SigmaHQ/tools/backends.py

# Output backends for sigmac

import json
import re
import sigma

def getBackendList():
    """Return list of backend classes"""
    return list(filter(lambda cls: type(cls) == type and issubclass(cls, BaseBackend) and cls.active, [item[1] for item in globals().items()]))

def getBackendDict():
    return {cls.identifier: cls for cls in getBackendList() }

def getBackend(name):
    try:
        return getBackendDict()[name]
    except KeyError as e:
        raise LookupError("Backend not found") from e

class BaseBackend:
    """Base class for all backends"""
    identifier = "base"
    active = False

    def __init__(self, sigmaconfig):
        if not isinstance(sigmaconfig, (sigma.SigmaConfiguration, None)):
            raise TypeError("SigmaConfiguration object expected")
        self.sigmaconfig = sigmaconfig

    def generate(self, parsed):
        return self.generateNode(parsed.getParseTree())

    def generateNode(self, node):
        if type(node) == sigma.ConditionAND:
            return self.generateANDNode(node)
        elif type(node) == sigma.ConditionOR:
            return self.generateORNode(node)
        elif type(node) == sigma.ConditionNOT:
            return self.generateNOTNode(node)
        elif type(node) == sigma.NodeSubexpression:
            return self.generateSubexpressionNode(node)
        elif type(node) == tuple:
            return self.generateMapItemNode(node)
        elif type(node) in (str, int):
            return self.generateValueNode(node)
        elif type(node) == list:
            return self.generateListNode(node)
        else:
            raise TypeError("Node type %s was not expected in Sigma parse tree" % (str(type(node))))

    def generateANDNode(self, node):
        raise NotImplementedError("Node type not implemented for this backend")

    def generateORNode(self, node):
        raise NotImplementedError("Node type not implemented for this backend")

    def generateNOTNode(self, node):
        raise NotImplementedError("Node type not implemented for this backend")

    def generateSubexpressionNode(self, node):
        raise NotImplementedError("Node type not implemented for this backend")

    def generateListNode(self, node):
        raise NotImplementedError("Node type not implemented for this backend")

    def generateMapItemNode(self, node):
        raise NotImplementedError("Node type not implemented for this backend")

    def generateValueNode(self, node):
        raise NotImplementedError("Node type not implemented for this backend")

class ElasticsearchQuerystringBackend(BaseBackend):
    """Converts Sigma rule into Elasticsearch query string. Only searches, no aggregations."""
    identifier = "es-qs"
    active = True
    reEscape = re.compile("([+\\-=!(){}\\[\\]^\"~:\\\\/]|&&|\\|\\|)")
    reClear = re.compile("[<>]")

    def cleanValue(self, val):
        val = self.reEscape.sub("\\\\\g<1>", val)
        return self.reClear.sub("", val)

    def generateANDNode(self, node):
        return " AND ".join([self.generateNode(val) for val in node])

    def generateORNode(self, node):
        return " OR ".join([self.generateNode(val) for val in node])

    def generateNOTNode(self, node):
        return "NOT " + self.generateNode(node.item)

    def generateSubexpressionNode(self, node):
        return "(%s)" % self.generateNode(node.items)

    def generateListNode(self, node):
        if not set([type(value) for value in node]).issubset({str, int}):
            raise TypeError("List values must be strings or numbers")
        return "(%s)" % (" ".join([self.generateNode(value) for value in node]))

    def generateMapItemNode(self, node):
        key, value = node
        if type(value) not in (str, int, list):
            raise TypeError("Map values must be strings, numbers or lists, not " + str(type(value)))
        return "%s:%s" % (self.sigmaconfig.get_fieldmapping(key), self.generateNode(value))

    def generateValueNode(self, node):
        return "\"%s\"" % (self.cleanValue(str(node)))

class ElasticsearchDSLBackend(BaseBackend):
    """Converts Sigma rule into Elasticsearch DSL query (JSON)."""
    identifier = "es-dsl"
    active = False

class KibanaBackend(ElasticsearchDSLBackend):
    """Converts Sigma rule into Kibana JSON Configurations."""
    identifier = "kibana"
    active = False

class SplunkBackend(BaseBackend):
    """Converts Sigma rule into Splunk Search Processing Language (SPL)."""
    identifier = "splunk"
    active = True
    reEscape = re.compile('(["\\\\])')

