security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,271 Commits 1 Branch 57 Tags
cc8a89b6792ba7671d45c255e3042fba5df7cadf
Commit Graph

146 Commits

Author SHA1 Message Date
Thomas Patzke 6215a694a8 Remove escaping from '\\*' in es-dsl backend 2019-02-02 23:51:11 +01:00
Thomas Patzke 8a0784ad33 Fixed escaping of \\* 2019-02-02 00:18:58 +01:00
Mo Amiri aa37ef2559 extending the qradar backend to allow for timeframe query 2019-01-11 03:33:49 +00:00
Thomas Patzke 73b0c3a25b Fixed wildcard issue for es-dsl backend 
Moved field mapping code into mixin shared by es-qs and es-dsl.
 2018-12-21 14:10:45 +01:00
Thomas Patzke ffd43823cf Fixed wildcard issue in es-qs backend and depending 
See GitHub issue #194. Fix for es-dsl is pending.
 2018-12-19 00:33:12 +01:00
Thomas Patzke 4175d0cdd5 Fixed config and added index field 
* Added index field _index to backend implementation
* Fixed index values in config
 2018-12-10 22:37:39 +01:00
juju4 1f707cb37c Adding Sumologic backend 2018-12-09 17:55:51 -05:00
Thomas Patzke 2091c90538 Fixed ElastAlert *_key options 
* Always use .keyword field instead of analyzed one
* Fixed 'null' value if group field was not set
 2018-12-09 22:33:23 +01:00
Thomas Patzke 246ad7c59a Revert "Fixed wildcards in es-qs backend" 
This reverts commit 49d464f979.

The partial fix for issue #194 broke the generation of many other rules,
see #203.
 2018-12-05 09:07:07 +01:00
Thomas Patzke f9d9d653dc Merge pull request #199 from sisecbe/patch-1 
Distinct count in aggragation function
 2018-12-04 23:42:16 +01:00
Florian Roth 2bf0170956 Merge pull request #202 from tuckner/master 
Fixed backslash escape
 2018-12-03 22:22:53 +01:00
tuckner 2c5c92ab0a fixed backslash escape 2018-12-03 15:09:29 -06:00
lsoumille 50c74b94bc add elastalert backend support 2018-11-23 20:39:15 +01:00
sisecbe c848c473a3 Error when empty fields attribute 2018-11-23 15:37:42 +01:00
sisecbe 31eae25756 Indentation error 2018-11-23 15:20:17 +01:00
sisecbe e43909678e Added the fields attribute parser 
Make a table with the fields present in the fields attribute
 2018-11-23 15:11:12 +01:00
sisecbe c2eb87133d Distinct count in aggragation function 
Added dc() instead of count() when group-by field is present. Because count() doesn't do a distinct count in Splunk. Must be the dc() function instead.
 2018-11-23 15:04:08 +01:00
Thomas Patzke aa1a953a65 Moved node dumping code to generic location 2018-11-21 23:22:38 +01:00
Thomas Patzke 26d888aec3 Removed "not null" handling code 
Feature was removed some time ago.
 2018-11-21 22:56:48 +01:00
Thomas Patzke 9e28669c33 Backend es-qs return quotes on empty or whitespace-only string 2018-11-21 22:29:12 +01:00
Thomas Patzke 49d464f979 Fixed wildcards in es-qs backend 2018-11-20 23:23:54 +01:00
Thomas Patzke 396a030ed1 Removed duplicate code 2018-11-07 22:52:12 +01:00
Thomas Patzke 116a0e9f03 Merge branch 'master' of https://github.com/tuckner/sigma into tuckner-master 2018-11-07 22:27:41 +01:00
Thomas Patzke 5053cc4e95 Fixed optimizing of not conditions with subexpressions 
Optimization pass traversal is cut at ConditionNOT nodes.
 2018-11-07 13:54:45 +01:00
Thomas Patzke a88b1e81ec Optimizer debugging code cleanup 
* Removed commented debugging code
* Output to stdin
* Coverage exception for _dumpNode
 2018-11-07 13:49:08 +01:00
tuckner ca6ba4a85b Added NetWitness backend and tests 2018-10-31 14:24:14 -05:00
tuckner 26f73d60fa Added NetWitness backend and tests 2018-10-31 14:07:59 -05:00
Thomas Patzke eacfaa7460 Check for forbidden null values in list items in Splunk backend 2018-10-27 01:07:03 +02:00
Thomas Patzke 0cc8b77307 Merge branch 'master' of https://github.com/pivotforensics/sigma into pivotforensics-master 2018-10-18 15:56:26 +02:00
ntim e501c4a5b9 Added additional output type 'json' to the xpack-watcher backend which prints each watcher as compress json, one watcher per line 2018-10-17 10:38:56 +02:00
Michael H 5b33713ef8 Quick fix for string formatting bug 2018-10-13 20:21:37 -05:00
Michael H 38ec257f7e Re-doing LogName formatting 2018-10-13 20:18:57 -05:00
Michael H 9f48265eb1 Adding re.sub for LogName that accounts for expression grouping 2018-10-13 20:09:54 -05:00
Michael H aabaa0257b Merge branch 'master' of https://github.com/Neo23x0/sigma 2018-10-06 20:12:15 -05:00
Michael H 4b85a34b34 Added CSV option to powershell backend 2018-10-06 20:08:20 -05:00
Daniel Roethlisberger fc45df144c Improve the comments on the optimizer 2018-10-03 13:44:03 +02:00
Daniel Roethlisberger 87aa1b5521 Move optimizer to sigma.parser.condition to enable it for all backends 2018-10-03 00:24:31 +02:00
Daniel Roethlisberger cd3661b60c Fix optimization of NOT corner cases 2018-10-02 22:48:33 +02:00
Daniel Roethlisberger bed88cf813 Make uniq work for lists within definitions 2018-10-02 22:12:54 +02:00
Daniel Roethlisberger 7165128fa5 Remove None from AST - fixes None-related test failures 2018-10-02 21:44:37 +02:00
Daniel Roethlisberger 2242fc5ac8 Optimize the boolean expressions in the AST before generating output 
Add code optimizing the boolean expressions in the abstract syntax tree
before generating output using the backend.

