SigmaHQ/tools/sigmac.py

#!/usr/bin/env python3
# A Sigma to SIEM converter

import sys
import argparse
import yaml
import json
import pathlib
import itertools
from sigma import SigmaParser, SigmaParseError, SigmaConfiguration, SigmaConfigParseError
import backends

def print_verbose(*args, **kwargs):
    if cmdargs.verbose or cmdargs.debug:
        print(*args, **kwargs)

def print_debug(*args, **kwargs):
    if cmdargs.debug:
        print(*args, **kwargs)

def alliter(path):
    for sub in path.iterdir():
        if sub.is_dir():
            yield from alliter(sub)
        else:
            yield sub

def get_inputs(paths, recursive):
    if recursive:
        return list(itertools.chain.from_iterable([list(alliter(pathlib.Path(p))) for p in paths]))
    else:
        return [pathlib.Path(p) for p in paths]

argparser = argparse.ArgumentParser(description="Convert Sigma rules into SIEM signatures.")
argparser.add_argument("--recurse", "-r", action="store_true", help="Recurse into subdirectories (not yet implemented)")
argparser.add_argument("--target", "-t", default="es-qs", choices=backends.getBackendDict().keys(), help="Output target format")
argparser.add_argument("--target-list", "-l", action="store_true", help="List available output target formats")
argparser.add_argument("--config", "-c", help="Configuration with field name and index mapping for target environment (not yet implemented)")
argparser.add_argument("--output", "-o", help="Output file or filename prefix if multiple files are generated (not yet implemented)")
argparser.add_argument("--defer-abort", "-d", action="store_true", help="Don't abort on parse or conversion errors, proceed with next rule. The exit code from the last error is returned")
argparser.add_argument("--ignore-not-implemented", "-I", action="store_true", help="Only return error codes for parse errors and ignore errors for rules with not implemented features")
argparser.add_argument("--verbose", "-v", action="store_true", help="Be verbose")
argparser.add_argument("--debug", "-D", action="store_true", help="Debugging output")
argparser.add_argument("inputs", nargs="*", help="Sigma input files")
cmdargs = argparser.parse_args()

if cmdargs.target_list:
    for backend in backends.getBackendList():
        print("%10s: %s" % (backend.identifier, backend.__doc__))
    sys.exit(0)

out = sys.stdout
if cmdargs.output:
    try:
        out = open(cmdargs.output, mode='w')
    except IOError:
        print("Failed to open output file '%s': %s" % (cmdargs.output, str(e)), file=sys.stderr)
        exit(1)

sigmaconfig = SigmaConfiguration()
if cmdargs.config:
    try:
        conffile = cmdargs.config
        f = open(conffile)
        sigmaconfig = SigmaConfiguration(f)
    except OSError as e:
        print("Failed to open Sigma configuration file %s: %s" % (conffile, str(e)), file=sys.stderr)
    except yaml.parser.ParserError as e:
        print("Sigma configuration file %s is no valid YAML: %s" % (conffile, str(e)), file=sys.stderr)
    except SigmaParseError as e:
        print("Sigma configuration parse error in %s: %s" % (conffile, str(e)), file=sys.stderr)

try:
    backend = backends.getBackend(cmdargs.target)(sigmaconfig)
except LookupError as e:
    print("Backend not found!", file=sys.stderr)
    sys.exit(2)

error = 0
for sigmafile in get_inputs(cmdargs.inputs, cmdargs.recurse):
    print_verbose("* Processing Sigma input %s" % (sigmafile))
    try:
        f = sigmafile.open()
        parser = SigmaParser(f, sigmaconfig)
        print_debug("Parsed YAML:\n", json.dumps(parser.parsedyaml, indent=2))
        parser.parse_sigma()
        for condtoken in parser.condtoken:
            print_debug("Condition Tokens:", condtoken)
        for condparsed in parser.condparsed:
            print_debug("Condition Parse Tree:", condparsed)
            print(backend.generate(condparsed), file=out)
    except OSError as e:
        print("Failed to open Sigma file %s: %s" % (sigmafile, str(e)), file=sys.stderr)
    except yaml.parser.ParserError as e:
        print("Sigma file %s is no valid YAML: %s" % (sigmafile, str(e)), file=sys.stderr)
        error = 3
        if not cmdargs.defer_abort:
            sys.exit(error)
    except SigmaParseError as e:
        print("Sigma parse error in %s: %s" % (sigmafile, str(e)), file=sys.stderr)
        error = 4
        if not cmdargs.defer_abort:
            sys.exit(error)
    except NotImplementedError as e:
        print("An unsupported feature is required for this Sigma rule: " + str(e), file=sys.stderr)
        print("Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma", file=sys.stderr)
        if not cmdargs.ignore_not_implemented:
            error = 42
            if not cmdargs.defer_abort:
                sys.exit(error)
    finally:
        f.close()
        try:
            for condtoken in parser.condtoken:
                print_debug("Condition Tokens:", condtoken)
        except AttributeError:
            print_debug("Sigma rule didn't reached condition tokenization")
        print_debug()

