SigmaHQ/tools/sigmac

#!/usr/bin/env python3
# A Sigma to SIEM converter
# Copyright 2016-2017 Thomas Patzke, Florian Roth

# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.

# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Lesser General Public License for more details.

# You should have received a copy of the GNU Lesser General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

import sys
import argparse
import yaml
import json
import pathlib
import itertools
import logging
from sigma.parser import SigmaCollectionParser, SigmaCollectionParseError, SigmaParseError
from sigma.config import SigmaConfiguration, SigmaConfigParseError, SigmaRuleFilter, SigmaRuleFilterParseException
import sigma.backends as backends
import codecs

sys.stdout = codecs.getwriter('utf-8')(sys.stdout.detach())

logger = logging.getLogger(__name__)

def print_verbose(*args, **kwargs):
    if cmdargs.verbose or cmdargs.debug:
        print(*args, **kwargs)

def print_debug(*args, **kwargs):
    if cmdargs.debug:
        print(*args, **kwargs)

def alliter(path):
    for sub in path.iterdir():
        if sub.name.startswith("."):
            continue
        if sub.is_dir():
            yield from alliter(sub)
        else:
            yield sub

def get_inputs(paths, recursive):
    if recursive:
        return list(itertools.chain.from_iterable([list(alliter(pathlib.Path(p))) for p in paths]))
    else:
        return [pathlib.Path(p) for p in paths]

class SigmacArgumentParser(argparse.ArgumentParser):
    def format_help(self):
        helptext = super().format_help() + "\nBackend options:\n"

        for backend in backends.getBackendList():
            if len(backend.options) > 0:
                helptext += "  " + backend.identifier + "\n"
                for option, default, help, _ in backend.options:
                    helptext += "    {:10}: {} (default: {})".format(option, help, default) + "\n"

        return helptext

argparser = SigmacArgumentParser(description="Convert Sigma rules into SIEM signatures.")
argparser.add_argument("--recurse", "-r", action="store_true", help="Recurse into subdirectories (not yet implemented)")
argparser.add_argument("--filter", "-f", help="""
Define comma-separated filters that must match (AND-linked) to rule to be processed.
Valid filters: level<=x, level>=x, level=x, status=y, logsource=z.
x is one of: low, medium, high, critical.
y is one of: experimental, testing, stable.
z is a word appearing in an arbitrary log source attribute.
Multiple log source specifications are AND linked.
        """)
argparser.add_argument("--target", "-t", default="es-qs", choices=backends.getBackendDict().keys(), help="Output target format")
argparser.add_argument("--target-list", "-l", action="store_true", help="List available output target formats")
argparser.add_argument("--config", "-c", help="Configuration with field name and index mapping for target environment (not yet implemented)")
argparser.add_argument("--output", "-o", default=None, help="Output file or filename prefix if multiple files are generated (not yet implemented)")
argparser.add_argument("--backend-option", "-O", action="append", help="Options and switches that are passed to the backend")
argparser.add_argument("--defer-abort", "-d", action="store_true", help="Don't abort on parse or conversion errors, proceed with next rule. The exit code from the last error is returned")
argparser.add_argument("--ignore-not-implemented", "-I", action="store_true", help="Only return error codes for parse errors and ignore errors for rules with not implemented features")
argparser.add_argument("--verbose", "-v", action="store_true", help="Be verbose")
argparser.add_argument("--debug", "-D", action="store_true", help="Debugging output")
argparser.add_argument("inputs", nargs="*", help="Sigma input files")
cmdargs = argparser.parse_args()

if cmdargs.debug:
    logger.setLevel(logging.DEBUG)

if cmdargs.target_list:
    for backend in backends.getBackendList():
        print("%10s: %s" % (backend.identifier, backend.__doc__))
    sys.exit(0)
elif len(cmdargs.inputs) == 0:
    print("Nothing to do!")
    argparser.print_usage()

