security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
bd345d4c19137ffad5bedfc62a22cec8f2629709
sigma-rules/detection_rules/rule_loader.py
T

644 lines
24 KiB
Python
Raw Normal View History

Add rule loader and dependencies
2020-06-29 23:17:38 -06:00
# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
# or more contributor license agreements. Licensed under the Elastic License
# 2.0; you may not use this file except in compliance with the Elastic License
# 2.0.
Add rule loader and dependencies
2020-06-29 23:17:38 -06:00
"""Load rule metadata transform between rule and api formats."""
import io
from collections import OrderedDict
Add DeprecatedCollection to RuleCollection to bypass validation (#1454)
2021-09-01 15:29:53 -08:00
from dataclasses import dataclass, field
Move Rule into a dataclass (#1029)
2021-03-24 10:24:32 -06:00
from pathlib import Path
Move etc under detection_rules (#1885)
2022-05-02 10:11:21 -04:00
from subprocess import CalledProcessError
from typing import Callable, Dict, Iterable, List, Optional, Union
Add rule loader and dependencies
2020-06-29 23:17:38 -06:00
import click
import pytoml
Refresh Kibana module with API updates (#3466)
2024-04-26 11:12:50 -06:00
import json
Autogenerate docs for integration package releases (#1567)
2022-01-26 21:19:03 -09:00
from marshmallow.exceptions import ValidationError
Add rule loader and dependencies
2020-06-29 23:17:38 -06:00
Add RuleCollection.load_git_branch (#1403)
2021-08-05 01:15:39 -06:00
from . import utils
Add rule loader and dependencies
2020-06-29 23:17:38 -06:00
from .mappings import RtaMappings
Refresh Kibana module with API updates (#3466)
2024-04-26 11:12:50 -06:00
from .rule import (
DeprecatedRule, DeprecatedRuleContents, DictRule, TOMLRule, TOMLRuleContents
)
Remove dead code in the rule loader
2021-04-05 14:30:26 -06:00
from .schemas import definitions
Move etc under detection_rules (#1885)
2022-05-02 10:11:21 -04:00
from .utils import cached, get_path
Add rule loader and dependencies
2020-06-29 23:17:38 -06:00
[FR] Update utility path computation to use pathlib (#3699)
2024-05-23 17:36:51 -04:00
DEFAULT_RULES_DIR = get_path("rules")
DEFAULT_BBR_DIR = get_path("rules_building_block")
Add DeprecatedCollection to RuleCollection to bypass validation (#1454)
2021-09-01 15:29:53 -08:00
DEFAULT_DEPRECATED_DIR = DEFAULT_RULES_DIR / '_deprecated'
Add rule loader and dependencies
2020-06-29 23:17:38 -06:00
RTA_DIR = get_path("rta")
FILE_PATTERN = r'^([a-z0-9_])+\.(json|toml)$'
Add a RuleCollection object instead of a "loader" module (#1063)
2021-04-05 14:23:37 -06:00
def path_getter(value: str) -> Callable[[dict], bool]:
"""Get the path from a Python object."""
path = value.replace("__", ".").split(".")
Add rule loader and dependencies
2020-06-29 23:17:38 -06:00
Add a RuleCollection object instead of a "loader" module (#1063)
2021-04-05 14:23:37 -06:00
def callback(obj: dict):
for p in path:
if isinstance(obj, dict) and p in path:
obj = obj[p]
else:
return None
Add rule loader and dependencies
2020-06-29 23:17:38 -06:00
Add a RuleCollection object instead of a "loader" module (#1063)
2021-04-05 14:23:37 -06:00
return obj
Add rule loader and dependencies
2020-06-29 23:17:38 -06:00
Add a RuleCollection object instead of a "loader" module (#1063)
2021-04-05 14:23:37 -06:00
return callback
Add rule loader and dependencies
2020-06-29 23:17:38 -06:00
Add a RuleCollection object instead of a "loader" module (#1063)
2021-04-05 14:23:37 -06:00
def dict_filter(_obj: Optional[dict] = None, **critieria) -> Callable[[dict], bool]:
"""Get a callable that will return true if a dictionary matches a set of criteria.
