7e184f01c6
Removing invalid fieldmapping
2018-10-13 19:53:39 -05:00
bbb67fbba4
Adding support for reading sigma rule from stdin in sigmac
2018-10-07 10:11:47 -05:00
aabaa0257b
Merge branch 'master' of https://github.com/Neo23x0/sigma
2018-10-06 20:12:15 -05:00
4b85a34b34
Added CSV option to powershell backend
2018-10-06 20:08:20 -05:00
e28bc35cad
Apply field mappings in generation of log source condition
2018-10-06 23:38:35 +02:00
fc45df144c
Improve the comments on the optimizer
2018-10-03 13:44:03 +02:00
87aa1b5521
Move optimizer to sigma.parser.condition to enable it for all backends
2018-10-03 00:24:31 +02:00
cd3661b60c
Fix optimization of NOT corner cases
2018-10-02 22:48:33 +02:00
bed88cf813
Make uniq work for lists within definitions
2018-10-02 22:12:54 +02:00
7165128fa5
Remove None from AST - fixes None-related test failures
2018-10-02 21:44:37 +02:00
2242fc5ac8
Optimize the boolean expressions in the AST before generating output
...
Add code optimizing the boolean expressions in the abstract syntax tree
before generating output using the backend.
The main idea behind optimizing the AST is that less repeated terms is
generally better for backend performance. This is especially relevant
to backends that do not perform any query language optimization down
the road, such as those that generate code.
The following optimizations are currently performed:
- Removal of empty OR(), AND()
- OR(X), AND(X) => X
- OR(X, X, ...), AND(X, X, ...) => OR(X, ...), AND(X, ...)
- OR(X, OR(Y)) => OR(X, Y)
- OR(AND(X, ...), AND(X, ...)) => AND(X, OR(AND(...), AND(...)))
- NOT(NOT(X)) => X
A common example for when these suboptimal rules actually occur in
practice is when a rule has multiple alternative detections that are
OR'ed together in the condition, and all of the detections include a
common element, such as the same EventID.
This implementation is not optimized for performance and will perform
poorly on very large expressions.
2018-10-02 21:14:25 +02:00
468af42de5
Add missing event id list handling in PowerShell backend
2018-09-29 14:43:28 +02:00
c289484c5c
Improve default field handling in PowerShell backend
2018-09-29 12:29:44 +02:00
1c2431f33b
Merge pull request #169 from Karneades/fix-aggregation-exeption
...
Add rule filename to "not implemented" exception output
2018-09-26 11:50:25 +02:00
c66b00356d
Add initial version of PowerShell backend
...
* Add PowerShell backend
* Add PowerShell config file
State: Work in progress :)
See https://github.com/Neo23x0/sigma/issues/94
2018-09-23 21:41:48 +02:00
fe6f4c7475
Add rule filename to exception output for unsupported aggregation
2018-09-23 19:12:50 +02:00
1d12fc290c
Added Winlogbeat configuration
2018-09-20 12:08:11 +02:00
2fbf17ff34
Addition and resolution of field mapping chains explicitely checks for list
2018-09-13 16:22:29 +02:00
41a8ef2fd9
Implemented resolve_fieldname in FieldMappingChain
2018-09-13 14:56:31 +02:00
2330306db1
Added merged field mapping and log sources dict to config chain
2018-09-13 14:55:05 +02:00
ba76f04fe6
Merging of raw configurations in configuration chains
2018-09-13 13:49:36 +02:00
d81946df39
Stacked configurations
...
- Added log source rewriting
- Removed log source merging condition type setting
- Simplified SigmaLogsourceConfiguration constructor
- Condition is generated in SigmaParser instead of SigmaLogsourceConfiguration
Missing:
- Merging of raw config dict for backends that rely on this (es-dsl)
2018-09-12 23:40:22 +02:00
210f7ac044
Rewrote logsource definition merging to set generator
2018-09-12 22:29:51 +02:00
f3c60a6309
Added tag filtering to sigmac
2018-09-06 00:57:54 +02:00
7f875af1ca
Fixed WDATP backend
...
It never generated any output due to missing return in generate()
method.
2018-09-06 00:31:40 +02:00
1d7722c1cb
Added configuration and field mapping chains
...
Missing: field name mapping of log source conditions.
2018-08-27 00:17:27 +02:00
29bed766dd
removed re-introduced output class from qradar backend. fixed list handling error.
2018-08-21 22:45:12 -07:00
468f040c0a
Merge branch 'qradar-dev'
2018-08-20 21:54:30 -07:00
9a61f40cef
added support flor flow data in qradar backend
2018-08-16 21:44:17 -07:00
320bb9f8c4
Added rewrite config to generic sysmon configuration
2018-08-14 21:34:54 +02:00
430972231f
Added generic sysmon configuration with process_execution config
2018-08-14 21:34:54 +02:00
a8d1831382
Added aggregation support for qradar backend
2018-08-13 23:04:10 -07:00
dce4b4825d
Fixed aggregations without field name
...
Generated query contained field name "None".
2018-08-10 15:07:07 +02:00
e0b3f91b2a
Removed empty line
2018-08-08 23:15:13 +02:00
f8246e9f49
Removed "not implemented" hints for available options in sigmac
2018-08-04 23:31:29 +02:00
af9f636199
Removal of backend output classes
...
Breaking change: Instead of feeding the output class with the results,
they are now returned as strings (*Backend.generate()) or list
(SigmaCollectionParser.generate()). Users of the library must now take
care of the output to the terminal, files or wherever Sigma rules should
be pushed to.
2018-08-02 22:41:32 +02:00
1c9d0a176e
Moved const_start into class definition
2018-07-28 23:51:33 +02:00
df74460629
Fixed imports after config split
2018-07-27 23:54:18 +02:00
e02af9aa37
Merge config split branches
2018-07-27 23:16:50 +02:00
eb440b3357
Split config - code removal from configuration
2018-07-27 23:02:35 +02:00
36ada66007
Split config - Copy configuration
2018-07-27 23:01:41 +02:00
920c4b061d
Split config - code removal from filter
2018-07-27 22:35:30 +02:00
d235a9e017
Split config - Copy filter
2018-07-27 00:23:22 +02:00
50a6a92d20
Split config - code removal from exceptions
2018-07-27 00:17:35 +02:00
405bc4a0d1
Split config - Copy exception
2018-07-27 00:17:13 +02:00
096bc35447
Split config - code removal from mapping
2018-07-27 00:15:14 +02:00
4ffbb25960
Split config - Copy mapping
2018-07-27 00:13:19 +02:00
1c4c67053c
Fixes for parser split
...
* Fixed imports
* Rename
2018-07-27 00:02:07 +02:00
88a4a5d36a
Merge parser split branches
2018-07-26 23:42:09 +02:00
595327ace4
Split parser - code removal from condition
2018-07-26 23:40:22 +02:00
Michael H