rulefilter = None
if cmdargs.filter:
    try:
        rulefilter = SigmaRuleFilter(cmdargs.filter)
    except SigmaRuleFilterParseException as e:
        print("Parse error in Sigma rule filter expression: %s" % str(e), file=sys.stderr)
        sys.exit(9)

out = sys.stdout
sigmaconfig = SigmaConfiguration()
if cmdargs.config:
    try:
        conffile = cmdargs.config
        f = open(conffile)
        sigmaconfig = SigmaConfiguration(f)
    except OSError as e:
        print("Failed to open Sigma configuration file %s: %s" % (conffile, str(e)), file=sys.stderr)
        exit(5)
    except (yaml.parser.ParserError, yaml.scanner.ScannerError) as e:
        print("Sigma configuration file %s is no valid YAML: %s" % (conffile, str(e)), file=sys.stderr)
        exit(6)
    except SigmaConfigParseError as e:
        print("Sigma configuration parse error in %s: %s" % (conffile, str(e)), file=sys.stderr)
        exit(7)

backend_options = backends.BackendOptions(cmdargs.backend_option)

try:
    backend = backends.getBackend(cmdargs.target)(sigmaconfig, backend_options, cmdargs.output)
    # not existing backend is already detected by argument parser
except IOError as e:
    print("Failed to open output file '%s': %s" % (cmdargs.output, str(e)), file=sys.stderr)
    exit(1)

error = 0
for sigmafile in get_inputs(cmdargs.inputs, cmdargs.recurse):
    print_verbose("* Processing Sigma input %s" % (sigmafile))
    try:
        f = sigmafile.open(encoding='utf-8')
        parser = SigmaCollectionParser(f, sigmaconfig, rulefilter)
        parser.generate(backend)
    except OSError as e:
        print("Failed to open Sigma file %s: %s" % (sigmafile, str(e)), file=sys.stderr)
        error = 5
    except (yaml.parser.ParserError, yaml.scanner.ScannerError) as e:
        print("Sigma file %s is no valid YAML: %s" % (sigmafile, str(e)), file=sys.stderr)
        error = 3
        if not cmdargs.defer_abort:
            sys.exit(error)
    except (SigmaParseError, SigmaCollectionParseError) as e:
        print("Sigma parse error in %s: %s" % (sigmafile, str(e)), file=sys.stderr)
        error = 4
        if not cmdargs.defer_abort:
            sys.exit(error)
    except backends.BackendError as e:
        print("Backend error in %s: %s" % (sigmafile, str(e)), file=sys.stderr)
        error = 8
        if not cmdargs.defer_abort:
            sys.exit(error)
    except NotImplementedError as e:
        print("An unsupported feature is required for this Sigma rule: " + str(e), file=sys.stderr)
        print("Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma", file=sys.stderr)
        if not cmdargs.ignore_not_implemented:
            error = 42
            if not cmdargs.defer_abort:
                sys.exit(error)
    finally:
        try:
            f.close()
        except:
            pass
backend.finalize()

sys.exit(error)
Added Sigma converter skeleton * YAML parsing * argument parsing * empty backend classes 2017-02-13 22:14:40 +00:00			`#!/usr/bin/env python3`
			`# A Sigma to SIEM converter`
Re-licensing toolchain under LGPLv3 Thanks to Ben de Haan and Devin Ferguson for permission for this change. 2017-12-07 20:55:43 +00:00			`# Copyright 2016-2017 Thomas Patzke, Florian Roth`

			`# This program is free software: you can redistribute it and/or modify`
			`# it under the terms of the GNU Lesser General Public License as published by`
			`# the Free Software Foundation, either version 3 of the License, or`
			`# (at your option) any later version.`

			`# This program is distributed in the hope that it will be useful,`
			`# but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`# GNU Lesser General Public License for more details.`