Add rule loader and dependencies
2020-06-29 23:17:38 -06:00
Add a RuleCollection object instead of a "loader" module (#1063)
2021-04-05 14:23:37 -06:00
* each key is a dotted (or __ delimited) path into a dictionary to check
* each value is a value or list of values to match
"""
critieria.update(_obj or {})
checkers = [(path_getter(k), set(v) if isinstance(v, (list, set, tuple)) else {v}) for k, v in critieria.items()]
Add rule loader and dependencies
2020-06-29 23:17:38 -06:00
Add a RuleCollection object instead of a "loader" module (#1063)
2021-04-05 14:23:37 -06:00
def callback(obj: dict) -> bool:
for getter, expected in checkers:
target_values = getter(obj)
target_values = set(target_values) if isinstance(target_values, (list, set, tuple)) else {target_values}
Add command to upload to kibana (#58)
2020-07-20 17:58:28 -04:00
Add a RuleCollection object instead of a "loader" module (#1063)
2021-04-05 14:23:37 -06:00
return bool(expected.intersection(target_values))
Add rule loader and dependencies
2020-06-29 23:17:38 -06:00
Add a RuleCollection object instead of a "loader" module (#1063)
2021-04-05 14:23:37 -06:00
return False
Add rule loader and dependencies
2020-06-29 23:17:38 -06:00
Add a RuleCollection object instead of a "loader" module (#1063)
2021-04-05 14:23:37 -06:00
return callback
Add rule loader and dependencies
2020-06-29 23:17:38 -06:00
Add a RuleCollection object instead of a "loader" module (#1063)
2021-04-05 14:23:37 -06:00
def metadata_filter(**metadata) -> Callable[[TOMLRule], bool]:
"""Get a filter callback based off rule metadata"""
flt = dict_filter(metadata)
Add rule loader and dependencies
2020-06-29 23:17:38 -06:00
Add a RuleCollection object instead of a "loader" module (#1063)
2021-04-05 14:23:37 -06:00
def callback(rule: TOMLRule) -> bool:
target_dict = rule.contents.metadata.to_dict()
return flt(target_dict)
Add rule loader and dependencies
2020-06-29 23:17:38 -06:00
Add a RuleCollection object instead of a "loader" module (#1063)
2021-04-05 14:23:37 -06:00
return callback
Add rule loader and dependencies
2020-06-29 23:17:38 -06:00
[Bug] Allow duplicative queries across different rule types (#704)
2020-12-08 23:16:59 +01:00
Add a RuleCollection object instead of a "loader" module (#1063)
2021-04-05 14:23:37 -06:00
production_filter = metadata_filter(maturity="production")
Add rule loader and dependencies
2020-06-29 23:17:38 -06:00
Move version lock code to object for portability (#1553)
2021-11-15 08:46:12 -09:00
def load_locks_from_tag(remote: str, tag: str) -> (str, dict, dict):
"""Loads version and deprecated lock files from git tag."""
import json
git = utils.make_git()
exists_args = ['ls-remote']
if remote:
exists_args.append(remote)
exists_args.append(f'refs/tags/{tag}')
assert git(*exists_args), f'tag: {tag} does not exist in {remote or "local"}'
fetch_tags = ['fetch']
if remote:
fetch_tags += [remote, '--tags', '-f', tag]
else:
fetch_tags += ['--tags', '-f', tag]
git(*fetch_tags)
commit_hash = git('rev-list', '-1', tag)
Move etc under detection_rules (#1885)
2022-05-02 10:11:21 -04:00
try:
version = json.loads(git('show', f'{tag}:detection_rules/etc/version.lock.json'))
except CalledProcessError:
# Adding resiliency to account for the old directory structure
version = json.loads(git('show', f'{tag}:etc/version.lock.json'))
try:
deprecated = json.loads(git('show', f'{tag}:detection_rules/etc/deprecated_rules.json'))
except CalledProcessError:
# Adding resiliency to account for the old directory structure
deprecated = json.loads(git('show', f'{tag}:etc/deprecated_rules.json'))
Move version lock code to object for portability (#1553)
2021-11-15 08:46:12 -09:00
return commit_hash, version, deprecated
Add DeprecatedCollection to RuleCollection to bypass validation (#1454)
2021-09-01 15:29:53 -08:00
@dataclass
class BaseCollection:
"""Base class for collections."""
rules: list
def __len__(self):
"""Get the total amount of rules in the collection."""
return len(self.rules)
def __iter__(self):
"""Iterate over all rules in the collection."""
return iter(self.rules)
@dataclass
class DeprecatedCollection(BaseCollection):
"""Collection of loaded deprecated rule dicts."""
id_map: Dict[str, DeprecatedRule] = field(default_factory=dict)
file_map: Dict[Path, DeprecatedRule] = field(default_factory=dict)
[Rule Tuning] adjust duplicate ssh brute force rule names and add unit test (#2321)
2022-09-26 10:04:38 -04:00
name_map: Dict[str, DeprecatedRule] = field(default_factory=dict)
Add DeprecatedCollection to RuleCollection to bypass validation (#1454)
2021-09-01 15:29:53 -08:00
rules: List[DeprecatedRule] = field(default_factory=list)
Autogenerate docs for integration package releases (#1567)
2022-01-26 21:19:03 -09:00
def __contains__(self, rule: DeprecatedRule):
Add DeprecatedCollection to RuleCollection to bypass validation (#1454)
2021-09-01 15:29:53 -08:00
"""Check if a rule is in the map by comparing IDs."""
