SigmaHQ/README.md

[![Build Status](https://travis-ci.org/Neo23x0/sigma.svg?branch=master)](https://travis-ci.org/Neo23x0/sigma)

![sigma_logo](./images/Sigma_0.3.png)

# Sigma
Generic Signature Format for SIEM Systems

# What is Sigma?

Sigma is a generic and open signature format that allows you to describe relevant log events in a straight forward manner. The rule format is very flexible, easy to write and applicable to any type of log file. The main purpose of this project is to provide a structured form in which researchers or analysts can describe their once developed detection methods and make them shareable with others.

Sigma is for log files what [Snort](https://www.snort.org/) is for network traffic and [YARA](https://github.com/VirusTotal/yara) is for files.

This repository contains:

* Sigma rule specification in the [Wiki](https://github.com/Neo23x0/sigma/wiki/Specification)
* Open repository for sigma signatures in the ```./rules```subfolder
* A converter that generate searches/queries for different SIEM systems [work in progress]

## Hack.lu 2017 Talk

[![Sigma - Generic Signatures for Log Events](https://preview.ibb.co/cMCigR/Screen_Shot_2017_10_18_at_15_47_15.png)](https://www.youtube.com/watch?v=OheVuE9Ifhs "Sigma - Generic Signatures for Log Events")

# Use Cases

* Describe your once discovered detection method in Sigma to make it sharable 
* Share the signature in the appendix of your analysis along with file hashes and C2 servers
* Share the signature in threat intel communities - e.g. via MISP
* Provide Sigma signatures for malicious behaviour in your own application (Error messages, access violations, manipulations) 
* Integrate a new log into your SIEM and check the Sigma repository for available rules
* Write a rule converter for your custom log analysis tool and process new Sigma rules automatically
* Provide a free or commercial feed for Sigma signatures

# Sigma Converter

The converter is currently under development in the *devel-sigmac* branch of this project. It has currently the
following capabilities:

* Parsing of Sigma rule files
* Conversion of searches into Elasticsearch and Splunk queries

Planned main features are:

* Conversion of aggregation expressions (after the pipe character)
* Output of Kibana JSON configurations

Support for further SIEM solutions can be added by developing an corresponsing output backend class.

![sigma_description](./images/Sigma-description.png)

# Why Sigma

Today, everyone collects log data for analysis. People start working on their own, processing numerous white papers, blog posts and log analysis guidelines, extracting the necessary information and build their own searches and dashboard. Some of their searches and correlations are great and very useful but they lack a standardized format in which they can share their work with others. 

Others provide excellent analyses for threat groups, sharing file indicators, C2 servers and YARA rules to detect the malicious files, but describe a certain malicious service install or remote thread injection in a separate paragraph. Security analysts, who read that paragraph then extract the necessary information and create rules in their SIEM system. The detection method never finds a way into a repository that is shared, structured and archived. 

The lower layers of the OSI layer are well known and described. Every SIEM vendor has rules to detect port scans, ping sweeps and threats like the ['smurf attack'](https://en.wikipedia.org/wiki/Smurf_attack). But the higher layers contain numerous applications and protocols  with special characteristics that write their own custom log files. SIEM vendors consider the signatures and correlations as their intelectual property and do not tend to share details on the coverage. 

Sigma is meant to be an open standard in which detection mechanisms can be defined, shared and collected in order to improve the detection capabilities on the application layers for everyone. 

![sigma_why](./images/Problem_OSI_v01.png)

## Slides

See the first slide deck that I prepared for a private conference in mid January 2017.

[Sigma - Make Security Monitoring Great Again](https://www.slideshare.net/secret/gvgxeXoKblXRcA)

# Specification

The specifications can be found in the [Wiki](https://github.com/Neo23x0/sigma/wiki/Specification). 

The current specification is a proposal. Feedback is requested.

# Examples

Windows 'Security' Eventlog: Access to LSASS Process with Certain Access Mask / Object Type (experimental)
![sigma_rule example2](./images/Sigma_rule_example2.png)

Sysmon: Remote Thread Creation in LSASS Process
![sigma_rule example1](./images/Sigma_rule_example1.png)

Web Server Access Logs: Web Shell Detection
![sigma_rule example3](./images/Sigma_rule_example3.png)

Sysmon: Web Shell Detection
![sigma_rule example4](./images/Sigma_rule_example4.png)

Windows 'Security' Eventlog: Suspicious Number of Failed Logons from a Single Source Workstation
![sigma_rule example5](./images/Sigma_rule_example5.png)

## Sigmac

The beta version of the rule converter 'sigmac' converting a non-correlation rule into an ElasticSearch query
![sigmac_converter](./images/Sigmac-win_susp_rc4_kerberos.png)

## Supported Targets

* [Splunk](https://www.splunk.com/)
* [ElasticSearch](https://www.elastic.co/)
* [Logpoint](https://www.logpoint.com)

# Next Steps 

* Integration of feedback into the rule specifications
* Integration into Threat Intel Exchanges, e.g. [MISP](http://www.misp-project.org/)
* Attempts to convince others to use the rule format in their reports, threat feeds, blog posts, threat sharing platforms

# Projects that use Sigma

* [Augmentd](https://augmentd.co/)
* [TA-Sigma-Searches](https://github.com/dstaulcu/TA-Sigma-Searches) (Splunk App)

# Credits

This is a private project mainly developed by Florian Roth and Thomas Patzke with feedback from many fellow analysts and friends. Rules are our own or have been drived from blog posts, tweets or other public sources that are referenced in the rules.   