			`# You should have received a copy of the GNU Lesser General Public License`
			`# along with this program. If not, see <http://www.gnu.org/licenses/>.`
Added Sigma converter skeleton * YAML parsing * argument parsing * empty backend classes 2017-02-13 22:14:40 +00:00
			`import sys`
			`import argparse`
			`import yaml`
			`import json`
Sigmac recursive feature 2017-03-06 08:36:10 +00:00			`import pathlib`
			`import itertools`
Added logging framework 2017-10-31 21:13:20 +00:00			`import logging`
Finished packaging and refactoring 2017-12-08 21:32:39 +00:00			`from sigma.parser import SigmaCollectionParser, SigmaCollectionParseError, SigmaParseError`
			`from sigma.config import SigmaConfiguration, SigmaConfigParseError, SigmaRuleFilter, SigmaRuleFilterParseException`
			`import sigma.backends as backends`
Fixed encoding issues Some OS environments don't use UTF-8 as default encoding. Enforced it for output files and stdout. 2017-12-12 23:12:56 +00:00			`import codecs`

			`sys.stdout = codecs.getwriter('utf-8')(sys.stdout.detach())`
Added Sigma converter skeleton * YAML parsing * argument parsing * empty backend classes 2017-02-13 22:14:40 +00:00
Added logging framework 2017-10-31 21:13:20 +00:00			`logger = logging.getLogger(__name__)`

Added Sigma converter skeleton * YAML parsing * argument parsing * empty backend classes 2017-02-13 22:14:40 +00:00			`def print_verbose(args, *kwargs):`
			`if cmdargs.verbose or cmdargs.debug:`
			`print(args, *kwargs)`

			`def print_debug(args, *kwargs):`
			`if cmdargs.debug:`
			`print(args, *kwargs)`

Sigmac recursive feature 2017-03-06 08:36:10 +00:00			`def alliter(path):`
			`for sub in path.iterdir():`
Skipping dotfiles 2017-12-14 21:39:51 +00:00			`if sub.name.startswith("."):`
			`continue`
Sigmac recursive feature 2017-03-06 08:36:10 +00:00			`if sub.is_dir():`
			`yield from alliter(sub)`
			`else:`
			`yield sub`

			`def get_inputs(paths, recursive):`
			`if recursive:`
			`return list(itertools.chain.from_iterable([list(alliter(pathlib.Path(p))) for p in paths]))`
			`else:`
Bugfix: non-recursive list not pathlib.Path elements but strings 2017-03-07 08:41:46 +00:00			`return [pathlib.Path(p) for p in paths]`
Sigmac recursive feature 2017-03-06 08:36:10 +00:00
sigmac: improved backend options * parsing in main class * help 2018-03-20 23:53:44 +00:00			`class SigmacArgumentParser(argparse.ArgumentParser):`
			`def format_help(self):`
			`helptext = super().format_help() + "\nBackend options:\n"`

			`for backend in backends.getBackendList():`
			`if len(backend.options) > 0:`
			`helptext += " " + backend.identifier + "\n"`
			`for option, default, help, _ in backend.options:`
			`helptext += " {:10}: {} (default: {})".format(option, help, default) + "\n"`