Autogenerate docs for integration package releases (#1567)
2022-01-26 21:19:03 -09:00
return rule.id in self.id_map
Add DeprecatedCollection to RuleCollection to bypass validation (#1454)
2021-09-01 15:29:53 -08:00
def filter(self, cb: Callable[[DeprecatedRule], bool]) -> 'RuleCollection':
"""Retrieve a filtered collection of rules."""
filtered_collection = RuleCollection()
for rule in filter(cb, self.rules):
filtered_collection.add_deprecated_rule(rule)
return filtered_collection
Refresh Kibana module with API updates (#3466)
2024-04-26 11:12:50 -06:00
class RawRuleCollection(BaseCollection):
"""Collection of rules in raw dict form."""
__default = None
__default_bbr = None
def __init__(self, rules: Optional[List[dict]] = None, ext_patterns: Optional[List[str]] = None):
"""Create a new raw rule collection, with optional file ext pattern override."""
# ndjson is unsupported since it breaks the contract of 1 rule per file, so rules should be manually broken out
# first
self.ext_patterns = ext_patterns or ['*.toml', '*.json']
self.id_map: Dict[definitions.UUIDString, DictRule] = {}
self.file_map: Dict[Path, DictRule] = {}
self.name_map: Dict[definitions.RuleName, DictRule] = {}
self.rules: List[DictRule] = []
self.errors: Dict[Path, Exception] = {}
self.frozen = False
self._raw_load_cache: Dict[Path, dict] = {}
for rule in (rules or []):
self.add_rule(rule)
def __contains__(self, rule: DictRule):
"""Check if a rule is in the map by comparing IDs."""
return rule.id in self.id_map
def filter(self, cb: Callable[[DictRule], bool]) -> 'RawRuleCollection':
"""Retrieve a filtered collection of rules."""
filtered_collection = RawRuleCollection()
for rule in filter(cb, self.rules):
filtered_collection.add_rule(rule)
return filtered_collection
def _load_rule_file(self, path: Path) -> dict:
"""Load a rule file into a dictionary."""
if path in self._raw_load_cache:
return self._raw_load_cache[path]
if path.suffix == ".toml":
# use pytoml instead of toml because of annoying bugs
# https://github.com/uiri/toml/issues/152
# might also be worth looking at https://github.com/sdispater/tomlkit
raw_dict = pytoml.loads(path.read_text())
elif path.suffix == ".json":
raw_dict = json.loads(path.read_text())
elif path.suffix == ".ndjson":
raise ValueError('ndjson is not supported in RawRuleCollection. Break out the rules individually.')
else:
raise ValueError(f"Unsupported file type {path.suffix} for rule {path}")
self._raw_load_cache[path] = raw_dict
return raw_dict
def _get_paths(self, directory: Path, recursive=True) -> List[Path]:
"""Get all paths in a directory that match the ext patterns."""
paths = []
for pattern in self.ext_patterns:
paths.extend(sorted(directory.rglob(pattern) if recursive else directory.glob(pattern)))
return paths
def _assert_new(self, rule: DictRule):
"""Assert that a rule is new and can be added to the collection."""
id_map = self.id_map
file_map = self.file_map
name_map = self.name_map
assert not self.frozen, f"Unable to add rule {rule.name} {rule.id} to a frozen collection"
assert rule.id not in id_map, \
f"Rule ID {rule.id} for {rule.name} collides with rule {id_map.get(rule.id).name}"
assert rule.name not in name_map, \
f"Rule Name {rule.name} for {rule.id} collides with rule ID {name_map.get(rule.name).id}"
if rule.path is not None:
rule_path = rule.path.resolve()
assert rule_path not in file_map, f"Rule file {rule_path} already loaded"
file_map[rule_path] = rule
def add_rule(self, rule: DictRule):
"""Add a rule to the collection."""
self._assert_new(rule)
self.id_map[rule.id] = rule
self.name_map[rule.name] = rule
self.rules.append(rule)
def load_dict(self, obj: dict, path: Optional[Path] = None) -> DictRule:
"""Load a rule from a dictionary."""
rule = DictRule(contents=obj, path=path)
self.add_rule(rule)
return rule
def load_file(self, path: Path) -> DictRule:
"""Load a rule from a file."""
try:
path = path.resolve()
# use the default rule loader as a cache.
# if it already loaded the rule, then we can just use it from that
if self.__default is not None and self is not self.__default:
if path in self.__default.file_map:
rule = self.__default.file_map[path]
self.add_rule(rule)
return rule
obj = self._load_rule_file(path)
return self.load_dict(obj, path=path)
except Exception:
print(f"Error loading rule in {path}")
raise
def load_files(self, paths: Iterable[Path]):
"""Load multiple files into the collection."""
for path in paths:
self.load_file(path)
def load_directory(self, directory: Path, recursive=True, obj_filter: Optional[Callable[[dict], bool]] = None):
"""Load all rules in a directory."""
