SigmaHQ/tools/sigmac.py

#!/usr/bin/env python3
# A Sigma to SIEM converter

import sys
import argparse
import yaml
import json
from sigma import SigmaParser, SigmaParseError
import backends

def print_verbose(*args, **kwargs):
    if cmdargs.verbose or cmdargs.debug:
        print(*args, **kwargs)

def print_debug(*args, **kwargs):
    if cmdargs.debug:
        print(*args, **kwargs)

argparser = argparse.ArgumentParser(description="Convert Sigma rules into SIEM signatures.")
argparser.add_argument("--recurse", "-r", help="Recurse into subdirectories (not yet implemented)")
argparser.add_argument("--target", "-t", default="es-qs", choices=backends.getBackendDict().keys(), help="Output target format")
argparser.add_argument("--target-list", "-l", action="store_true", help="List available output target formats")
argparser.add_argument("--config", "-c", help="Configuration with field name and index mapping for target environment (not yet implemented)")
argparser.add_argument("--output", "-o", help="Output file or filename prefix if multiple files are generated (not yet implemented)")
argparser.add_argument("--verbose", "-v", action="store_true", help="Be verbose")
argparser.add_argument("--debug", "-d", action="store_true", help="Debugging output")
argparser.add_argument("inputs", nargs="*", help="Sigma input files")
cmdargs = argparser.parse_args()

if cmdargs.target_list:
    for backend in backends.getBackendList():
        print("%10s: %s" % (backend.identifier, backend.__doc__))
    sys.exit(0)

if cmdargs.recurse:
    print("--recurse/-r not yet implemented", file=sys.stderr)
    sys.exit(99)
if cmdargs.output:
    print("--output/-o not yet implemented", file=sys.stderr)
    sys.exit(99)
if cmdargs.config:
    print("--config/-c not yet implemented", file=sys.stderr)
    sys.exit(99)

try:
    backend = backends.getBackend(cmdargs.target)()
except LookupError as e:
    print("Backend not found!")
    sys.exit(1)

for sigmafile in cmdargs.inputs:
    print_verbose("* Processing Sigma input %s" % (sigmafile))
    try:
        f = open(sigmafile)
        parser = SigmaParser(f)
        print_debug("Parsed YAML:\n", json.dumps(parser.parsedyaml, indent=2))
        parser.parse_sigma()
        for condtoken in parser.condtoken:
            print_debug("Condition Tokens:", condtoken)
        for condparsed in parser.condparsed:
            print_debug("Condition Parse Tree:", condparsed)
            print(backend.generate(condparsed))
    except OSError as e:
        print("Failed to open Sigma file %s: %s" % (sigmafile, str(e)))
    except yaml.parser.ParserError as e:
        print("Sigma file %s is no valid YAML: %s" % (sigmafile, str(e)))
    except SigmaParseError as e:
        print("Sigma parse error in %s: %s" % (sigmafile, str(e)))
    except NotImplementedError as e:
        print("An unsupported feature is required for this Sigma rule: " + str(e))
        print("Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma")
    finally:
        f.close()
        print_debug()
Added Sigma converter skeleton * YAML parsing * argument parsing * empty backend classes 2017-02-13 22:14:40 +00:00			`#!/usr/bin/env python3`
			`# A Sigma to SIEM converter`

			`import sys`
			`import argparse`
			`import yaml`
			`import json`
Intermediate backup state: Parsing of most conditions * Conditions with parentheses cause exceptions 2017-02-22 21:43:35 +00:00			`from sigma import SigmaParser, SigmaParseError`
Added Sigma converter skeleton * YAML parsing * argument parsing * empty backend classes 2017-02-13 22:14:40 +00:00			`import backends`

			`def print_verbose(args, *kwargs):`
			`if cmdargs.verbose or cmdargs.debug:`
			`print(args, *kwargs)`

			`def print_debug(args, *kwargs):`
			`if cmdargs.debug:`
			`print(args, *kwargs)`

			`argparser = argparse.ArgumentParser(description="Convert Sigma rules into SIEM signatures.")`
Made not implemented sigmac features obvious * added notes to help message * error if not implemented option is used 2017-03-04 22:36:46 +00:00			`argparser.add_argument("--recurse", "-r", help="Recurse into subdirectories (not yet implemented)")`
Set sigmac default backend to 'es-qs' 2017-03-01 08:40:51 +00:00			`argparser.add_argument("--target", "-t", default="es-qs", choices=backends.getBackendDict().keys(), help="Output target format")`
Added Sigma converter skeleton * YAML parsing * argument parsing * empty backend classes 2017-02-13 22:14:40 +00:00			`argparser.add_argument("--target-list", "-l", action="store_true", help="List available output target formats")`
Made not implemented sigmac features obvious * added notes to help message * error if not implemented option is used 2017-03-04 22:36:46 +00:00			`argparser.add_argument("--config", "-c", help="Configuration with field name and index mapping for target environment (not yet implemented)")`
			`argparser.add_argument("--output", "-o", help="Output file or filename prefix if multiple files are generated (not yet implemented)")`
Added Sigma converter skeleton * YAML parsing * argument parsing * empty backend classes 2017-02-13 22:14:40 +00:00			`argparser.add_argument("--verbose", "-v", action="store_true", help="Be verbose")`
			`argparser.add_argument("--debug", "-d", action="store_true", help="Debugging output")`
			`argparser.add_argument("inputs", nargs="*", help="Sigma input files")`
			`cmdargs = argparser.parse_args()`