			`return helptext`

			`argparser = SigmacArgumentParser(description="Convert Sigma rules into SIEM signatures.")`
Sigmac recursive feature 2017-03-06 08:36:10 +00:00			`argparser.add_argument("--recurse", "-r", action="store_true", help="Recurse into subdirectories (not yet implemented)")`
sigmac: Added rule filter 2017-11-01 23:02:15 +00:00			`argparser.add_argument("--filter", "-f", help="""`
			`Define comma-separated filters that must match (AND-linked) to rule to be processed.`
			`Valid filters: level<=x, level>=x, level=x, status=y, logsource=z.`
			`x is one of: low, medium, high, critical.`
			`y is one of: experimental, testing, stable.`
			`z is a word appearing in an arbitrary log source attribute.`
			`Multiple log source specifications are AND linked.`
			`""")`
Set sigmac default backend to 'es-qs' 2017-03-01 08:40:51 +00:00			`argparser.add_argument("--target", "-t", default="es-qs", choices=backends.getBackendDict().keys(), help="Output target format")`
Added Sigma converter skeleton * YAML parsing * argument parsing * empty backend classes 2017-02-13 22:14:40 +00:00			`argparser.add_argument("--target-list", "-l", action="store_true", help="List available output target formats")`
Made not implemented sigmac features obvious * added notes to help message * error if not implemented option is used 2017-03-04 22:36:46 +00:00			`argparser.add_argument("--config", "-c", help="Configuration with field name and index mapping for target environment (not yet implemented)")`
sigmac: Generic Text File Output Moved output logic into generic class. 2017-08-28 22:05:59 +00:00			`argparser.add_argument("--output", "-o", default=None, help="Output file or filename prefix if multiple files are generated (not yet implemented)")`
sigmac: X-Pack Watcher backend improvements * Renamed backend class according to convention * Output types: curl (default) and plain * Prefix of rule names * Indices from configuration * Support for multiple conditions per rule * Usage of parsed condition * Support for all condition operators * Fixed bug preventing from passing multiple options to backend * Added to CI tests 2017-09-21 22:28:35 +00:00			`argparser.add_argument("--backend-option", "-O", action="append", help="Options and switches that are passed to the backend")`
sigmac: added parameter to control error behavior * --defer-abort * --ignore-not-implemented 2017-08-01 22:56:22 +00:00			`argparser.add_argument("--defer-abort", "-d", action="store_true", help="Don't abort on parse or conversion errors, proceed with next rule. The exit code from the last error is returned")`
			`argparser.add_argument("--ignore-not-implemented", "-I", action="store_true", help="Only return error codes for parse errors and ignore errors for rules with not implemented features")`
Added Sigma converter skeleton * YAML parsing * argument parsing * empty backend classes 2017-02-13 22:14:40 +00:00			`argparser.add_argument("--verbose", "-v", action="store_true", help="Be verbose")`
sigmac: added parameter to control error behavior * --defer-abort * --ignore-not-implemented 2017-08-01 22:56:22 +00:00			`argparser.add_argument("--debug", "-D", action="store_true", help="Debugging output")`
Added Sigma converter skeleton * YAML parsing * argument parsing * empty backend classes 2017-02-13 22:14:40 +00:00			`argparser.add_argument("inputs", nargs="*", help="Sigma input files")`
			`cmdargs = argparser.parse_args()`

Multiple rules per file * New wrapper class SigmaCollectionParser parses all YAML documents contained in file and handles multiple SigmaParser instantiation. * Exemplary extended one security/4688 rule to security/4688 + sysmon/1 2017-10-31 22:06:18 +00:00			`if cmdargs.debug:`
			`logger.setLevel(logging.DEBUG)`

Added Sigma converter skeleton * YAML parsing * argument parsing * empty backend classes 2017-02-13 22:14:40 +00:00			`if cmdargs.target_list:`
			`for backend in backends.getBackendList():`
			`print("%10s: %s" % (backend.identifier, backend.__doc__))`
			`sys.exit(0)`
Finalizing PyPI release * Removed .py suffix from command line tools * sigmac tells when it does nothing and prints usage notice * Makefile upload target * minor changes 2017-12-08 22:50:08 +00:00			`elif len(cmdargs.inputs) == 0:`
			`print("Nothing to do!")`
			`argparser.print_usage()`
Added Sigma converter skeleton * YAML parsing * argument parsing * empty backend classes 2017-02-13 22:14:40 +00:00
sigmac: Added rule filter 2017-11-01 23:02:15 +00:00			`rulefilter = None`
			`if cmdargs.filter:`
			`try:`
			`rulefilter = SigmaRuleFilter(cmdargs.filter)`
			`except SigmaRuleFilterParseException as e:`
			`print("Parse error in Sigma rule filter expression: %s" % str(e), file=sys.stderr)`
			`sys.exit(9)`