paths = self._get_paths(directory, recursive=recursive)
if obj_filter is not None:
paths = [path for path in paths if obj_filter(self._load_rule_file(path))]
self.load_files(paths)
def load_directories(self, directories: Iterable[Path], recursive=True,
obj_filter: Optional[Callable[[dict], bool]] = None):
"""Load all rules in multiple directories."""
for path in directories:
self.load_directory(path, recursive=recursive, obj_filter=obj_filter)
def freeze(self):
"""Freeze the rule collection and make it immutable going forward."""
self.frozen = True
@classmethod
def default(cls) -> 'RawRuleCollection':
"""Return the default rule collection, which retrieves from rules/."""
if cls.__default is None:
collection = RawRuleCollection()
collection.load_directory(DEFAULT_RULES_DIR)
collection.load_directory(DEFAULT_BBR_DIR)
collection.freeze()
cls.__default = collection
return cls.__default
@classmethod
def default_bbr(cls) -> 'RawRuleCollection':
"""Return the default BBR collection, which retrieves from building_block_rules/."""
if cls.__default_bbr is None:
collection = RawRuleCollection()
collection.load_directory(DEFAULT_BBR_DIR)
collection.freeze()
cls.__default_bbr = collection
return cls.__default_bbr
Add DeprecatedCollection to RuleCollection to bypass validation (#1454)
2021-09-01 15:29:53 -08:00
class RuleCollection(BaseCollection):
Add a RuleCollection object instead of a "loader" module (#1063)
2021-04-05 14:23:37 -06:00
"""Collection of rule objects."""
Add rule loader and dependencies
2020-06-29 23:17:38 -06:00
Add a RuleCollection object instead of a "loader" module (#1063)
2021-04-05 14:23:37 -06:00
__default = None
[FR] Add support for building block rules (BBR) (#2822)
2023-06-20 13:00:30 +00:00
__default_bbr = None
Add a RuleCollection object instead of a "loader" module (#1063)
2021-04-05 14:23:37 -06:00
def __init__(self, rules: Optional[List[TOMLRule]] = None):
Autogenerate docs for integration package releases (#1567)
2022-01-26 21:19:03 -09:00
from .version_lock import VersionLock
Add a RuleCollection object instead of a "loader" module (#1063)
2021-04-05 14:23:37 -06:00
self.id_map: Dict[definitions.UUIDString, TOMLRule] = {}
self.file_map: Dict[Path, TOMLRule] = {}
[Rule Tuning] adjust duplicate ssh brute force rule names and add unit test (#2321)
2022-09-26 10:04:38 -04:00
self.name_map: Dict[definitions.RuleName, TOMLRule] = {}
Add a RuleCollection object instead of a "loader" module (#1063)
2021-04-05 14:23:37 -06:00
self.rules: List[TOMLRule] = []
Add DeprecatedCollection to RuleCollection to bypass validation (#1454)
2021-09-01 15:29:53 -08:00
self.deprecated: DeprecatedCollection = DeprecatedCollection()
Autogenerate docs for integration package releases (#1567)
2022-01-26 21:19:03 -09:00
self.errors: Dict[Path, Exception] = {}
Add a RuleCollection object instead of a "loader" module (#1063)
2021-04-05 14:23:37 -06:00
self.frozen = False
self._toml_load_cache: Dict[Path, dict] = {}
Autogenerate docs for integration package releases (#1567)
2022-01-26 21:19:03 -09:00
self._version_lock: Optional[VersionLock] = None
Add a RuleCollection object instead of a "loader" module (#1063)
2021-04-05 14:23:37 -06:00
for rule in (rules or []):
self.add_rule(rule)
Add rule loader and dependencies
2020-06-29 23:17:38 -06:00
Add a RuleCollection object instead of a "loader" module (#1063)
2021-04-05 14:23:37 -06:00
def __contains__(self, rule: TOMLRule):
"""Check if a rule is in the map by comparing IDs."""
return rule.id in self.id_map
def filter(self, cb: Callable[[TOMLRule], bool]) -> 'RuleCollection':
"""Retrieve a filtered collection of rules."""
