogbeat-modules-enabled.yml
+++ b/tools/config/winlogbeat-modules-enabled.yml
@@ -11,7 +11,6 @@ backends:
 - xpack-watcher
 - elastalert
 - elastalert-dsl
- - elasticsearch-rule
 - ee-outliers
 logsources:
 windows:
From 72d301ba206b8de2a1efe4cd27f9be7ae29a3022 Mon Sep 17 00:00:00 2001
From: frack113
Date: Sat, 18 Sep 2021 15:55:01 +0200
Subject: [PATCH 3/4] remove bad cb
---
tools/config/carbon-black-eedr.yml | 1 -
tools/config/carbon-black.yml | 1 -
2 files changed, 2 deletions(-)
diff --git a/tools/config/carbon-black-eedr.yml b/tools/config/carbon-black-eedr.yml
index 0e7c4fff6..ae17afb8d 100644
--- a/tools/config/carbon-black-eedr.yml
+++ b/tools/config/carbon-black-eedr.yml
@@ -2,7 +2,6 @@ title: CarbonBlack Enterprise EDR
 order: 20
 backends:
 - carbonblack
- - cb
 fieldmappings:
 AccountName:
 - process_username
diff --git a/tools/config/carbon-black.yml b/tools/config/carbon-black.yml
index aaf7ae18a..56e33f8ed 100644
--- a/tools/config/carbon-black.yml
+++ b/tools/config/carbon-black.yml
@@ -2,7 +2,6 @@ title: CarbonBlack field mapping
 order: 20
 backends:
 - carbonblack
- - cb
 fieldmappings:
 AccountName: username
 CommandLine: cmdline
From 88a59be69c2e8fbd00ef26762ee909b1ff012f04 Mon Sep 17 00:00:00 2001
From: frack113
Date: Sat, 18 Sep 2021 18:13:16 +0200
Subject: [PATCH 4/4] Add options and return error code
---
tools/sigma/sigma_configurations_check.py | 85 ++++++++++++++++-------
1 file changed, 59 insertions(+), 26 deletions(-)
diff --git a/tools/sigma/sigma_configurations_check.py b/tools/sigma/sigma_configurations_check.py
index 6ab6924e6..80d52d6bd 100644
--- a/tools/sigma/sigma_configurations_check.py
+++ b/tools/sigma/sigma_configurations_check.py
@@ -18,39 +18,72 @@
 import sigma.backends.discovery as backends
 import ruamel.yaml
 from pathlib import Path
-
+from argparse import ArgumentParser
+import sys
+import csv
+
 def main():
+ argparser = ArgumentParser(description="A simple Sigma Configurations checker")
+ argparser.add_argument("--verify", "-V", action="store_true", help="Verify if configuration file have valid backend name")
+ argparser.add_argument("--sumary", "-s", action="store_true", help="Give some information.")
+ argparser.add_argument("--error", "-e", action="store_true", help="Exit with error code 10 on verification failures.")
+ argparser.add_argument("--output", "-o", default=None, help="Output csv file")
+ args = argparser.parse_args()
+
+ passed = True
+
 list_backend =[]
 for backend in sorted(backends.getBackendList(), key=lambda backend: backend.identifier):
 list_backend.append(backend.identifier)
- print(f"Valid backend name are {list_backend}")
- print('result tab:')
- print('|Name file|Backend|check')
- print('|---|---|---')
+ if args.sumary:
+ print(f"Backend found :\n{list_backend}\n")
- valid = 0
- empty = 0
- faulty = 0
- yml_files =Path('config/').glob("*.yml")
- for yml in yml_files:
- with yml.open("r",encoding="UTF-8") as f:
- data = ruamel.yaml.load(f,Loader=ruamel.yaml.RoundTripLoader)
- if 'backends' in data:
- for backend in data['backends']:
- if backend in list_backend:
- print(f"|{yml.name:45} | {backend:30} | OK ")
- valid += 1
- else:
- print(f"|{yml.name:45} | {backend:30} | NOK")
- faulty += 1
- else:
- msg = "no backend set"
- print(f"|{yml.name:45} | {msg:30} | - ")
- empty += 1
+ if args.verify:
+ csv_lst = []
+ valid = 0
+ empty = 0
+ faulty = 0
+ yml_files =Path('config/').glob("*.yml")
+ for yml in yml_files:
+ print(f"Check configurations file : {yml.name}")
+ with yml.open("r",encoding="UTF-8") as f:
+ data = ruamel.yaml.load(f,Loader=ruamel.yaml.RoundTripLoader)
+ if 'backends' in data:
+ for backend in data['backends']:
+ if backend in list_backend:
+ csv_lst.append([yml.name,backend,'OK'])
+ valid += 1
+ else:
+ csv_lst.append([yml.name,backend,'NOK'])
+ faulty += 1
+ passed = False
+ else:
+ csv_lst.append([yml.name,"no backends section",'-'])
+ empty += 1
+ #passed = False
+ #Should not be but not sure
+
+ if args.sumary:
+ print('-------')
+ print('Summary')
+ print(f'Valid backend name: {valid}\nInvalid backend name: {faulty}\nFile with no Backend: {empty}')
+ print('-------')
- print('Summary')
- print(f'Valid : {valid} Invalid : {faulty} No Backend : {empty}')
+ if args.output:
+ with open(args.output, 'w', newline='') as csvfile:
+ spamwriter = csv.writer(csvfile, delimiter=';',quotechar='|', quoting=csv.QUOTE_MINIMAL)
+ spamwriter.writerow(['Configurations Name','Backend Name','Result'])
+ for row in csv_lst:
+ spamwriter.writerow(row)
+
+ if not passed:
+ print("**************************************")
+ print("Some Configurations file are not valid")
+ print("**************************************")
+ if args.error:
+ exit(10)
+
 if __name__ == "__main__":
 main()
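Review bot: `exit(10)` at the end of the hunk relies on the `exit` helper that the `site` module injects into builtins, which is absent under `python -S` and not intended for scripts; the hunk adds `import sys` and uses it nowhere else, so this should be `sys.exit(10)`. In the same hunk `if 'backends' in data:` raises TypeError for a configuration file that is empty or contains only comments, because `ruamel.yaml.load` then returns None; `if data and 'backends' in data:` routes such a file to the existing "no backends section" row instead. Note also that `passed` can only become False inside the `--verify` branch, so `--error` without `--verify` always exits 0, and that `Path('config/')` remains relative to the working directory (see the note on the patch-1 hunk). `--sumary` is a typo for `--summary`; renaming the option before anything scripts against it is cheaper than doing so later.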