    def cleanValue(self, val):
        return self.reEscape.sub("\\\\\g<1>", val)

    def generateANDNode(self, node):
        return " ".join([self.generateNode(val) for val in node])

    def generateORNode(self, node):
        return " OR ".join([self.generateNode(val) for val in node])

    def generateNOTNode(self, node):
        return "NOT " + self.generateNode(node.item)

    def generateSubexpressionNode(self, node):
        return "(%s)" % self.generateNode(node.items)

    def generateListNode(self, node):
        if not set([type(value) for value in node]).issubset({str, int}):
            raise TypeError("List values must be strings or numbers")
        return "(%s)" % (" ".join([self.generateNode(value) for value in node]))

    def generateMapItemNode(self, node):
        key, value = node
        if type(value) in (str, int):
            return '%s=%s' % (self.sigmaconfig.get_fieldmapping(key), self.generateNode(value))
        elif type(value) == list:
            return "(" + (" OR ".join(['%s=%s' % (self.sigmaconfig.get_fieldmapping(key), self.generateValueNode(item)) for item in value])) + ")"
        else:
            raise TypeError("Map values must be strings, numbers or lists, not " + str(type(value)))

    def generateValueNode(self, node):
        return "\"%s\"" % (self.cleanValue(str(node)))

class NullBackend(BaseBackend):
    """Does nothing, for debugging purposes."""
    identifier = "null"
    active = False

    def generate(self, parsed):
        pass
Added Sigma converter skeleton * YAML parsing * argument parsing * empty backend classes 2017-02-13 22:14:40 +00:00			`# Output backends for sigmac`

			`import json`
Conversion to Elasticsearch Query Strings First version of sigmac that converts Sigma YAMLs without aggregations into ES Query Strings suitable for Kibana or other tools. 2017-02-22 21:47:12 +00:00			`import re`
			`import sigma`
Added Sigma converter skeleton * YAML parsing * argument parsing * empty backend classes 2017-02-13 22:14:40 +00:00
			`def getBackendList():`
			`"""Return list of backend classes"""`
			`return list(filter(lambda cls: type(cls) == type and issubclass(cls, BaseBackend) and cls.active, [item[1] for item in globals().items()]))`

			`def getBackendDict():`
			`return {cls.identifier: cls for cls in getBackendList() }`

Conversion to Elasticsearch Query Strings First version of sigmac that converts Sigma YAMLs without aggregations into ES Query Strings suitable for Kibana or other tools. 2017-02-22 21:47:12 +00:00			`def getBackend(name):`
			`try:`
			`return getBackendDict()[name]`
			`except KeyError as e:`
			`raise LookupError("Backend not found") from e`

Added Sigma converter skeleton * YAML parsing * argument parsing * empty backend classes 2017-02-13 22:14:40 +00:00			`class BaseBackend:`
			`"""Base class for all backends"""`
			`identifier = "base"`
			`active = False`

Field mappings 2017-03-06 21:07:04 +00:00			`def __init__(self, sigmaconfig):`
			`if not isinstance(sigmaconfig, (sigma.SigmaConfiguration, None)):`
			`raise TypeError("SigmaConfiguration object expected")`
			`self.sigmaconfig = sigmaconfig`

Conversion to Elasticsearch Query Strings First version of sigmac that converts Sigma YAMLs without aggregations into ES Query Strings suitable for Kibana or other tools. 2017-02-22 21:47:12 +00:00			`def generate(self, parsed):`
			`return self.generateNode(parsed.getParseTree())`