			`if cmdargs.target_list:`
			`for backend in backends.getBackendList():`
			`print("%10s: %s" % (backend.identifier, backend.__doc__))`
			`sys.exit(0)`

Made not implemented sigmac features obvious * added notes to help message * error if not implemented option is used 2017-03-04 22:36:46 +00:00			`if cmdargs.recurse:`
			`print("--recurse/-r not yet implemented", file=sys.stderr)`
			`sys.exit(99)`
			`if cmdargs.output:`
			`print("--output/-o not yet implemented", file=sys.stderr)`
			`sys.exit(99)`
			`if cmdargs.config:`
			`print("--config/-c not yet implemented", file=sys.stderr)`
			`sys.exit(99)`

Conversion to Elasticsearch Query Strings First version of sigmac that converts Sigma YAMLs without aggregations into ES Query Strings suitable for Kibana or other tools. 2017-02-22 21:47:12 +00:00			`try:`
			`backend = backends.getBackend(cmdargs.target)()`
			`except LookupError as e:`
			`print("Backend not found!")`
			`sys.exit(1)`

Added Sigma converter skeleton * YAML parsing * argument parsing * empty backend classes 2017-02-13 22:14:40 +00:00			`for sigmafile in cmdargs.inputs:`
Intermediate backup state: Parsing of most conditions * Conditions with parentheses cause exceptions 2017-02-22 21:43:35 +00:00			`print_verbose("* Processing Sigma input %s" % (sigmafile))`
Added Sigma converter skeleton * YAML parsing * argument parsing * empty backend classes 2017-02-13 22:14:40 +00:00			`try:`
			`f = open(sigmafile)`
Moved YAML parsing in SigmaParser class 2017-02-13 22:29:56 +00:00			`parser = SigmaParser(f)`
Parsing of search expressions * Tokenization * Building a parse tree * Aggregations not yet implemented 2017-02-22 21:47:12 +00:00			`print_debug("Parsed YAML:\n", json.dumps(parser.parsedyaml, indent=2))`
Intermediate backup state: Parsing of most conditions * Conditions with parentheses cause exceptions 2017-02-22 21:43:35 +00:00			`parser.parse_sigma()`
sigmac: Condition Tokenizer 2017-02-16 22:58:44 +00:00			`for condtoken in parser.condtoken:`
Parsing of search expressions * Tokenization * Building a parse tree * Aggregations not yet implemented 2017-02-22 21:47:12 +00:00			`print_debug("Condition Tokens:", condtoken)`
			`for condparsed in parser.condparsed:`
			`print_debug("Condition Parse Tree:", condparsed)`
Conversion to Elasticsearch Query Strings First version of sigmac that converts Sigma YAMLs without aggregations into ES Query Strings suitable for Kibana or other tools. 2017-02-22 21:47:12 +00:00			`print(backend.generate(condparsed))`
Added Sigma converter skeleton * YAML parsing * argument parsing * empty backend classes 2017-02-13 22:14:40 +00:00			`except OSError as e:`
			`print("Failed to open Sigma file %s: %s" % (sigmafile, str(e)))`
			`except yaml.parser.ParserError as e:`
			`print("Sigma file %s is no valid YAML: %s" % (sigmafile, str(e)))`
Intermediate backup state: Parsing of most conditions * Conditions with parentheses cause exceptions 2017-02-22 21:43:35 +00:00			`except SigmaParseError as e:`
			`print("Sigma parse error in %s: %s" % (sigmafile, str(e)))`
			`except NotImplementedError as e:`
Conversion to Elasticsearch Query Strings First version of sigmac that converts Sigma YAMLs without aggregations into ES Query Strings suitable for Kibana or other tools. 2017-02-22 21:47:12 +00:00			`print("An unsupported feature is required for this Sigma rule: " + str(e))`
Intermediate backup state: Parsing of most conditions * Conditions with parentheses cause exceptions 2017-02-22 21:43:35 +00:00			`print("Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma")`
Added Sigma converter skeleton * YAML parsing * argument parsing * empty backend classes 2017-02-13 22:14:40 +00:00			`finally:`
			`f.close()`
Intermediate backup state: Parsing of most conditions * Conditions with parentheses cause exceptions 2017-02-22 21:43:35 +00:00			`print_debug()`