Added --output/-o parameter to sigmac 2017-03-18 22:15:03 +00:00			`out = sys.stdout`
Field mappings 2017-03-06 21:07:04 +00:00			`sigmaconfig = SigmaConfiguration()`
Made not implemented sigmac features obvious * added notes to help message * error if not implemented option is used 2017-03-04 22:36:46 +00:00			`if cmdargs.config:`
Parsing of sigmac configuration files * field mappings * log sources 2017-03-05 22:44:52 +00:00			`try:`
			`conffile = cmdargs.config`
			`f = open(conffile)`
Field mappings 2017-03-06 21:07:04 +00:00			`sigmaconfig = SigmaConfiguration(f)`
Parsing of sigmac configuration files * field mappings * log sources 2017-03-05 22:44:52 +00:00			`except OSError as e:`
Error and warning messages are printed to stderr 2017-03-06 22:01:33 +00:00			`print("Failed to open Sigma configuration file %s: %s" % (conffile, str(e)), file=sys.stderr)`
Improved test coverage 2017-10-19 15:42:56 +00:00			`exit(5)`
			`except (yaml.parser.ParserError, yaml.scanner.ScannerError) as e:`
Error and warning messages are printed to stderr 2017-03-06 22:01:33 +00:00			`print("Sigma configuration file %s is no valid YAML: %s" % (conffile, str(e)), file=sys.stderr)`
Improved test coverage 2017-10-19 15:42:56 +00:00			`exit(6)`
			`except SigmaConfigParseError as e:`
Error and warning messages are printed to stderr 2017-03-06 22:01:33 +00:00			`print("Sigma configuration parse error in %s: %s" % (conffile, str(e)), file=sys.stderr)`
Improved test coverage 2017-10-19 15:42:56 +00:00			`exit(7)`
Made not implemented sigmac features obvious * added notes to help message * error if not implemented option is used 2017-03-04 22:36:46 +00:00
Added backend options * generic support for backend-specific options * kibana backend option for title prefix 2017-09-16 21:46:40 +00:00			`backend_options = backends.BackendOptions(cmdargs.backend_option)`