filtered_collection = RuleCollection()
for rule in filter(cb, self.rules):
filtered_collection.add_rule(rule)
return filtered_collection
Add command to unstage incompatible rules from git (#1317)
2021-07-08 13:44:04 -06:00
@staticmethod
Add RuleCollection.load_git_branch (#1403)
2021-08-05 01:15:39 -06:00
def deserialize_toml_string(contents: Union[bytes, str]) -> dict:
Add command to unstage incompatible rules from git (#1317)
2021-07-08 13:44:04 -06:00
return pytoml.loads(contents)
def _load_toml_file(self, path: Path) -> dict:
Add a RuleCollection object instead of a "loader" module (#1063)
2021-04-05 14:23:37 -06:00
if path in self._toml_load_cache:
return self._toml_load_cache[path]
# use pytoml instead of toml because of annoying bugs
# https://github.com/uiri/toml/issues/152
# might also be worth looking at https://github.com/sdispater/tomlkit
Add RuleCollection.load_git_branch (#1403)
2021-08-05 01:15:39 -06:00
with io.open(path, "r", encoding="utf-8") as f:
Add command to unstage incompatible rules from git (#1317)
2021-07-08 13:44:04 -06:00
toml_dict = self.deserialize_toml_string(f.read())
Add a RuleCollection object instead of a "loader" module (#1063)
2021-04-05 14:23:37 -06:00
self._toml_load_cache[path] = toml_dict
return toml_dict
def _get_paths(self, directory: Path, recursive=True) -> List[Path]:
return sorted(directory.rglob('*.toml') if recursive else directory.glob('*.toml'))
Add DeprecatedCollection to RuleCollection to bypass validation (#1454)
2021-09-01 15:29:53 -08:00
def _assert_new(self, rule: Union[TOMLRule, DeprecatedRule], is_deprecated=False):
if is_deprecated:
id_map = self.deprecated.id_map
file_map = self.deprecated.file_map
[Rule Tuning] adjust duplicate ssh brute force rule names and add unit test (#2321)
2022-09-26 10:04:38 -04:00
name_map = self.deprecated.name_map
Add DeprecatedCollection to RuleCollection to bypass validation (#1454)
2021-09-01 15:29:53 -08:00
else:
id_map = self.id_map
file_map = self.file_map
[Rule Tuning] adjust duplicate ssh brute force rule names and add unit test (#2321)
2022-09-26 10:04:38 -04:00
name_map = self.name_map
Add DeprecatedCollection to RuleCollection to bypass validation (#1454)
2021-09-01 15:29:53 -08:00
Add a RuleCollection object instead of a "loader" module (#1063)
2021-04-05 14:23:37 -06:00
assert not self.frozen, f"Unable to add rule {rule.name} {rule.id} to a frozen collection"
Add DeprecatedCollection to RuleCollection to bypass validation (#1454)
2021-09-01 15:29:53 -08:00
assert rule.id not in id_map, \
[Bug] Fix AttributeError in RuleCollection dupe check (#1747)
2022-01-31 15:57:46 -09:00
f"Rule ID {rule.id} for {rule.name} collides with rule {id_map.get(rule.id).name}"
[Rule Tuning] adjust duplicate ssh brute force rule names and add unit test (#2321)
2022-09-26 10:04:38 -04:00
assert rule.name not in name_map, \
f"Rule Name {rule.name} for {rule.id} collides with rule ID {name_map.get(rule.name).id}"
Add a RuleCollection object instead of a "loader" module (#1063)
2021-04-05 14:23:37 -06:00
if rule.path is not None:
Add DeprecatedCollection to RuleCollection to bypass validation (#1454)
2021-09-01 15:29:53 -08:00
rule_path = rule.path.resolve()
assert rule_path not in file_map, f"Rule file {rule_path} already loaded"
file_map[rule_path] = rule
Add a RuleCollection object instead of a "loader" module (#1063)
2021-04-05 14:23:37 -06:00
Add DeprecatedCollection to RuleCollection to bypass validation (#1454)
2021-09-01 15:29:53 -08:00
def add_rule(self, rule: TOMLRule):
self._assert_new(rule)
Add a RuleCollection object instead of a "loader" module (#1063)
2021-04-05 14:23:37 -06:00
self.id_map[rule.id] = rule
[Rule Tuning] adjust duplicate ssh brute force rule names and add unit test (#2321)
2022-09-26 10:04:38 -04:00
self.name_map[rule.name] = rule
Add a RuleCollection object instead of a "loader" module (#1063)
2021-04-05 14:23:37 -06:00
self.rules.append(rule)
Add DeprecatedCollection to RuleCollection to bypass validation (#1454)
2021-09-01 15:29:53 -08:00
def add_deprecated_rule(self, rule: DeprecatedRule):
self._assert_new(rule, is_deprecated=True)
self.deprecated.id_map[rule.id] = rule
[Rule Tuning] adjust duplicate ssh brute force rule names and add unit test (#2321)
2022-09-26 10:04:38 -04:00
self.deprecated.name_map[rule.name] = rule
Add DeprecatedCollection to RuleCollection to bypass validation (#1454)
2021-09-01 15:29:53 -08:00
self.deprecated.rules.append(rule)
def load_dict(self, obj: dict, path: Optional[Path] = None) -> Union[TOMLRule, DeprecatedRule]:
# bypass rule object load (load_dict) and load as a dict only
if obj.get('metadata', {}).get('maturity', '') == 'deprecated':
Move version lock code to object for portability (#1553)
2021-11-15 08:46:12 -09:00
contents = DeprecatedRuleContents.from_dict(obj)
contents.set_version_lock(self._version_lock)
deprecated_rule = DeprecatedRule(path, contents)
Add DeprecatedCollection to RuleCollection to bypass validation (#1454)
2021-09-01 15:29:53 -08:00
self.add_deprecated_rule(deprecated_rule)
return deprecated_rule
else:
contents = TOMLRuleContents.from_dict(obj)
Move version lock code to object for portability (#1553)
2021-11-15 08:46:12 -09:00
contents.set_version_lock(self._version_lock)
Add DeprecatedCollection to RuleCollection to bypass validation (#1454)
2021-09-01 15:29:53 -08:00
rule = TOMLRule(path=path, contents=contents)
self.add_rule(rule)
Move version lock code to object for portability (#1553)
2021-11-15 08:46:12 -09:00
return rule
Add a RuleCollection object instead of a "loader" module (#1063)
2021-04-05 14:23:37 -06:00
Add DeprecatedCollection to RuleCollection to bypass validation (#1454)
2021-09-01 15:29:53 -08:00
def load_file(self, path: Path) -> Union[TOMLRule, DeprecatedRule]:
Add a RuleCollection object instead of a "loader" module (#1063)
2021-04-05 14:23:37 -06:00
try:
path = path.resolve()