sys.exit(error)
Added Sigma converter skeleton * YAML parsing * argument parsing * empty backend classes 2017-02-13 22:14:40 +00:00			`#!/usr/bin/env python3`
			`# A Sigma to SIEM converter`

			`import sys`
			`import argparse`
			`import yaml`
			`import json`
Sigmac recursive feature 2017-03-06 08:36:10 +00:00			`import pathlib`
			`import itertools`
Parsing of sigmac configuration files * field mappings * log sources 2017-03-05 22:44:52 +00:00			`from sigma import SigmaParser, SigmaParseError, SigmaConfiguration, SigmaConfigParseError`
Added Sigma converter skeleton * YAML parsing * argument parsing * empty backend classes 2017-02-13 22:14:40 +00:00			`import backends`

			`def print_verbose(args, *kwargs):`
			`if cmdargs.verbose or cmdargs.debug:`
			`print(args, *kwargs)`

			`def print_debug(args, *kwargs):`
			`if cmdargs.debug:`
			`print(args, *kwargs)`

Sigmac recursive feature 2017-03-06 08:36:10 +00:00			`def alliter(path):`
			`for sub in path.iterdir():`
			`if sub.is_dir():`
			`yield from alliter(sub)`
			`else:`
			`yield sub`

			`def get_inputs(paths, recursive):`
			`if recursive:`
			`return list(itertools.chain.from_iterable([list(alliter(pathlib.Path(p))) for p in paths]))`
			`else:`
Bugfix: non-recursive list not pathlib.Path elements but strings 2017-03-07 08:41:46 +00:00			`return [pathlib.Path(p) for p in paths]`
Sigmac recursive feature 2017-03-06 08:36:10 +00:00
Added Sigma converter skeleton * YAML parsing * argument parsing * empty backend classes 2017-02-13 22:14:40 +00:00			`argparser = argparse.ArgumentParser(description="Convert Sigma rules into SIEM signatures.")`
Sigmac recursive feature 2017-03-06 08:36:10 +00:00			`argparser.add_argument("--recurse", "-r", action="store_true", help="Recurse into subdirectories (not yet implemented)")`
Set sigmac default backend to 'es-qs' 2017-03-01 08:40:51 +00:00			`argparser.add_argument("--target", "-t", default="es-qs", choices=backends.getBackendDict().keys(), help="Output target format")`
Added Sigma converter skeleton * YAML parsing * argument parsing * empty backend classes 2017-02-13 22:14:40 +00:00			`argparser.add_argument("--target-list", "-l", action="store_true", help="List available output target formats")`
Made not implemented sigmac features obvious * added notes to help message * error if not implemented option is used 2017-03-04 22:36:46 +00:00			`argparser.add_argument("--config", "-c", help="Configuration with field name and index mapping for target environment (not yet implemented)")`
			`argparser.add_argument("--output", "-o", help="Output file or filename prefix if multiple files are generated (not yet implemented)")`
sigmac: added parameter to control error behavior * --defer-abort * --ignore-not-implemented 2017-08-01 22:56:22 +00:00			`argparser.add_argument("--defer-abort", "-d", action="store_true", help="Don't abort on parse or conversion errors, proceed with next rule. The exit code from the last error is returned")`
			`argparser.add_argument("--ignore-not-implemented", "-I", action="store_true", help="Only return error codes for parse errors and ignore errors for rules with not implemented features")`
Added Sigma converter skeleton * YAML parsing * argument parsing * empty backend classes 2017-02-13 22:14:40 +00:00			`argparser.add_argument("--verbose", "-v", action="store_true", help="Be verbose")`
sigmac: added parameter to control error behavior * --defer-abort * --ignore-not-implemented 2017-08-01 22:56:22 +00:00			`argparser.add_argument("--debug", "-D", action="store_true", help="Debugging output")`
Added Sigma converter skeleton * YAML parsing * argument parsing * empty backend classes 2017-02-13 22:14:40 +00:00			`argparser.add_argument("inputs", nargs="*", help="Sigma input files")`
			`cmdargs = argparser.parse_args()`

