security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
7,749 Commits 1 Branch 57 Tags
f00aaf8461f97abec19f81aa4fc0edaa76ff6cf1
Commit Graph

108 Commits

Author SHA1 Message Date
phantinuss abf40ecfbc fix: typo in URL 2021-08-31 12:50:11 +02:00
frack113 3eb3377a7b check valid date order 2021-08-26 06:51:37 +02:00
frack113 a4021842de Fix invalid tags 2021-08-25 09:15:57 +02:00
frack113 5b869a3f42 Update cve tags 2021-08-24 10:50:01 +02:00
frack113 c2302a15da fix cve tags 2021-08-24 10:10:45 +02:00
Austin Songer e039f91272 Spelling 2021-08-18 19:00:57 +00:00
frack113 76d956e110 update test_missing_id 2021-08-16 18:12:17 +02:00
frack113 3900ba9e2c add license test 2021-08-14 19:42:29 +02:00
frack113 db0de126a5 test author for Detection Rule License 1.1 2021-08-14 19:16:36 +02:00
frack113 e45557316e Fix selection with only 1 element 2021-08-14 09:54:27 +02:00
frack113 5e5ac8479c Add tlp and target Attribute 2021-08-11 14:26:20 +02:00
frack113 e098cdf3a1 fix url ref 2021-08-10 11:07:28 +02:00
frack113 ce17f8e9e2 add test_selection_list_one_value warning only 2021-08-10 10:21:22 +02:00
Florian Roth 9b7be5985e Merge pull request #1773 from phantinuss/master 
Two CobaltStrike BOF rules and a little fix on the local rule test script usage text
 2021-08-05 15:42:47 +02:00
Florian Roth 917b95d8ff fix: bash script bug 2021-07-30 08:51:38 +02:00
Florian Roth 5947dddcd2 feat: print the faulty rule as an error into cmdline 2021-07-30 08:24:06 +02:00
Florian Roth 7c78f40372 Merge pull request #1744 from gliptak/patch-3 
Add yamllint to GHA
 2021-07-28 16:24:33 +02:00
phantinuss 2866a1dbdc fix: change howto to match current state of code 2021-07-28 15:13:55 +02:00
frack113 6b076d4360 Add test_optional_author 2021-07-27 19:14:00 +02:00
Gábor Lipták d2592ee0b6 Add yamllint to GHA 
Signed-off-by: Gábor Lipták <gliptak@gmail.com>
 2021-07-26 21:26:16 -04:00
frack113 ffcd3a2112 Add test_optional_related test_optional_fields test_optional_falsepositives 2021-07-24 09:41:04 +02:00
frack113 aff5264096 Add check for status and level 2021-07-22 19:25:51 +02:00
frack113 fe20158f5e Update date and modified test 2021-07-21 18:28:47 +02:00
frack113 50c47a4ed0 check duplicate id 2021-07-17 10:32:29 +02:00
Florian Roth 02bf32ce6c fixed more legal issues 2021-05-15 13:09:08 +02:00
Florian Roth 526ab4f707 feat: trademark test case 2021-05-15 13:02:49 +02:00
jaegeral e1f43f17c2 fixed various spelling errors all over rules and source code 2021-02-24 14:43:13 +00:00
mat b3e36281b5 fix reference field + add test for references in plural form 2020-11-27 10:17:45 +01:00
Florian Roth d3ee1aba66 docs: MITRE ATT&CK(R) trademark references removed or adjusted 
https://github.com/Neo23x0/sigma/issues/1028
 2020-09-30 08:53:52 +02:00
Florian Roth 8970d03f6f Merge pull request #952 from Neo23x0/devel 
feat: Detect duplicate rule tags
 2020-07-28 10:21:59 +02:00
Florian Roth 051e2ce905 feat: detect duplicate tags 2020-07-27 11:37:58 +02:00
Ryan Plas de53a08746 Merge branch 'master' of github.com:Neo23x0/sigma 2020-07-15 10:27:33 -04:00
Florian Roth 71e66ea9ba refactor: tests use live data from MITRE's TAXI service 2020-07-14 17:54:02 +02:00
Florian Roth cf25b9c509 feat: filename test 2020-07-14 12:33:16 +02:00
Florian Roth 495376df77 refactor: references test without warnings for missing refs 2020-07-14 12:33:02 +02:00
Florian Roth bae979f5c7 refactor: ignore sub techniques as long as we do not have a complete list 2020-07-14 11:56:28 +02:00
Ryan Plas 9eb5d8da4d Add logsource attribute rule test 2020-07-13 17:02:28 -04:00
Florian Roth b3e15eea68 fix: nested check 2020-07-13 18:49:00 +02:00
Florian Roth 91c0bea570 fix: typo and reordered 2020-07-13 18:22:47 +02:00
Florian Roth 758f5039b5 fix: no error on rules without references 2020-07-13 18:16:32 +02:00
Florian Roth 8d91659c2a fix: typo in field value 2020-07-13 18:08:00 +02:00
Florian Roth 4c610ec693 feat: test references is list 2020-07-13 18:07:19 +02:00
Florian Roth 87ce5e5745 fix: missing MITRE ATT&CK IDs in test 2020-07-13 16:02:22 +02:00
Florian Roth ab40cdbbd7 fix: missing ATT&CK id 2020-07-01 09:57:35 +02:00
Florian Roth 912ad94771 fix: missing ATT&CK id in tests 2020-06-19 10:00:44 +02:00
Ivan Kirillov 69760f6446 Added subtechniques to MITRE_TECHNIQUES 2020-06-17 11:51:48 -06:00
ecco 327a53c120 add new test for sysmon rules without eventid 2020-05-23 10:25:37 -04:00
ecco 2b89e56054 fix test 2020-05-23 10:03:13 -04:00
Florian Roth 030898ba9c Merge branch 'master' into override-coverage 2020-05-02 14:22:03 +02:00
Maxime Thiebaut 4600bf73dc Update rules to follow the Sigma state specification 
The [Sigma specification's status component](https://github.com/Neo23x0/sigma/wiki/Specification#status-optional) states the following:

> Declares the status of the rule:
>  - stable: the rule is considered as stable and may be used in production systems or dashboards.
>  - test: an almost stable rule that possibly could require some fine tuning.
>  - experimental: an experimental rule that could lead to false results or be noisy, but could also identify interesting events.

However the Sigma Rx YAML specification states the following:

> ```yaml
> status:
>     type: //any
>     of:
>         - type: //str
>           value: stable
>         - type: //str
>           value: testing
>         - type: //str
>           value: experimental
> ```

The specification confuses the `test` and `testing` state. This commit changes the `test` state into the `testing` state which is already used in the code-base:
 - [`sigma/sigma-schema.rx.yml`](https://github.com/Neo23x0/sigma/blob/a805d18bbae60d3e4f291c8a18304104ed2e71c7/sigma-schema.rx.yml#L49)
 - [`sigma/tools/sigma/filter.py`](https://github.com/Neo23x0/sigma/blob/f3c60a63099f80296c8750aaba667e98ac71a4f7/tools/sigma/filter.py#L26)
 - [`sigma/tools/sigmac`](https://github.com/Neo23x0/sigma/blob/4e42bebb3480720966a59528cd8482c6271e603c/tools/sigmac#L98)

Although not modifyable through a PR, the specification should furthermore be updated to use the `testing` state.
 2020-04-24 20:50:31 +02:00