# use the default rule loader as a cache.
# if it already loaded the rule, then we can just use it from that
Add DeprecatedCollection to RuleCollection to bypass validation (#1454)
2021-09-01 15:29:53 -08:00
if self.__default is not None and self is not self.__default:
if path in self.__default.file_map:
rule = self.__default.file_map[path]
self.add_rule(rule)
return rule
elif path in self.__default.deprecated.file_map:
deprecated_rule = self.__default.deprecated.file_map[path]
self.add_deprecated_rule(deprecated_rule)
return deprecated_rule
Add a RuleCollection object instead of a "loader" module (#1063)
2021-04-05 14:23:37 -06:00
Add command to unstage incompatible rules from git (#1317)
2021-07-08 13:44:04 -06:00
obj = self._load_toml_file(path)
Add a RuleCollection object instead of a "loader" module (#1063)
2021-04-05 14:23:37 -06:00
return self.load_dict(obj, path=path)
except Exception:
print(f"Error loading rule in {path}")
raise
Autogenerate docs for integration package releases (#1567)
2022-01-26 21:19:03 -09:00
def load_git_tag(self, branch: str, remote: Optional[str] = None, skip_query_validation=False):
Add RuleCollection.load_git_branch (#1403)
2021-08-05 01:15:39 -06:00
"""Load rules from a Git branch."""
Add delta command to determine changes to endpoint rules between tags (#1943)
2022-05-03 12:30:11 -08:00
from .version_lock import VersionLock, add_rule_types_to_lock
Move version lock code to object for portability (#1553)
2021-11-15 08:46:12 -09:00
Add RuleCollection.load_git_branch (#1403)
2021-08-05 01:15:39 -06:00
git = utils.make_git()
rules_dir = DEFAULT_RULES_DIR.relative_to(get_path("."))
Move version lock code to object for portability (#1553)
2021-11-15 08:46:12 -09:00
paths = git("ls-tree", "-r", "--name-only", branch, rules_dir).splitlines()
Add RuleCollection.load_git_branch (#1403)
2021-08-05 01:15:39 -06:00
Add delta command to determine changes to endpoint rules between tags (#1943)
2022-05-03 12:30:11 -08:00
rule_contents = []
rule_map = {}
Add RuleCollection.load_git_branch (#1403)
2021-08-05 01:15:39 -06:00
for path in paths:
path = Path(path)
if path.suffix != ".toml":
continue
contents = git("show", f"{branch}:{path}")
toml_dict = self.deserialize_toml_string(contents)
Autogenerate docs for integration package releases (#1567)
2022-01-26 21:19:03 -09:00
if skip_query_validation:
toml_dict['metadata']['query_schema_validation'] = False
Add delta command to determine changes to endpoint rules between tags (#1943)
2022-05-03 12:30:11 -08:00
rule_contents.append((toml_dict, path))
rule_map[toml_dict['rule']['rule_id']] = toml_dict
commit_hash, v_lock, d_lock = load_locks_from_tag(remote, branch)
v_lock_name_prefix = f'{remote}/' if remote else ''
v_lock_name = f'{v_lock_name_prefix}{branch}-{commit_hash}'
# For backwards compatibility with tagged branches that existed before the types were added and validation
# enforced, we will need to manually add the rule types to the version lock allow them to pass validation.
v_lock = add_rule_types_to_lock(v_lock, rule_map)
version_lock = VersionLock(version_lock=v_lock, deprecated_lock=d_lock, name=v_lock_name)
self._version_lock = version_lock
for rule_content in rule_contents:
toml_dict, path = rule_content
Autogenerate docs for integration package releases (#1567)
2022-01-26 21:19:03 -09:00
try:
self.load_dict(toml_dict, path)
except ValidationError as e:
self.errors[path] = e
continue
Add RuleCollection.load_git_branch (#1403)
2021-08-05 01:15:39 -06:00
Add a RuleCollection object instead of a "loader" module (#1063)
2021-04-05 14:23:37 -06:00
def load_files(self, paths: Iterable[Path]):
"""Load multiple files into the collection."""