			`def generateNode(self, node):`
			`if type(node) == sigma.ConditionAND:`
Moved node output into dedicated backend class methods 2017-03-01 20:47:51 +00:00			`return self.generateANDNode(node)`
Conversion to Elasticsearch Query Strings First version of sigmac that converts Sigma YAMLs without aggregations into ES Query Strings suitable for Kibana or other tools. 2017-02-22 21:47:12 +00:00			`elif type(node) == sigma.ConditionOR:`
Moved node output into dedicated backend class methods 2017-03-01 20:47:51 +00:00			`return self.generateORNode(node)`
Conversion to Elasticsearch Query Strings First version of sigmac that converts Sigma YAMLs without aggregations into ES Query Strings suitable for Kibana or other tools. 2017-02-22 21:47:12 +00:00			`elif type(node) == sigma.ConditionNOT:`
Moved node output into dedicated backend class methods 2017-03-01 20:47:51 +00:00			`return self.generateNOTNode(node)`
Conversion to Elasticsearch Query Strings First version of sigmac that converts Sigma YAMLs without aggregations into ES Query Strings suitable for Kibana or other tools. 2017-02-22 21:47:12 +00:00			`elif type(node) == sigma.NodeSubexpression:`
Moved node output into dedicated backend class methods 2017-03-01 20:47:51 +00:00			`return self.generateSubexpressionNode(node)`
Conversion to Elasticsearch Query Strings First version of sigmac that converts Sigma YAMLs without aggregations into ES Query Strings suitable for Kibana or other tools. 2017-02-22 21:47:12 +00:00			`elif type(node) == tuple:`
Moved node output into dedicated backend class methods 2017-03-01 20:47:51 +00:00			`return self.generateMapItemNode(node)`
Conversion to Elasticsearch Query Strings First version of sigmac that converts Sigma YAMLs without aggregations into ES Query Strings suitable for Kibana or other tools. 2017-02-22 21:47:12 +00:00			`elif type(node) in (str, int):`
Moved node output into dedicated backend class methods 2017-03-01 20:47:51 +00:00			`return self.generateValueNode(node)`
Conversion to Elasticsearch Query Strings First version of sigmac that converts Sigma YAMLs without aggregations into ES Query Strings suitable for Kibana or other tools. 2017-02-22 21:47:12 +00:00			`elif type(node) == list:`
Moved node output into dedicated backend class methods 2017-03-01 20:47:51 +00:00			`return self.generateListNode(node)`
Conversion to Elasticsearch Query Strings First version of sigmac that converts Sigma YAMLs without aggregations into ES Query Strings suitable for Kibana or other tools. 2017-02-22 21:47:12 +00:00			`else:`
			`raise TypeError("Node type %s was not expected in Sigma parse tree" % (str(type(node))))`
Added Sigma converter skeleton * YAML parsing * argument parsing * empty backend classes 2017-02-13 22:14:40 +00:00
Moved node output into dedicated backend class methods 2017-03-01 20:47:51 +00:00			`def generateANDNode(self, node):`
			`raise NotImplementedError("Node type not implemented for this backend")`

			`def generateORNode(self, node):`
			`raise NotImplementedError("Node type not implemented for this backend")`

			`def generateNOTNode(self, node):`
			`raise NotImplementedError("Node type not implemented for this backend")`

			`def generateSubexpressionNode(self, node):`
			`raise NotImplementedError("Node type not implemented for this backend")`

			`def generateListNode(self, node):`
			`raise NotImplementedError("Node type not implemented for this backend")`

			`def generateMapItemNode(self, node):`
			`raise NotImplementedError("Node type not implemented for this backend")`

			`def generateValueNode(self, node):`
			`raise NotImplementedError("Node type not implemented for this backend")`

			`class ElasticsearchQuerystringBackend(BaseBackend):`
			`"""Converts Sigma rule into Elasticsearch query string. Only searches, no aggregations."""`
			`identifier = "es-qs"`
			`active = True`
Fix: automatic escaping of * and ? in es-qs backend removed 2017-03-02 11:07:07 +00:00			`reEscape = re.compile("([+\\-=!(){}\\[\\]^\"~:\\\\/]\|&&\|\\\|\\\|)")`
Moved node output into dedicated backend class methods 2017-03-01 20:47:51 +00:00			`reClear = re.compile("[<>]")`

			`def cleanValue(self, val):`
			`val = self.reEscape.sub("\\\\\g<1>", val)`
			`return self.reClear.sub("", val)`

			`def generateANDNode(self, node):`
			`return " AND ".join([self.generateNode(val) for val in node])`

			`def generateORNode(self, node):`
			`return " OR ".join([self.generateNode(val) for val in node])`

			`def generateNOTNode(self, node):`
			`return "NOT " + self.generateNode(node.item)`

			`def generateSubexpressionNode(self, node):`
			`return "(%s)" % self.generateNode(node.items)`

			`def generateListNode(self, node):`
			`if not set([type(value) for value in node]).issubset({str, int}):`
			`raise TypeError("List values must be strings or numbers")`
			`return "(%s)" % (" ".join([self.generateNode(value) for value in node]))`

