security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1fbd2bba4dcddfa0223a1d34dea893be6d3f9913
blue-team-tools/tools/sigma/parser/modifiers/base.py
T
Thomas Patzke 1bb29dca26 Implemented type modifiers and regular expressions
2019-07-15 22:52:10 +02:00

85 lines
3.3 KiB
Python
Raw Blame History

# Sigma value modifiers
# Copyright 2019 Thomas Patzke, Florian Roth
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
# You should have received a copy of the GNU Lesser General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from enum import Enum, auto
from .exceptions import SigmaModifierValueTypeError
class SigmaModifierTypes(Enum):
NONE = auto()
TRANSFORM = auto()
TYPE = auto()
class SigmaModifier(object):
"""
Value modifier base class. There are two modifier types (with separate base classes):
identifier: identifier string that is used in Sigma rules to use modifier
active: boolean if modifier will be found by autodiscovery (and therefore usable)
modifier_type: type from SigmaModifierTypes enumeration
* Value transformation modifiers: the value or list of values is transformed to a different
value or a list of values. Base class: SigmaValueModifier
* Type modifiers: modify the type of the modifier, e.g. to support regular expressions. The
backend must handle these modifiers accordingly. Base class: SigmaTypeModifier
valid_input_types: list of valid input types. Can be expected Python type (like str, int) or
modifier class. object = don't care about type.
"""
identifier = "base"
active = False
modifier_type = SigmaModifierTypes.NONE
valid_input_types = (object,)
def __init__(self, value):
"""Initialize modifier class. Store value or result of value transformation."""
self.value = value
if not self.validate():
raise SigmaModifierValueTypeError
def validate(self):
"""Validate if modifier is applicable to value. Expects that value is stored in self.value."""
return any(( isinstance(self.value, t) for t in self.valid_input_types ))
def apply(self):
"""
Apply modifier to value. This method can:
* Return a transformed value
* Return a list of values
* Return an object from sigma.parser.condition that replaces the value in the condition tree
* Return a value that is used by dedicated type modifier code in the backend to get a final
query statement (only for type modifiers)
The base method simply returns the stored value.
"""
try:
return self.value.apply()
except AttributeError:
return self.value
class SigmaTransformModifier(SigmaModifier):
"""Transform a value into a different value or a list of values"""
identifier = "tansform_base"
modifier_type = SigmaModifierTypes.TRANSFORM
class SigmaTypeModifier(SigmaModifier):
"""Modify the type of the value. This must be handled by the backend."""
identifier = "type_base"
modifier_type = SigmaModifierTypes.TYPE
def apply(self):
return self
def __str__(self):
return str(self.value)
Reference in New Issue View Git Blame Copy Permalink