for path in paths:
self.load_file(path)
Refresh Kibana module with API updates (#3466)
2024-04-26 11:12:50 -06:00
def load_directory(self, directory: Path, recursive=True, obj_filter: Optional[Callable[[dict], bool]] = None):
Add a RuleCollection object instead of a "loader" module (#1063)
2021-04-05 14:23:37 -06:00
paths = self._get_paths(directory, recursive=recursive)
Refresh Kibana module with API updates (#3466)
2024-04-26 11:12:50 -06:00
if obj_filter is not None:
paths = [path for path in paths if obj_filter(self._load_toml_file(path))]
Add a RuleCollection object instead of a "loader" module (#1063)
2021-04-05 14:23:37 -06:00
self.load_files(paths)
def load_directories(self, directories: Iterable[Path], recursive=True,
Refresh Kibana module with API updates (#3466)
2024-04-26 11:12:50 -06:00
obj_filter: Optional[Callable[[dict], bool]] = None):
Add a RuleCollection object instead of a "loader" module (#1063)
2021-04-05 14:23:37 -06:00
for path in directories:
Refresh Kibana module with API updates (#3466)
2024-04-26 11:12:50 -06:00
self.load_directory(path, recursive=recursive, obj_filter=obj_filter)
Add a RuleCollection object instead of a "loader" module (#1063)
2021-04-05 14:23:37 -06:00
def freeze(self):
"""Freeze the rule collection and make it immutable going forward."""
self.frozen = True
@classmethod
Add DeprecatedCollection to RuleCollection to bypass validation (#1454)
2021-09-01 15:29:53 -08:00
def default(cls) -> 'RuleCollection':
Add a RuleCollection object instead of a "loader" module (#1063)
2021-04-05 14:23:37 -06:00
"""Return the default rule collection, which retrieves from rules/."""
if cls.__default is None:
collection = RuleCollection()
collection.load_directory(DEFAULT_RULES_DIR)
[FR] Add support for BBR rules to the rule loader (#2968)
2023-07-27 11:27:04 -05:00
collection.load_directory(DEFAULT_BBR_DIR)
Add a RuleCollection object instead of a "loader" module (#1063)
2021-04-05 14:23:37 -06:00
collection.freeze()
cls.__default = collection
return cls.__default
Add rule loader and dependencies
2020-06-29 23:17:38 -06:00
[FR] Add support for building block rules (BBR) (#2822)
2023-06-20 13:00:30 +00:00
@classmethod
def default_bbr(cls) -> 'RuleCollection':
"""Return the default BBR collection, which retrieves from building_block_rules/."""
if cls.__default_bbr is None:
collection = RuleCollection()
collection.load_directory(DEFAULT_BBR_DIR)
collection.freeze()
cls.__default_bbr = collection
return cls.__default_bbr
Autogenerate docs for integration package releases (#1567)
2022-01-26 21:19:03 -09:00
def compare_collections(self, other: 'RuleCollection'
) -> (Dict[str, TOMLRule], Dict[str, TOMLRule], Dict[str, DeprecatedRule]):
"""Get the changes between two sets of rules."""
assert self._version_lock, 'RuleCollection._version_lock must be set for self'
assert other._version_lock, 'RuleCollection._version_lock must be set for other'
# we cannot trust the assumption that either of the versions or deprecated files were pre-locked, which means we
# have to perform additional checks beyond what is done in manage_versions
changed_rules = {}
new_rules = {}
newly_deprecated = {}
Add delta command to determine changes to endpoint rules between tags (#1943)
2022-05-03 12:30:11 -08:00
pre_versions_hash = utils.dict_hash(self._version_lock.version_lock.to_dict())
post_versions_hash = utils.dict_hash(other._version_lock.version_lock.to_dict())
pre_deprecated_hash = utils.dict_hash(self._version_lock.deprecated_lock.to_dict())
post_deprecated_hash = utils.dict_hash(other._version_lock.deprecated_lock.to_dict())
Autogenerate docs for integration package releases (#1567)
2022-01-26 21:19:03 -09:00
if pre_versions_hash == post_versions_hash and pre_deprecated_hash == post_deprecated_hash:
return changed_rules, new_rules, newly_deprecated
for rule in other:
if rule.contents.metadata.maturity != 'production':
continue
if rule.id not in self.id_map:
new_rules[rule.id] = rule
else:
pre_rule = self.id_map[rule.id]
if rule.contents.sha256() != pre_rule.contents.sha256():
changed_rules[rule.id] = rule
for rule in other.deprecated:
if rule.id not in self.deprecated.id_map:
newly_deprecated[rule.id] = rule
return changed_rules, new_rules, newly_deprecated
Add rule loader and dependencies
2020-06-29 23:17:38 -06:00
Add GitHub PR rule loader (#670)
2021-02-08 21:35:44 -09:00
@cached
def load_github_pr_rules(labels: list = None, repo: str = 'elastic/detection-rules', token=None, threads=50,
[Bug] CLI Fixes (#1073)
2021-09-10 10:06:04 -08:00
verbose=True) -> (Dict[str, TOMLRule], Dict[str, TOMLRule], Dict[str, list]):
Add GitHub PR rule loader (#670)
2021-02-08 21:35:44 -09:00
"""Load all rules active as a GitHub PR."""
