Linux Shell Evasion Rule Tuning (#1878)

* Linux Shell Evasion Rule Tuning

* Update execution_python_tty_shell.toml

* Update rules/linux/execution_apt_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_apt_binary.toml

* Update rules/linux/execution_awk_binary_shell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_awk_binary_shell.toml

* Update rules/linux/execution_c89_c99_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_c89_c99_binary.toml

* Update rules/linux/execution_cpulimit_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_cpulimit_binary.toml

* Update rules/linux/execution_expect_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_expect_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_expect_binary.toml

* Update rules/linux/execution_find_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_find_binary.toml

* Update rules/linux/execution_gcc_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_gcc_binary.toml

* Update rules/linux/execution_mysql_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_mysql_binary.toml

* Update rules/linux/execution_nice_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_nice_binary.toml

* Update rules/linux/execution_ssh_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_ssh_binary.toml

* Update execution_perl_tty_shell.toml

* Update execution_python_tty_shell.toml

* Update rules/linux/execution_apt_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_awk_binary_shell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_c89_c99_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_cpulimit_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_expect_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_find_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_gcc_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_mysql_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_nice_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_ssh_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Colson Wilhoit
2022-03-29 09:16:21 -05:00
committed by Mika Ayenson
commit 150ff0502e
1059 changed files with 102941 additions and 0 deletions
+155
@@ -0,0 +1,155 @@
name: backport
on:
pull_request_target:
branches:
- main
types:
- opened
- reopened
- unlabeled
- labeled
- closed
jobs:
label:
runs-on: ubuntu-latest
if: |
github.event.pull_request.state == 'open' && !github.event.pull_request.draft
steps:
- name: 'Apply default "backport: auto" label'
uses: actions/github-script@v4
if: |
!contains(github.event.pull_request.labels.*.name, 'backport: auto') &&
!contains(github.event.pull_request.labels.*.name, 'backport: skip')
with:
script: |
github.issues.addLabels({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
labels: ['backport: auto']
})
- name: 'Remove "backport: auto" if "backport: skip" is set'
uses: actions/github-script@v4
if: |
contains(github.event.pull_request.labels.*.name, 'backport: auto') &&
contains(github.event.pull_request.labels.*.name, 'backport: skip')
with:
script: |
github.issues.removeLabel({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
name: 'backport: auto'
})
commit:
if: |
github.event.pull_request.merged == true
&& contains(github.event.pull_request.labels.*.name, 'backport: auto')
&& (
(github.event.action == 'labeled' && github.event.label.name == 'backport: auto')
|| (github.event.action == 'closed')
)
runs-on: ubuntu-latest
strategy:
max-parallel: 1
matrix:
# 7.17 was intentionally skipped because it was added late and was bug fix only
target_branch: [7.13, 7.14, 7.15, 7.16, '8.0', 8.1]
steps:
- name: Checkout repo
uses: actions/checkout@v2
with:
token: ${{ secrets.PROTECTIONS_MACHINE_TOKEN }}
ref: main
- name: Set github config
run: |
git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
git config --global user.name "github-actions[bot]"
- name: Get branch histories
run: |
git fetch origin main --depth 100
git fetch origin ${{matrix.target_branch}} --depth 1
git status
git log -1 --format='%H'
- name: Checkout the commit into the staging area
run: |
# Checkout the merged commit
git checkout ${{github.event.pull_request.merge_commit_sha}}
# Move it to the staging area
git reset --soft HEAD^
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -r requirements.txt -r requirements-dev.txt
- name: Prune non-${{matrix.target_branch}} rules
env:
UNSTAGED_LIST_FILE: "../unstaged-rules.txt"
run: |
python -m detection_rules dev unstage-incompatible-rules --target-stack-version ${{matrix.target_branch}}
# Track which rules were unstaged
git diff --name-only > $UNSTAGED_LIST_FILE
# Since they've been tracked, remove any untracked files
git checkout -- .
- name: Commit and push to ${{matrix.target_branch}}
env:
COMMIT_MSG_FILE: "../commit-message.txt"
UNSTAGED_LIST_FILE: "../unstaged-rules.txt"
run: |
set -x
echo "Switch to the target branch and keep the staged changes"
git checkout ${{matrix.target_branch}}
NEEDS_BACKPORT=$(git diff HEAD --quiet --exit-code && echo n || echo y)
if [ "n" = "$NEEDS_BACKPORT" ]
then
echo "No changes to backport"
exit 0
fi
echo "Create the new commit with the same author"
git commit --reuse-message ${{github.event.pull_request.merge_commit_sha}}
echo "Save the commit message"
git log ${{github.event.pull_request.merge_commit_sha}} --format=%B -n1 > $COMMIT_MSG_FILE
echo "Append to the commit message"
if [ -s "$UNSTAGED_LIST_FILE" ]
then
echo "Track note for the removed files"
echo "" >> $COMMIT_MSG_FILE
echo "Removed changes from:" >> $COMMIT_MSG_FILE
awk '{print "- " $0}' $UNSTAGED_LIST_FILE >> $COMMIT_MSG_FILE
echo "" >> $COMMIT_MSG_FILE
echo '(selectively cherry picked from commit ${{github.event.pull_request.merge_commit_sha}})' >> $COMMIT_MSG_FILE
else
echo "No removed files"
echo "" >> $COMMIT_MSG_FILE
echo '(cherry picked from commit ${{github.event.pull_request.merge_commit_sha}})' >> $COMMIT_MSG_FILE
fi
echo "Amend the commit message and push"
git commit --amend -F $COMMIT_MSG_FILE
git push
- name: "Notify slack on failure"
uses: craftech-io/slack-action@v1
with:
slack_webhook_url: ${{ secrets.SLACK_WEBHOOK_URL }}
status: failure
if: failure()
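Review bot: Every `uses:` in this workflow (`actions/checkout@v2`, `actions/github-script@v4`, `craftech-io/slack-action@v1`) references a mutable major-version tag, and the same holds for the Community, lock-versions, Unit Tests, release-fleet and release-kibana workflows in this commit; for jobs that hold `PROTECTIONS_MACHINE_TOKEN` and push to release branches, pin each action to a full commit SHA with the tag in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v2`. The `commit` job also runs `pip install -r requirements.txt -r requirements-dev.txt` and `python -m detection_rules` from `github.event.pull_request.merge_commit_sha` after a checkout that has persisted the machine token in `.git/config`; the `merged == true` gate means that code is already on main, so this is an accepted trust boundary, but a comment on the job's `if:` saying so would make the reasoning visible to the next maintainer. Separately, `target_branch: [7.13, 7.14, 7.15, 7.16, '8.0', 8.1]` mixes quoted and plain scalars; quoting all of them, `target_branch: ['7.13', '7.14', '7.15', '7.16', '8.0', '8.1']`, removes the float reading that forced the `'8.0'` quoting.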
+43
@@ -0,0 +1,43 @@
name: Community
on:
pull_request_target:
types:
- opened
issues:
types:
- opened
jobs:
label:
runs-on: ubuntu-latest
steps:
- name: Check if member of elastic org
uses: actions/github-script@v4
id: membership
with:
github-token: ${{ secrets.READ_ORG_TOKEN }}
result-encoding: string
script: |
const result = await github.orgs.getMembershipForUser({
org: "elastic",
username: context.payload.sender.login
})
console.log(result.data.state)
if (result.data.state == "active"){
console.log("%s: detected as an active member of elastic org", context.payload.sender.login)
return "member"
} else {
console.log("%s: not detected as active member of elastic org", context.payload.sender.login)
return "notMember"
}
- name: Add label for community members
uses: actions/github-script@v4
if: ${{ steps.membership.outputs.result == 'notMember' }}
with:
script: |
github.issues.addLabels({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
labels: ['community']
})
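Review bot: `github.orgs.getMembershipForUser` in the membership step responds with a 404 error when the user is not a member of the org (the API does not return a non-member state), so the `else` branch returning `"notMember"` is unreachable: the step throws, the job fails, and the "Add label for community members" step is skipped for exactly the contributors it is meant to label. Wrap the call in a `try/catch` that maps a 404 to the non-member outcome and rethrows anything else, so a real auth problem with `READ_ORG_TOKEN` still surfaces as a failure.
```yaml
        script: |
          let state = "notMember"
          try {
            const result = await github.orgs.getMembershipForUser({
              org: "elastic",
              username: context.payload.sender.login
            })
            state = result.data.state
          } catch (error) {
            // 404 means "not a member" (or membership not visible to this token); anything else is a real failure
            if (error.status !== 404) throw error
          }
          console.log(state)
          if (state == "active"){
            console.log("%s: detected as an active member of elastic org", context.payload.sender.login)
            return "member"
          } else {
            console.log("%s: not detected as active member of elastic org", context.payload.sender.login)
            return "notMember"
          }
    # … unchanged: Add label for community members step …
```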
+75
@@ -0,0 +1,75 @@
name: lock-versions
on:
workflow_dispatch:
inputs:
branches:
description: 'List of branches to lock versions (ordered, comma separated)'
required: true
# 7.17 was intentionally skipped because it was added late and was bug fix only
default: '7.13,7.14,7.15,7.16,8.0,8.1'
jobs:
pr:
runs-on: ubuntu-latest
steps:
- name: Validate the source branch
uses: actions/github-script@v3
with:
script: |
if ('refs/heads/main' !== '${{github.event.ref}}') {
core.setFailed('Forbidden branch, expected "main"')
}
- name: Checkout detection-rules
uses: actions/checkout@v2
with:
fetch-depth: 0
- name: Set up Python 3.8
uses: actions/setup-python@v2
with:
python-version: 3.8
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -r requirements.txt -r requirements-dev.txt
- name: Build release package
run: |
python -m detection_rules dev build-release
- name: Set github config
run: |
git config --global user.email "72879786+protectionsmachine@users.noreply.github.com"
git config --global user.name "protectionsmachine"
- name: Lock the versions
env:
BRANCHES: "${{github.event.inputs.branches}}"
run: |
./etc/lock-multiple.sh $BRANCHES
git add etc/version.lock.json
- name: Create Pull Request
uses: peter-evans/create-pull-request@v3
with:
assignees: '${{github.actor}}'
delete-branch: true
branch: "version-lock"
commit-message: "Locked versions for releases: ${{github.event.inputs.branches}}"
branch-suffix: "short-commit-hash"
title: 'Lock versions for releases: ${{github.event.inputs.branches}}'
body: |
Lock versions for releases: ${{github.event.inputs.branches}}.
- Autogenerated from job `lock-versions: pr`.
labels: "backport: auto"
- name: Archive production artifacts
uses: actions/upload-artifact@v2
with:
name: release-files
path: |
releases
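Review bot: `./etc/lock-multiple.sh $BRANCHES` in the "Lock the versions" step expands the `branches` dispatch input unquoted, so whitespace or glob characters in the input are split and expanded by the shell before the script sees them; routing the value through `env:` is the right pattern, so finish it with `./etc/lock-multiple.sh "$BRANCHES"`. The preceding branch check interpolates `github.event.ref` straight into a JavaScript string literal, where a ref name containing a quote would break the script rather than fail the check; comparing against `context.ref` (`if ('refs/heads/main' !== context.ref)`) avoids the interpolation entirely. `python-version: 3.8` is a plain float scalar and should be written `python-version: '3.8'` so a later bump to 3.10 is not read as 3.1.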
+59
@@ -0,0 +1,59 @@
name: Unit Tests
on:
push:
branches: [ "main", "7.*", "8.*" ]
pull_request:
branches: [ "*" ]
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Set up Python 3.8
uses: actions/setup-python@v2
with:
python-version: 3.8
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -r requirements.txt
- name: Python Lint
run: |
python -m flake8 tests detection_rules --ignore D203 --max-line-length 120
- name: Python License Check
run: |
python -m detection_rules dev license-check
- name: Build release package
env:
# only generate the navigator files on push events to main
GENERATE_NAVIGATOR_FILES: "${{ github.event_name == 'push' && github.ref == 'refs/heads/main' && '--generate-navigator' || ' ' }}"
run: |
python -m detection_rules dev build-release $GENERATE_NAVIGATOR_FILES
- name: Archive production artifacts for branch builds
uses: actions/upload-artifact@v2
if: |
github.event_name == 'push'
with:
name: release-files
path: |
releases
- name: Unit tests
run: |
python -m detection_rules test
- name: Update navigator gist files
env:
GITHUB_TOKEN: "${{ secrets.NAVIGATOR_GIST_TOKEN }}"
if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
run: python -m detection_rules dev update-navigator-gists
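Review bot: `GENERATE_NAVIGATOR_FILES` falls back to `' '` (a single space) rather than an empty string; that only works because `$GENERATE_NAVIGATOR_FILES` is expanded unquoted in the "Build release package" run step, and it would pass a literal space argument the moment someone quotes the variable. `'--generate-navigator' || ''` yields the same result in the expression and is safe either way. The push-to-main condition is spelled out twice (in that env value and in the gist step's `if:`); hoisting it into a single job-level `env` value would keep the two from drifting. `python-version: 3.8` should be quoted as `'3.8'` for the same reason as in the other workflows.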
+94
@@ -0,0 +1,94 @@
name: release-fleet
on:
workflow_dispatch:
inputs:
target_repo:
description: 'Target repository to build a PR against'
required: true
default: 'elastic/integrations'
target_branch:
description: 'Target branch for PR base'
required: true
default: 'master'
draft:
description: 'Create a PR as draft (y/n)'
required: false
jobs:
fleet-pr:
runs-on: ubuntu-latest
steps:
- name: Validate the source branch
uses: actions/github-script@v3
with:
script: |
if ('refs/heads/main' === '${{github.ref}}') {
core.setFailed('Forbidden branch')
}
- name: Checkout detection-rules
uses: actions/checkout@v2
with:
path: detection-rules
- name: Checkout elastic/integrations
uses: actions/checkout@v2
with:
token: ${{ secrets.PROTECTIONS_MACHINE_TOKEN }}
ref: ${{github.event.inputs.target_branch}}
repository: ${{github.event.inputs.target_repo}}
path: integrations
- name: Set up Python 3.8
uses: actions/setup-python@v2
with:
python-version: 3.8
- name: Install Python dependencies
run: |
cd detection-rules
python -m pip install --upgrade pip
pip install -r requirements.txt -r requirements-dev.txt
- name: Build release package
run: |
cd detection-rules
python -m detection_rules dev build-release
- name: Set github config
run: |
git config --global user.email "72879786+protectionsmachine@users.noreply.github.com"
git config --global user.name "protectionsmachine"
- name: Setup go
uses: actions/setup-go@v2
with:
go-version: '^1.16.0'
- name: Build elastic-package
run: |
go get github.com/elastic/elastic-package
- name: Create the PR to Integrations
env:
DRAFT_ARGS: "${{startsWith(github.event.inputs.draft,'y') && '--draft' || ' '}}"
TARGET_REPO: "${{github.event.inputs.target_repo}}"
TARGET_BRANCH: "${{github.event.inputs.target_branch}}"
LOCAL_REPO: "../integrations"
GITHUB_TOKEN: "${{ secrets.PROTECTIONS_MACHINE_TOKEN }}"
run: |
cd detection-rules
python -m detection_rules dev integrations-pr \
$LOCAL_REPO \
--github-repo $TARGET_REPO \
--base-branch $TARGET_BRANCH \
--assign ${{github.actor}} \
$DRAFT_ARGS
- name: Archive production artifacts
uses: actions/upload-artifact@v2
with:
name: release-files
path: |
detection-rules/releases
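Review bot: The `target_repo` and `target_branch` dispatch inputs flow unchecked into a checkout and a PR made with `PROTECTIONS_MACHINE_TOKEN` (the "Checkout elastic/integrations" step and `--github-repo $TARGET_REPO`), so anyone permitted to dispatch the workflow can point the machine account at an arbitrary repository. The "Validate the source branch" step already exists; extend it to reject a `target_repo` outside the expected owner, reading the input via `env:`/`process.env` rather than interpolating it into the script. `go get github.com/elastic/elastic-package` is also unpinned and, with `go-version: '^1.16.0'`, may resolve to a Go release where `go get` no longer builds and installs binaries; `go install github.com/elastic/elastic-package@<pinned-version>` addresses both. The check `'refs/heads/main' === '${{github.ref}}'` fails on main, the opposite of lock-versions; presumably this workflow is meant for release branches, and a comment on the step stating that would remove the ambiguity.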
+71
@@ -0,0 +1,71 @@
name: release-kibana
on:
workflow_dispatch:
inputs:
kibana_branch:
description: 'Target branch for a Kibana PR'
required: true
default: 'master'
labels:
description: 'Labels to assign to the PR (comma-separated)'
required: true
default: 'release_note:skip,release_note:enhancement,auto-backport'
draft:
description: 'Create a PR as draft (y/n)'
required: false
jobs:
kibana-pr:
runs-on: ubuntu-latest
steps:
- name: Checkout detection-rules
uses: actions/checkout@v2
with:
path: detection-rules
- name: Checkout Kibana
uses: actions/checkout@v2
with:
token: ${{ secrets.PROTECTIONS_MACHINE_TOKEN }}
ref: ${{github.event.inputs.kibana_branch}}
repository: elastic/kibana
path: kibana
- name: Set up Python 3.8
uses: actions/setup-python@v2
with:
python-version: 3.8
- name: Install dependencies
run: |
cd detection-rules
python -m pip install --upgrade pip
pip install -r requirements.txt -r requirements-dev.txt
- name: Build release package
run: |
cd detection-rules
python -m detection_rules dev build-release
- name: Set github config
run: |
git config --global user.email "72879786+protectionsmachine@users.noreply.github.com"
git config --global user.name "protectionsmachine"
- name: Create the PR to Kibana
env:
DRAFT_ARGS: "${{startsWith(github.event.inputs.draft,'y') && '--draft' || ' '}}"
LABEL_ARGS: "--label ${{github.event.inputs.labels}}"
BRANCH_ARGS: "--base-branch ${{github.event.inputs.kibana_branch}}"
GITHUB_TOKEN: "${{ secrets.PROTECTIONS_MACHINE_TOKEN }}"
run: |
cd detection-rules
python -m detection_rules dev kibana-pr --assign ${{github.actor}} $LABEL_ARGS $DRAFT_ARGS $BRANCH_ARGS
- name: Archive production artifacts for branch builds
uses: actions/upload-artifact@v2
with:
name: release-files
path: |
detection-rules/releases
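Review bot: Unlike release-fleet, this workflow has no "Validate the source branch" step, so it can be dispatched from any ref, including `main`, and will open a Kibana PR with `PROTECTIONS_MACHINE_TOKEN` from whatever is checked out there; if the same branch policy is intended (presumably release branches only), add the same guard before the first checkout. `LABEL_ARGS: "--label ${{github.event.inputs.labels}}"` is expanded unquoted on the `kibana-pr` line, so the comma-separated label list reaches the CLI as one `--label` value only as long as it contains no whitespace; keeping it in `env:` is right, but a comment on that line would help, e.g. `# labels are passed as a single comma-separated --label value; no spaces allowed`.
```yaml
    steps:
      - name: Validate the source branch
        uses: actions/github-script@v3
        with:
          script: |
            if ('refs/heads/main' === context.ref) {
              core.setFailed('Forbidden branch')
            }
      # … unchanged: Checkout detection-rules and the following steps …
```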