Conversion to Elasticsearch Query Strings First version of sigmac that converts Sigma YAMLs without aggregations into ES Query Strings suitable for Kibana or other tools. 2017-02-22 21:47:12 +00:00			`try:`
Added backend options * generic support for backend-specific options * kibana backend option for title prefix 2017-09-16 21:46:40 +00:00			`backend = backends.getBackend(cmdargs.target)(sigmaconfig, backend_options, cmdargs.output)`
Improved test coverage 2017-10-19 15:42:56 +00:00			`# not existing backend is already detected by argument parser`
			`except IOError as e:`
sigmac: Generic Text File Output Moved output logic into generic class. 2017-08-28 22:05:59 +00:00			`print("Failed to open output file '%s': %s" % (cmdargs.output, str(e)), file=sys.stderr)`
			`exit(1)`
Conversion to Elasticsearch Query Strings First version of sigmac that converts Sigma YAMLs without aggregations into ES Query Strings suitable for Kibana or other tools. 2017-02-22 21:47:12 +00:00
sigmac: added parameter to control error behavior * --defer-abort * --ignore-not-implemented 2017-08-01 22:56:22 +00:00			`error = 0`
Sigmac recursive feature 2017-03-06 08:36:10 +00:00			`for sigmafile in get_inputs(cmdargs.inputs, cmdargs.recurse):`
Intermediate backup state: Parsing of most conditions * Conditions with parentheses cause exceptions 2017-02-22 21:43:35 +00:00			`print_verbose("* Processing Sigma input %s" % (sigmafile))`
Added Sigma converter skeleton * YAML parsing * argument parsing * empty backend classes 2017-02-13 22:14:40 +00:00			`try:`
Fixed encoding issues Some OS environments don't use UTF-8 as default encoding. Enforced it for output files and stdout. 2017-12-12 23:12:56 +00:00			`f = sigmafile.open(encoding='utf-8')`
sigmac: Added rule filter 2017-11-01 23:02:15 +00:00			`parser = SigmaCollectionParser(f, sigmaconfig, rulefilter)`
Multiple rules per file * New wrapper class SigmaCollectionParser parses all YAML documents contained in file and handles multiple SigmaParser instantiation. * Exemplary extended one security/4688 rule to security/4688 + sysmon/1 2017-10-31 22:06:18 +00:00			`parser.generate(backend)`
Added Sigma converter skeleton * YAML parsing * argument parsing * empty backend classes 2017-02-13 22:14:40 +00:00			`except OSError as e:`
Error and warning messages are printed to stderr 2017-03-06 22:01:33 +00:00			`print("Failed to open Sigma file %s: %s" % (sigmafile, str(e)), file=sys.stderr)`
Changed sigmac error behavior on I/O errors 2017-08-07 06:54:18 +00:00			`error = 5`
Improved test coverage 2017-10-19 15:42:56 +00:00			`except (yaml.parser.ParserError, yaml.scanner.ScannerError) as e:`
Error and warning messages are printed to stderr 2017-03-06 22:01:33 +00:00			`print("Sigma file %s is no valid YAML: %s" % (sigmafile, str(e)), file=sys.stderr)`
sigmac: added parameter to control error behavior * --defer-abort * --ignore-not-implemented 2017-08-01 22:56:22 +00:00			`error = 3`
			`if not cmdargs.defer_abort:`
			`sys.exit(error)`
sigmac: Added rule filter 2017-11-01 23:02:15 +00:00			`except (SigmaParseError, SigmaCollectionParseError) as e:`
Error and warning messages are printed to stderr 2017-03-06 22:01:33 +00:00			`print("Sigma parse error in %s: %s" % (sigmafile, str(e)), file=sys.stderr)`
sigmac: added parameter to control error behavior * --defer-abort * --ignore-not-implemented 2017-08-01 22:56:22 +00:00			`error = 4`
			`if not cmdargs.defer_abort:`
			`sys.exit(error)`
Kibana backend throws exception when multiple indices appear * Introduced backend errors with handling in sigmac 2017-10-22 22:45:01 +00:00			`except backends.BackendError as e:`
			`print("Backend error in %s: %s" % (sigmafile, str(e)), file=sys.stderr)`
			`error = 8`
			`if not cmdargs.defer_abort:`
			`sys.exit(error)`
Intermediate backup state: Parsing of most conditions * Conditions with parentheses cause exceptions 2017-02-22 21:43:35 +00:00			`except NotImplementedError as e:`
Error and warning messages are printed to stderr 2017-03-06 22:01:33 +00:00			`print("An unsupported feature is required for this Sigma rule: " + str(e), file=sys.stderr)`
			`print("Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma", file=sys.stderr)`
sigmac: added parameter to control error behavior * --defer-abort * --ignore-not-implemented 2017-08-01 22:56:22 +00:00			`if not cmdargs.ignore_not_implemented:`
			`error = 42`
			`if not cmdargs.defer_abort:`
			`sys.exit(error)`
Added Sigma converter skeleton * YAML parsing * argument parsing * empty backend classes 2017-02-13 22:14:40 +00:00			`finally:`
Changed sigmac error behavior on I/O errors 2017-08-07 06:54:18 +00:00			`try:`
			`f.close()`
			`except:`
			`pass`
Further backend changes * backends get complete SigmaParser objects instead of condition * addition of finalize step for backends * Renaming of output classes 2017-09-03 22:56:04 +00:00			`backend.finalize()`
sigmac: added parameter to control error behavior * --defer-abort * --ignore-not-implemented 2017-08-01 22:56:22 +00:00
			`sys.exit(error)`