Copyright for Tree Image: [studiobarcelona / 123RF Stock Photo](http://www.123rf.com/profile_studiobarcelona)
Changed Travis status image URL to main repository 2017-08-07 06:38:07 +00:00			`[![Build Status](https://travis-ci.org/Neo23x0/sigma.svg?branch=master)](https://travis-ci.org/Neo23x0/sigma)`
formatting 2017-07-30 15:48:34 +00:00
Update README.md 2016-12-24 10:56:10 +00:00			`![sigma_logo](./images/Sigma_0.3.png)`

Update README.md 2016-12-26 01:23:34 +00:00			`# Sigma`
README Update 2017-02-06 19:03:57 +00:00			`Generic Signature Format for SIEM Systems`
Update README.md 2016-12-26 01:23:34 +00:00
			`# What is Sigma?`

Update README.md 2017-02-06 23:24:10 +00:00			`Sigma is a generic and open signature format that allows you to describe relevant log events in a straight forward manner. The rule format is very flexible, easy to write and applicable to any type of log file. The main purpose of this project is to provide a structured form in which researchers or analysts can describe their once developed detection methods and make them shareable with others.`
Update README.md 2016-12-26 10:14:15 +00:00
Added Thomas' hack.lu talk 2017-10-18 13:51:58 +00:00			`Sigma is for log files what [Snort](https://www.snort.org/) is for network traffic and [YARA](https://github.com/VirusTotal/yara) is for files.`
Update README.md 2016-12-26 01:23:34 +00:00
Update README.md 2017-02-06 23:24:10 +00:00			`This repository contains:`

			`* Sigma rule specification in the [Wiki](https://github.com/Neo23x0/sigma/wiki/Specification)`
			* Open repository for sigma signatures in the ```./rules```subfolder
Merge branch 'master' into devel-sigmac 2017-02-19 21:15:18 +00:00			`* A converter that generate searches/queries for different SIEM systems [work in progress]`
Mayor update Why Sigma, intro changed 2017-02-19 10:03:30 +00:00
Added Thomas' hack.lu talk 2017-10-18 13:51:58 +00:00			`## Hack.lu 2017 Talk`

			`[![Sigma - Generic Signatures for Log Events](https://preview.ibb.co/cMCigR/Screen_Shot_2017_10_18_at_15_47_15.png)](https://www.youtube.com/watch?v=OheVuE9Ifhs "Sigma - Generic Signatures for Log Events")`

Mayor update Why Sigma, intro changed 2017-02-19 10:03:30 +00:00			`# Use Cases`

			`* Describe your once discovered detection method in Sigma to make it sharable`
			`* Share the signature in the appendix of your analysis along with file hashes and C2 servers`
			`* Share the signature in threat intel communities - e.g. via MISP`
Update README.md 2017-03-01 07:55:06 +00:00			`* Provide Sigma signatures for malicious behaviour in your own application (Error messages, access violations, manipulations)`
Mayor update Why Sigma, intro changed 2017-02-19 10:03:30 +00:00			`* Integrate a new log into your SIEM and check the Sigma repository for available rules`
			`* Write a rule converter for your custom log analysis tool and process new Sigma rules automatically`
			`* Provide a free or commercial feed for Sigma signatures`

Merge branch 'master' into devel-sigmac 2017-02-19 21:15:18 +00:00			`# Sigma Converter`
Mayor update Why Sigma, intro changed 2017-02-19 10:03:30 +00:00
Merge branch 'master' into devel-sigmac 2017-02-19 21:15:18 +00:00			`The converter is currently under development in the devel-sigmac branch of this project. It has currently the`
			`following capabilities:`
Added Sigma converter skeleton * YAML parsing * argument parsing * empty backend classes 2017-02-13 22:14:40 +00:00
Merge branch 'master' into devel-sigmac 2017-02-19 21:15:18 +00:00			`* Parsing of Sigma rule files`
			`* Conversion of searches into Elasticsearch and Splunk queries`

			`Planned main features are:`

			`* Conversion of aggregation expressions (after the pipe character)`
			`* Output of Kibana JSON configurations`

			`Support for further SIEM solutions can be added by developing an corresponsing output backend class.`
Mayor update Why Sigma, intro changed 2017-02-19 10:03:30 +00:00
			`![sigma_description](./images/Sigma-description.png)`