from multiprocessing.pool import ThreadPool
from pathlib import Path
Move etc under detection_rules (#1885)
2022-05-02 10:11:21 -04:00
import pytoml
import requests
Add DeprecatedCollection to RuleCollection to bypass validation (#1454)
2021-09-01 15:29:53 -08:00
from .ghwrap import GithubClient
Add GitHub PR rule loader (#670)
2021-02-08 21:35:44 -09:00
github = GithubClient(token=token)
repo = github.client.get_repo(repo)
labels = set(labels or [])
open_prs = [r for r in repo.get_pulls() if not labels.difference(set(list(lbl.name for lbl in r.get_labels())))]
Move Rule into a dataclass (#1029)
2021-03-24 10:24:32 -06:00
new_rules: List[TOMLRule] = []
modified_rules: List[TOMLRule] = []
Add GitHub PR rule loader (#670)
2021-02-08 21:35:44 -09:00
errors: Dict[str, list] = {}
Add a RuleCollection object instead of a "loader" module (#1063)
2021-04-05 14:23:37 -06:00
existing_rules = RuleCollection.default()
Add GitHub PR rule loader (#670)
2021-02-08 21:35:44 -09:00
pr_rules = []
if verbose:
click.echo('Downloading rules from GitHub PRs')
def download_worker(pr_info):
pull, rule_file = pr_info
response = requests.get(rule_file.raw_url)
try:
raw_rule = pytoml.loads(response.text)
[Bug] CLI Fixes (#1073)
2021-09-10 10:06:04 -08:00
contents = TOMLRuleContents.from_dict(raw_rule)
rule = TOMLRule(path=rule_file.filename, contents=contents)
Add GitHub PR rule loader (#670)
2021-02-08 21:35:44 -09:00
rule.gh_pr = pull
Add a RuleCollection object instead of a "loader" module (#1063)
2021-04-05 14:23:37 -06:00
if rule in existing_rules:
Add GitHub PR rule loader (#670)
2021-02-08 21:35:44 -09:00
modified_rules.append(rule)
else:
new_rules.append(rule)
except Exception as e:
errors.setdefault(Path(rule_file.filename).name, []).append(str(e))
for pr in open_prs:
pr_rules.extend([(pr, f) for f in pr.get_files()
if f.filename.startswith('rules/') and f.filename.endswith('.toml')])
pool = ThreadPool(processes=threads)
pool.map(download_worker, pr_rules)
pool.close()
pool.join()
[Bug] CLI Fixes (#1073)
2021-09-10 10:06:04 -08:00
new = OrderedDict([(rule.contents.id, rule) for rule in sorted(new_rules, key=lambda r: r.contents.name)])
Add GitHub PR rule loader (#670)
2021-02-08 21:35:44 -09:00
modified = OrderedDict()
[Bug] CLI Fixes (#1073)
2021-09-10 10:06:04 -08:00
for modified_rule in sorted(modified_rules, key=lambda r: r.contents.name):
modified.setdefault(modified_rule.contents.id, []).append(modified_rule)
Add GitHub PR rule loader (#670)
2021-02-08 21:35:44 -09:00
return new, modified, errors
Add rule loader and dependencies
2020-06-29 23:17:38 -06:00
rta_mappings = RtaMappings()
__all__ = (
[Rule Tuning] Fix inconsistent rule indexes (#974)
2021-03-05 11:16:02 -09:00
"FILE_PATTERN",
Add a RuleCollection object instead of a "loader" module (#1063)
2021-04-05 14:23:37 -06:00
"DEFAULT_RULES_DIR",
Refresh Kibana module with API updates (#3466)
2024-04-26 11:12:50 -06:00
"DEFAULT_BBR_DIR",
Add GitHub PR rule loader (#670)
2021-02-08 21:35:44 -09:00
"load_github_pr_rules",
Add DeprecatedCollection to RuleCollection to bypass validation (#1454)
2021-09-01 15:29:53 -08:00
"DeprecatedCollection",
"DeprecatedRule",
Refresh Kibana module with API updates (#3466)
2024-04-26 11:12:50 -06:00
"RawRuleCollection",
Add a RuleCollection object instead of a "loader" module (#1063)
2021-04-05 14:23:37 -06:00
"RuleCollection",
"metadata_filter",
"production_filter",
"dict_filter",
Add rule loader and dependencies
2020-06-29 23:17:38 -06:00
"rta_mappings"
)
Reference in New Issue Copy Permalink