			`if cmdargs.target_list:`
			`for backend in backends.getBackendList():`
			`print("%10s: %s" % (backend.identifier, backend.__doc__))`
			`sys.exit(0)`

Added --output/-o parameter to sigmac 2017-03-18 22:15:03 +00:00			`out = sys.stdout`
Made not implemented sigmac features obvious * added notes to help message * error if not implemented option is used 2017-03-04 22:36:46 +00:00			`if cmdargs.output:`
Added --output/-o parameter to sigmac 2017-03-18 22:15:03 +00:00			`try:`
			`out = open(cmdargs.output, mode='w')`
			`except IOError:`
			`print("Failed to open output file '%s': %s" % (cmdargs.output, str(e)), file=sys.stderr)`
			`exit(1)`
Field mappings 2017-03-06 21:07:04 +00:00
			`sigmaconfig = SigmaConfiguration()`
Made not implemented sigmac features obvious * added notes to help message * error if not implemented option is used 2017-03-04 22:36:46 +00:00			`if cmdargs.config:`
Parsing of sigmac configuration files * field mappings * log sources 2017-03-05 22:44:52 +00:00			`try:`
			`conffile = cmdargs.config`
			`f = open(conffile)`
Field mappings 2017-03-06 21:07:04 +00:00			`sigmaconfig = SigmaConfiguration(f)`
Parsing of sigmac configuration files * field mappings * log sources 2017-03-05 22:44:52 +00:00			`except OSError as e:`
Error and warning messages are printed to stderr 2017-03-06 22:01:33 +00:00			`print("Failed to open Sigma configuration file %s: %s" % (conffile, str(e)), file=sys.stderr)`
Parsing of sigmac configuration files * field mappings * log sources 2017-03-05 22:44:52 +00:00			`except yaml.parser.ParserError as e:`
Error and warning messages are printed to stderr 2017-03-06 22:01:33 +00:00			`print("Sigma configuration file %s is no valid YAML: %s" % (conffile, str(e)), file=sys.stderr)`
Parsing of sigmac configuration files * field mappings * log sources 2017-03-05 22:44:52 +00:00			`except SigmaParseError as e:`
Error and warning messages are printed to stderr 2017-03-06 22:01:33 +00:00			`print("Sigma configuration parse error in %s: %s" % (conffile, str(e)), file=sys.stderr)`
Made not implemented sigmac features obvious * added notes to help message * error if not implemented option is used 2017-03-04 22:36:46 +00:00
Conversion to Elasticsearch Query Strings First version of sigmac that converts Sigma YAMLs without aggregations into ES Query Strings suitable for Kibana or other tools. 2017-02-22 21:47:12 +00:00			`try:`
Field mappings 2017-03-06 21:07:04 +00:00			`backend = backends.getBackend(cmdargs.target)(sigmaconfig)`
Conversion to Elasticsearch Query Strings First version of sigmac that converts Sigma YAMLs without aggregations into ES Query Strings suitable for Kibana or other tools. 2017-02-22 21:47:12 +00:00			`except LookupError as e:`
Error and warning messages are printed to stderr 2017-03-06 22:01:33 +00:00			`print("Backend not found!", file=sys.stderr)`
sigmac: return error codes 2017-07-30 22:31:49 +00:00			`sys.exit(2)`
Conversion to Elasticsearch Query Strings First version of sigmac that converts Sigma YAMLs without aggregations into ES Query Strings suitable for Kibana or other tools. 2017-02-22 21:47:12 +00:00
sigmac: added parameter to control error behavior * --defer-abort * --ignore-not-implemented 2017-08-01 22:56:22 +00:00			`error = 0`
Sigmac recursive feature 2017-03-06 08:36:10 +00:00			`for sigmafile in get_inputs(cmdargs.inputs, cmdargs.recurse):`
Intermediate backup state: Parsing of most conditions * Conditions with parentheses cause exceptions 2017-02-22 21:43:35 +00:00			`print_verbose("* Processing Sigma input %s" % (sigmafile))`
Added Sigma converter skeleton * YAML parsing * argument parsing * empty backend classes 2017-02-13 22:14:40 +00:00			`try:`