			`# Why Sigma`

			`Today, everyone collects log data for analysis. People start working on their own, processing numerous white papers, blog posts and log analysis guidelines, extracting the necessary information and build their own searches and dashboard. Some of their searches and correlations are great and very useful but they lack a standardized format in which they can share their work with others.`
Update README.md 2017-02-06 23:24:10 +00:00
Mayor update Why Sigma, intro changed 2017-02-19 10:03:30 +00:00			`Others provide excellent analyses for threat groups, sharing file indicators, C2 servers and YARA rules to detect the malicious files, but describe a certain malicious service install or remote thread injection in a separate paragraph. Security analysts, who read that paragraph then extract the necessary information and create rules in their SIEM system. The detection method never finds a way into a repository that is shared, structured and archived.`

			`The lower layers of the OSI layer are well known and described. Every SIEM vendor has rules to detect port scans, ping sweeps and threats like the ['smurf attack'](https://en.wikipedia.org/wiki/Smurf_attack). But the higher layers contain numerous applications and protocols with special characteristics that write their own custom log files. SIEM vendors consider the signatures and correlations as their intelectual property and do not tend to share details on the coverage.`

			`Sigma is meant to be an open standard in which detection mechanisms can be defined, shared and collected in order to improve the detection capabilities on the application layers for everyone.`

			`![sigma_why](./images/Problem_OSI_v01.png)`

			`## Slides`
Update README.md 2017-02-06 23:24:37 +00:00
README Update 2017-02-06 19:03:57 +00:00			`See the first slide deck that I prepared for a private conference in mid January 2017.`

			`[Sigma - Make Security Monitoring Great Again](https://www.slideshare.net/secret/gvgxeXoKblXRcA)`

README Update Specs 1 2017-01-07 21:39:06 +00:00			`# Specification`

Update README.md 2017-02-06 23:24:10 +00:00			`The specifications can be found in the [Wiki](https://github.com/Neo23x0/sigma/wiki/Specification).`
README Update 2017-02-06 19:03:57 +00:00
Update README.md 2017-03-01 07:55:06 +00:00			`The current specification is a proposal. Feedback is requested.`
README Update 2017-02-06 19:03:57 +00:00
New Screenshot Section in README 2017-02-12 16:10:48 +00:00			`# Examples`

			`Windows 'Security' Eventlog: Access to LSASS Process with Certain Access Mask / Object Type (experimental)`
			`![sigma_rule example2](./images/Sigma_rule_example2.png)`

			`Sysmon: Remote Thread Creation in LSASS Process`
			`![sigma_rule example1](./images/Sigma_rule_example1.png)`

			`Web Server Access Logs: Web Shell Detection`
			`![sigma_rule example3](./images/Sigma_rule_example3.png)`

			`Sysmon: Web Shell Detection`
			`![sigma_rule example4](./images/Sigma_rule_example4.png)`

			`Windows 'Security' Eventlog: Suspicious Number of Failed Logons from a Single Source Workstation`
			`![sigma_rule example5](./images/Sigma_rule_example5.png)`

Sigmac Screenshot 2017-03-01 07:48:39 +00:00			`## Sigmac`

			`The beta version of the rule converter 'sigmac' converting a non-correlation rule into an ElasticSearch query`
			`![sigmac_converter](./images/Sigmac-win_susp_rc4_kerberos.png)`

Brought README up-to-date with the newest devs 2017-03-27 08:46:43 +00:00			`## Supported Targets`

			`* [Splunk](https://www.splunk.com/)`
			`* [ElasticSearch](https://www.elastic.co/)`
			`* [Logpoint](https://www.logpoint.com)`

Update README.md 2017-02-06 23:24:10 +00:00			`# Next Steps`
README Update Specs 1 2017-01-07 21:39:06 +00:00
Update README.md 2017-02-06 23:24:10 +00:00			`* Integration of feedback into the rule specifications`
Update README.md 2017-03-01 07:55:06 +00:00			`* Integration into Threat Intel Exchanges, e.g. [MISP](http://www.misp-project.org/)`
New Screenshot Section in README 2017-02-12 16:10:48 +00:00			`* Attempts to convince others to use the rule format in their reports, threat feeds, blog posts, threat sharing platforms`
Mayor update Why Sigma, intro changed 2017-02-19 10:03:30 +00:00
Brought README up-to-date with the newest devs 2017-03-27 08:46:43 +00:00			`# Projects that use Sigma`

			`* [Augmentd](https://augmentd.co/)`
			`* [TA-Sigma-Searches](https://github.com/dstaulcu/TA-Sigma-Searches) (Splunk App)`

Mayor update Why Sigma, intro changed 2017-02-19 10:03:30 +00:00			`# Credits`

Update README.md 2017-03-01 07:55:06 +00:00			`This is a private project mainly developed by Florian Roth and Thomas Patzke with feedback from many fellow analysts and friends. Rules are our own or have been drived from blog posts, tweets or other public sources that are referenced in the rules.`
Mayor update Why Sigma, intro changed 2017-02-19 10:03:30 +00:00
Link Bugfix 2017-02-19 10:09:32 +00:00			`Copyright for Tree Image: [studiobarcelona / 123RF Stock Photo](http://www.123rf.com/profile_studiobarcelona)`