			`def generateMapItemNode(self, node):`
			`key, value = node`
			`if type(value) not in (str, int, list):`
			`raise TypeError("Map values must be strings, numbers or lists, not " + str(type(value)))`
Field mappings 2017-03-06 21:07:04 +00:00			`return "%s:%s" % (self.sigmaconfig.get_fieldmapping(key), self.generateNode(value))`
Moved node output into dedicated backend class methods 2017-03-01 20:47:51 +00:00
			`def generateValueNode(self, node):`
			`return "\"%s\"" % (self.cleanValue(str(node)))`

Added Sigma converter skeleton * YAML parsing * argument parsing * empty backend classes 2017-02-13 22:14:40 +00:00			`class ElasticsearchDSLBackend(BaseBackend):`
			`"""Converts Sigma rule into Elasticsearch DSL query (JSON)."""`
			`identifier = "es-dsl"`
Deactivated not implemented backends 2017-03-02 21:55:45 +00:00			`active = False`
Added Sigma converter skeleton * YAML parsing * argument parsing * empty backend classes 2017-02-13 22:14:40 +00:00
			`class KibanaBackend(ElasticsearchDSLBackend):`
			`"""Converts Sigma rule into Kibana JSON Configurations."""`
			`identifier = "kibana"`
Deactivated not implemented backends 2017-03-02 21:55:45 +00:00			`active = False`
Added Sigma converter skeleton * YAML parsing * argument parsing * empty backend classes 2017-02-13 22:14:40 +00:00
			`class SplunkBackend(BaseBackend):`
			`"""Converts Sigma rule into Splunk Search Processing Language (SPL)."""`
			`identifier = "splunk"`
Added Splunk backend 2017-03-02 22:34:12 +00:00			`active = True`
Splunk specifics 2017-03-04 09:37:35 +00:00			`reEscape = re.compile('(["\\\\])')`
Added Splunk backend 2017-03-02 22:34:12 +00:00
			`def cleanValue(self, val):`
			`return self.reEscape.sub("\\\\\g<1>", val)`

			`def generateANDNode(self, node):`
Splunk specifics 2017-03-04 09:37:35 +00:00			`return " ".join([self.generateNode(val) for val in node])`
Added Splunk backend 2017-03-02 22:34:12 +00:00
			`def generateORNode(self, node):`
			`return " OR ".join([self.generateNode(val) for val in node])`

			`def generateNOTNode(self, node):`
			`return "NOT " + self.generateNode(node.item)`

			`def generateSubexpressionNode(self, node):`
			`return "(%s)" % self.generateNode(node.items)`

			`def generateListNode(self, node):`
			`if not set([type(value) for value in node]).issubset({str, int}):`
			`raise TypeError("List values must be strings or numbers")`
			`return "(%s)" % (" ".join([self.generateNode(value) for value in node]))`

			`def generateMapItemNode(self, node):`
			`key, value = node`
			`if type(value) in (str, int):`
Field mappings 2017-03-06 21:07:04 +00:00			`return '%s=%s' % (self.sigmaconfig.get_fieldmapping(key), self.generateNode(value))`
Added Splunk backend 2017-03-02 22:34:12 +00:00			`elif type(value) == list:`
Field mappings 2017-03-06 21:07:04 +00:00			`return "(" + (" OR ".join(['%s=%s' % (self.sigmaconfig.get_fieldmapping(key), self.generateValueNode(item)) for item in value])) + ")"`
Added Splunk backend 2017-03-02 22:34:12 +00:00			`else:`
			`raise TypeError("Map values must be strings, numbers or lists, not " + str(type(value)))`

			`def generateValueNode(self, node):`
			`return "\"%s\"" % (self.cleanValue(str(node)))`
Added Sigma converter skeleton * YAML parsing * argument parsing * empty backend classes 2017-02-13 22:14:40 +00:00
			`class NullBackend(BaseBackend):`
			`"""Does nothing, for debugging purposes."""`
			`identifier = "null"`
Deactivated not implemented backends 2017-03-02 21:55:45 +00:00			`active = False`
Conversion to Elasticsearch Query Strings First version of sigmac that converts Sigma YAMLs without aggregations into ES Query Strings suitable for Kibana or other tools. 2017-02-22 21:47:12 +00:00
			`def generate(self, parsed):`
			`pass`