The main idea behind optimizing the AST is that less repeated terms is
generally better for backend performance.  This is especially relevant
to backends that do not perform any query language optimization down
the road, such as those that generate code.

The following optimizations are currently performed:

-   Removal of empty OR(), AND()
-   OR(X), AND(X)                 =>  X
-   OR(X, X, ...), AND(X, X, ...) =>  OR(X, ...), AND(X, ...)
-   OR(X, OR(Y))                  =>  OR(X, Y)
-   OR(AND(X, ...), AND(X, ...))  =>  AND(X, OR(AND(...), AND(...)))
-   NOT(NOT(X))                   =>  X

A common example for when these suboptimal rules actually occur in
practice is when a rule has multiple alternative detections that are
OR'ed together in the condition, and all of the detections include a
common element, such as the same EventID.

This implementation is not optimized for performance and will perform
poorly on very large expressions.
 2018-10-02 21:14:25 +02:00
Karneades 468af42de5 Add missing event id list handling in PowerShell backend 2018-09-29 14:43:28 +02:00
Karneades c289484c5c Improve default field handling in PowerShell backend 2018-09-29 12:29:44 +02:00
Karneades c66b00356d Add initial version of PowerShell backend 
* Add PowerShell backend
* Add PowerShell config file

State: Work in progress :)

See https://github.com/Neo23x0/sigma/issues/94
 2018-09-23 21:41:48 +02:00
Thomas Patzke f3c60a6309 Added tag filtering to sigmac 2018-09-06 00:57:54 +02:00
Thomas Patzke 7f875af1ca Fixed WDATP backend 
It never generated any output due to missing return in generate()
method.
 2018-09-06 00:31:40 +02:00
James Dickenson 29bed766dd removed re-introduced output class from qradar backend. fixed list handling error. 2018-08-21 22:45:12 -07:00
James Dickenson 468f040c0a Merge branch 'qradar-dev' 2018-08-20 21:54:30 -07:00
James Dickenson 9a61f40cef added support flor flow data in qradar backend 2018-08-16 21:44:17 -07:00
James Dickenson a8d1831382 Added aggregation support for qradar backend 2018-08-13 23:04:10 -07:00