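# Targets that are commands, not files. Every target in this file falls into that
# category; without the declaration a file or directory named e.g. `clean` or
# `build` in the repository root would silently satisfy the target and the recipe
# would never run.
.PHONY: test test-yaml test-sigmac test-merge test-backend-es-qs clearcov finish build upload-test upload clean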
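# Scratch output file for the stdin conversion test in test-sigmac; removed by finish.
# `:=` is essential here: it runs the $(shell ...) exactly once at parse time. With the
# recursive `=` flavour every reference re-ran tempfile/mktemp, so each expansion created
# a fresh file and the one written by test-sigmac was never the one removed by finish
# (a leaked temp file per run). Note the file is still created on every make invocation,
# including ones that never use it.
TMPOUT := $(shell tempfile||mktemp)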
# Comma-separated glob list handed to `coverage run --include=`: only these files count
# towards the coverage figure that finish enforces.
COVSCOPE := tools/sigma/*.py,tools/sigma/backends/*.py,tools/sigmac,tools/merge_sigma
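# Full test run. The order of these prerequisites is load-bearing: clearcov must empty
# .coverage before the first `coverage run -a`, and finish must produce the report (and
# remove $(TMPOUT)) after the last one.
test: clearcov test-yaml test-sigmac test-merge build finish
# Prerequisite order is only honoured by a serial build, and every test recipe appends
# to the single .coverage file, so a parallel run (make -j) would both reorder the steps
# and race on that file. Disable parallelism for this Makefile.
.NOTPARALLEL: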
# Start from an empty coverage database so the final report reflects only this run.
clearcov:
	$(RM) .coverage
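# Last step of `test`: enforce the coverage threshold and drop the scratch file.
# The scratch file is removed *before* the report: `coverage report` is the step that is
# expected to fail when coverage is too low, and make stops at the first failing line,
# so the original order leaked $(TMPOUT) on every failed run.
finish:
	rm -f $(TMPOUT)
	coverage report --fail-under=90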
# Syntax/style check of every rule file under rules/.
test-yaml:
	yamllint rules
# One coverage-instrumented sigmac invocation. Every recipe line below appends (`-a`)
# to the same .coverage database so that finish can report on the whole run.
SIGMAC_COV := coverage run -a --include=$(COVSCOPE) tools/sigmac

# Exercise the sigmac command line against the real rule tree and the fixtures in tests/.
# Lines prefixed with `!` are cases sigmac must reject. `!` inverts the shell exit status,
# so such a line passes on *any* non-zero exit -- a traceback or a missing `coverage`
# binary included -- and cannot distinguish a clean rejection from a crash; treat a
# passing negated line as a weak signal.
test-sigmac:
# Basic command-line paths: no arguments, help, backend list.
	$(SIGMAC_COV)
	$(SIGMAC_COV) -h
	$(SIGMAC_COV) -l
# Recursive conversion of rules/ without -I must fail; with -I it must succeed for every backend.
	! $(SIGMAC_COV) -rvd -t es-qs rules/ > /dev/null
	$(SIGMAC_COV) -rvdI -t es-qs rules/ > /dev/null
	$(SIGMAC_COV) -O rulecomment -rvdI -t es-qs rules/ > /dev/null
	$(SIGMAC_COV) -rvdI -t kibana rules/ > /dev/null
	$(SIGMAC_COV) -rvdI -t graylog rules/ > /dev/null
	$(SIGMAC_COV) -rvdI -t xpack-watcher rules/ > /dev/null
	$(SIGMAC_COV) -rvdI -t elastalert rules/ > /dev/null
	$(SIGMAC_COV) -rvdI -t splunk rules/ > /dev/null
	$(SIGMAC_COV) -rvdI -t splunkxml rules/ > /dev/null
	$(SIGMAC_COV) -rvdI -t logpoint rules/ > /dev/null
	$(SIGMAC_COV) -rvdI -t wdatp rules/ > /dev/null
	$(SIGMAC_COV) -rvdI -t es-dsl rules/ > /dev/null
# Backends that need a field-mapping configuration (-c) to convert the tree.
	$(SIGMAC_COV) -rvdI -t powershell -c tools/config/powershell-windows-all.yml -Ocsv rules/ > /dev/null
	$(SIGMAC_COV) -rvdI -t arcsight -c tools/config/arcsight.yml rules/ > /dev/null
	$(SIGMAC_COV) -rvdI -t qradar -c tools/config/arcsight.yml rules/ > /dev/null
	$(SIGMAC_COV) -rvdI -t qualys -c tools/config/qualys.yml rules/ > /dev/null
	$(SIGMAC_COV) -rvdI -t netwitness -c tools/config/netwitness.yml rules/ > /dev/null
	$(SIGMAC_COV) -rvdI -t sumologic -c tools/config/sumologic.yml rules/ > /dev/null
# Rule filter expressions (-f): valid ones convert, unknown values/keys are rejected.
	$(SIGMAC_COV) -rvdI -t splunk -f 'level>=high,level<=critical,status=stable,logsource=windows,tag=attack.execution' rules/ > /dev/null
	! $(SIGMAC_COV) -rvdI -t splunk -f 'level>=high,level<=critical,status=xstable,logsource=windows' rules/ > /dev/null
	! $(SIGMAC_COV) -rvdI -t splunk -f 'level>=high,level<=xcritical,status=stable,logsource=windows' rules/ > /dev/null
	$(SIGMAC_COV) -rvdI -t splunk -f 'level=critical' rules/ > /dev/null
	! $(SIGMAC_COV) -rvdI -t splunk -f 'level=xcritical' rules/ > /dev/null
	! $(SIGMAC_COV) -rvdI -t splunk -f 'foo=bar' rules/ > /dev/null
# Elastic-family backends with the shipped configurations, including stacked -c files.
	$(SIGMAC_COV) -rvdI -c tools/config/elk-windows.yml -t es-qs rules/ > /dev/null
	$(SIGMAC_COV) -rvdI -c tools/config/generic/sysmon.yml -c tools/config/elk-windows.yml -t es-qs rules/ > /dev/null
	$(SIGMAC_COV) -rvdI -c tools/config/elk-linux.yml -t es-qs rules/ > /dev/null
	$(SIGMAC_COV) -rvdI -c tools/config/elk-windows.yml -t kibana rules/ > /dev/null
	$(SIGMAC_COV) -rvdI -c tools/config/elk-windows.yml -Ooutput=curl -t kibana rules/ > /dev/null
	$(SIGMAC_COV) -rvdI -c tools/config/elk-linux.yml -t kibana rules/ > /dev/null
	$(SIGMAC_COV) -rvdI -c tools/config/elk-linux.yml -Ooutput=curl -t kibana rules/ > /dev/null
	$(SIGMAC_COV) -rvdI -c tools/config/elk-windows.yml -t xpack-watcher rules/ > /dev/null
	$(SIGMAC_COV) -rvdI -c tools/config/elk-linux.yml -t xpack-watcher rules/ > /dev/null
	$(SIGMAC_COV) -rvdI -c tools/config/elk-defaultindex.yml -t xpack-watcher rules/ > /dev/null
# Splunk and Logpoint with their shipped configurations.
	$(SIGMAC_COV) -rvdI -c tools/config/splunk-windows-all.yml -t splunk rules/ > /dev/null
	$(SIGMAC_COV) -rvdI -c tools/config/splunk-windows-all-index.yml -t splunk rules/ > /dev/null
	$(SIGMAC_COV) -rvdI -c tools/config/generic/sysmon.yml -c tools/config/splunk-windows-all.yml -t splunk rules/ > /dev/null
	$(SIGMAC_COV) -rvdI -c tools/config/logpoint-windows-all.yml -t logpoint rules/ > /dev/null
# Text-oriented backends.
	$(SIGMAC_COV) -rvdI -t grep rules/ > /dev/null
	$(SIGMAC_COV) -rvdI -t fieldlist rules/ > /dev/null
# Backend options (-O) on a single rule, multi-config mapping fixtures, and a rule
# collection read from stdin with the result written to the scratch file.
	$(SIGMAC_COV) -t xpack-watcher -O output=plain -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
	$(SIGMAC_COV) -t kibana -c tests/config-multiple_mapping.yml -c tests/config-multiple_mapping-2.yml tests/mapping-conditional-multi.yml > /dev/null
	$(SIGMAC_COV) -t xpack-watcher -O output=json -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
	$(SIGMAC_COV) -t es-qs -o $(TMPOUT) - < tests/collection_repeat.yml > /dev/null
# Inputs that must be rejected: an unknown output option, missing or malformed rule
# files, the invalid-sigma fixtures, an unwritable output path and bad configurations.
	! $(SIGMAC_COV) -t xpack-watcher -O output=foobar -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
	! $(SIGMAC_COV) -t es-qs tests/not_existing.yml > /dev/null
	! $(SIGMAC_COV) -t es-qs tests/invalid_yaml.yml > /dev/null
	! $(SIGMAC_COV) -t es-qs tests/invalid_sigma-no_identifiers.yml > /dev/null
	! $(SIGMAC_COV) -t es-qs tests/invalid_sigma-no_condition.yml > /dev/null
	! $(SIGMAC_COV) -t es-qs tests/invalid_sigma-invalid_identifier_reference.yml > /dev/null
	! $(SIGMAC_COV) -t es-qs tests/invalid_sigma-invalid_aggregation.yml > /dev/null
	! $(SIGMAC_COV) -t es-qs tests/invalid_sigma-wrong_identifier_definition.yml > /dev/null
	! $(SIGMAC_COV) -t es-qs rules/windows/builtin/win_susp_failed_logons_single_source.yml
	! $(SIGMAC_COV) -t es-qs -o /not_possible rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
	! $(SIGMAC_COV) -t es-qs -c not_existing rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
	! $(SIGMAC_COV) -t es-qs -c tests/invalid_yaml.yml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
	! $(SIGMAC_COV) -t es-qs -c tests/invalid_config.yml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
	! $(SIGMAC_COV) -rv -c tools/config/elk-defaultindex.yml -t kibana rules/ > /dev/null
# merge_sigma: the shell-driven test script, plus one input that must be rejected.
# `!` inverts the exit status, so the second line passes on any non-zero exit.
test-merge:
	tests/test-merge.sh
	! coverage run -a --include=$(COVSCOPE) tools/merge_sigma tests/not_existing.yml > /dev/null
# Backend tests for es-qs. Run on demand (`make test-backend-es-qs`); it is not in the
# prerequisite list of `test`.
test-backend-es-qs:
	tests/test-backend-es-qs.py
# Build the wheel from tools/ (output lands in tools/dist). The prerequisites are the
# packaged sources; since nothing named `build` is created in the repository root the
# recipe runs on every invocation regardless.
build: tools/sigmac tools/merge_sigma tools/sigma/*.py tools/setup.py tools/setup.cfg
	cd tools && python3 setup.py bdist_wheel
# Publish the freshly built distribution(s) to the TestPyPI endpoint.
upload-test: build
	twine upload --repository-url https://test.pypi.org/legacy/ tools/dist/*
# Publish the freshly built distribution(s) to twine's default (production) index.
upload: build
	twine upload tools/dist/*
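# Remove the packaging products under tools/ and all Python bytecode caches.
clean:
# `&&` rather than `;`: if the cd fails, the rm must not run in the current directory,
# where it would delete any unrelated build/ and dist/ trees found there.
	cd tools && rm -fr build dist Sigma.egg-info
# -prune keeps find from descending into a directory it has just handed to rm; without
# it find reports "No such file or directory" for the removed tree and exits non-zero.
	find tools/ -type d -name __pycache__ -prune -exec rm -fr {} +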