# Output backends for sigmac
# Copyright 2016-2018 Thomas Patzke
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
# You should have received a copy of the GNU Lesser General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import sigma
### Mixins
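class QuoteCharMixin:
    """
    Adds ``cleanValue``, which escapes and strips characters in a value according to
    the three class attributes below. A backend that mixes this in overrides
    ``reEscape`` and ``reClear`` with compiled regular expressions; leaving one at
    ``None`` (or any falsy value) disables that step.
    """
    reEscape = None  # compiled regex matching characters that must be escaped
    # Replacement template handed to reEscape.sub(): a literal backslash followed by
    # the text of group 1, so reEscape patterns must capture the matched character in
    # group 1. Written as a raw string: in a normal string literal "\g" is an invalid
    # escape sequence that CPython warns about (DeprecationWarning, SyntaxWarning from
    # 3.12). The runtime value is byte-identical to the previous literal.
    escapeSubst = r"\\\g<1>"
    reClear = None  # compiled regex matching characters that are removed entirely

    def cleanValue(self, val):
        """
        Return *val* with every ``reEscape`` match rewritten through ``escapeSubst``
        and every ``reClear`` match deleted. Escaping is applied before clearing.

        *val* is passed to ``re.sub`` unchanged, so it has to be of the type the
        patterns operate on (``str`` for the usual text patterns); no conversion is
        done here.
        """
        if self.reEscape:
            val = self.reEscape.sub(self.escapeSubst, val)
        if self.reClear:
            val = self.reClear.sub("", val)
        return val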
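class RulenameCommentMixin:
    """
    Prefixes each generated query with a comment line holding the rule title, when
    the ``rulecomment`` backend option is enabled.
    """
    prefix = "# "  # comment marker placed in front of the title
    # Backend option tuple (name, default, help, choices). self.rulecomment is read
    # below; it is presumably populated from this option by the backend base class,
    # which is not visible in this file.
    options = (
        ("rulecomment", False, "Prefix generated query with comment containing title", None),
    )

    def generateBefore(self, parsed):
        """
        Return the comment line(s) to emit before the query for *parsed*.

        Only acts when ``self.rulecomment`` is truthy; otherwise ``None`` is returned
        (implicitly), matching the previous behaviour callers rely on. Returns ``""``
        when the rule has no ``title`` key. The title is split on ``"\\n"`` and every
        piece gets ``prefix``, so a title containing a line break cannot yield an
        unprefixed line inside the generated output; single-line titles produce
        exactly the same text as before.
        """
        if self.rulecomment:
            try:
                title = parsed.sigmaParser.parsedyaml['title']
            except KeyError:
                return ""
            return "".join(
                "%s%s\n" % (self.prefix, line) for line in str(title).split("\n")
            )

    def generateAfter(self, parsed):
        """Return a separating newline when ``self.rulecomment`` is truthy, else ``None``."""
        if self.rulecomment:
            return "\n"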
class MultiRuleOutputMixin:
    """Shared state and helpers for backends that emit output for several rules at once."""

    # Character mapping applied to the rule title: spaces become "-", parentheses are dropped.
    _rulenameTable = str.maketrans({" ": "-", "(": None, ")": None})

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.rulenames = set()  # every name handed out by getRuleName so far

    def getRuleName(self, sigmaparser):
        """
        Derive a rule name from the Sigma rule title in ``sigmaparser.parsedyaml``.

        Spaces are replaced with ``-`` and ``(`` / ``)`` are removed. If the result
        was already returned by this instance, ``-2``, ``-3``, ... is appended until
        an unused name is found. Every returned name is recorded in
        ``self.rulenames``. Raises ``KeyError`` when the rule has no ``title``.
        """
        base = sigmaparser.parsedyaml["title"].translate(self._rulenameTable)
        candidate = base
        suffix = 1
        while candidate in self.rulenames:  # bump the counter until the name is free
            suffix += 1
            candidate = "%s-%d" % (base, suffix)
        self.rulenames.add(candidate)
        return candidate