Finished path recursion 2017-03-06 20:26:56 +00:00			`f = sigmafile.open()`
Parsing log sources in configuration files 2017-03-12 22:12:21 +00:00			`parser = SigmaParser(f, sigmaconfig)`
Parsing of search expressions * Tokenization * Building a parse tree * Aggregations not yet implemented 2017-02-22 21:47:12 +00:00			`print_debug("Parsed YAML:\n", json.dumps(parser.parsedyaml, indent=2))`
Intermediate backup state: Parsing of most conditions * Conditions with parentheses cause exceptions 2017-02-22 21:43:35 +00:00			`parser.parse_sigma()`
sigmac: Condition Tokenizer 2017-02-16 22:58:44 +00:00			`for condtoken in parser.condtoken:`
Parsing of search expressions * Tokenization * Building a parse tree * Aggregations not yet implemented 2017-02-22 21:47:12 +00:00			`print_debug("Condition Tokens:", condtoken)`
			`for condparsed in parser.condparsed:`
			`print_debug("Condition Parse Tree:", condparsed)`
Added --output/-o parameter to sigmac 2017-03-18 22:15:03 +00:00			`print(backend.generate(condparsed), file=out)`
Added Sigma converter skeleton * YAML parsing * argument parsing * empty backend classes 2017-02-13 22:14:40 +00:00			`except OSError as e:`
Error and warning messages are printed to stderr 2017-03-06 22:01:33 +00:00			`print("Failed to open Sigma file %s: %s" % (sigmafile, str(e)), file=sys.stderr)`
Added Sigma converter skeleton * YAML parsing * argument parsing * empty backend classes 2017-02-13 22:14:40 +00:00			`except yaml.parser.ParserError as e:`
Error and warning messages are printed to stderr 2017-03-06 22:01:33 +00:00			`print("Sigma file %s is no valid YAML: %s" % (sigmafile, str(e)), file=sys.stderr)`
sigmac: added parameter to control error behavior * --defer-abort * --ignore-not-implemented 2017-08-01 22:56:22 +00:00			`error = 3`
			`if not cmdargs.defer_abort:`
			`sys.exit(error)`
Intermediate backup state: Parsing of most conditions * Conditions with parentheses cause exceptions 2017-02-22 21:43:35 +00:00			`except SigmaParseError as e:`
Error and warning messages are printed to stderr 2017-03-06 22:01:33 +00:00			`print("Sigma parse error in %s: %s" % (sigmafile, str(e)), file=sys.stderr)`
sigmac: added parameter to control error behavior * --defer-abort * --ignore-not-implemented 2017-08-01 22:56:22 +00:00			`error = 4`
			`if not cmdargs.defer_abort:`
			`sys.exit(error)`
Intermediate backup state: Parsing of most conditions * Conditions with parentheses cause exceptions 2017-02-22 21:43:35 +00:00			`except NotImplementedError as e:`
Error and warning messages are printed to stderr 2017-03-06 22:01:33 +00:00			`print("An unsupported feature is required for this Sigma rule: " + str(e), file=sys.stderr)`
			`print("Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma", file=sys.stderr)`
sigmac: added parameter to control error behavior * --defer-abort * --ignore-not-implemented 2017-08-01 22:56:22 +00:00			`if not cmdargs.ignore_not_implemented:`
			`error = 42`
			`if not cmdargs.defer_abort:`
			`sys.exit(error)`
Added Sigma converter skeleton * YAML parsing * argument parsing * empty backend classes 2017-02-13 22:14:40 +00:00			`finally:`
			`f.close()`
Verbose mode prints tokens if parsing failed 2017-03-29 20:21:40 +00:00			`try:`
			`for condtoken in parser.condtoken:`
			`print_debug("Condition Tokens:", condtoken)`
			`except AttributeError:`
			`print_debug("Sigma rule didn't reached condition tokenization")`
Intermediate backup state: Parsing of most conditions * Conditions with parentheses cause exceptions 2017-02-22 21:43:35 +00:00			`print_debug()`
sigmac: added parameter to control error behavior * --defer-abort * --ignore-not-implemented 2017-08-01 22:56:22 +00:00
			`sys.exit(error)`