valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

QRadar backend: add support for re type modifiers

Browse Source
This commit is contained in:
svent 2019-09-01 21:21:50 +02:00
parent 03d45d57de
commit 467c8f694c
1 changed files with 17 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
tools/sigma/backends/qradar.py
View File

@ -17,6 +17,8 @@
import re
import sigma
from sigma.parser.modifiers.base import SigmaTypeModifier
from sigma.parser.modifiers.type import SigmaRegularExpressionModifier
from .base import SingleTextQueryBackend
from .mixins import MultiRuleOutputMixin
@ -85,6 +87,8 @@ class QRadarBackend(SingleTextQueryBackend):
return self.mapExpression % (self.cleanKey(key), self.generateNode(value))
elif type(value) == list:
return self.generateMapItemListNode(key, value)
elif isinstance(value, SigmaTypeModifier):
return self.generateMapItemTypedNode(key, value)
elif value is None:
return self.nullExpression % (key, )
else:
@ -100,6 +104,19 @@ class QRadarBackend(SingleTextQueryBackend):
itemslist.append('%s = %s' % (self.cleanKey(key), self.generateValueNode(item, True)))
return '('+" or ".join(itemslist)+')'
def generateMapItemTypedNode(self, fieldname, value):
if type(value) == SigmaRegularExpressionModifier:
regex = str(value)
# Regular Expressions have to match the full value in QRadar
if len(regex) > 0:
if regex[0] != '^':
regex = '.*' + regex
if regex[-1] != '$':
regex = regex + '.*'
return "%s imatches %s" % (self.cleanKey(fieldname), self.generateValueNode(regex, True))
else:
raise NotImplementedError("Type modifier '{}' is not supported by backend".format(node.identifier))
def generateValueNode(self, node, keypresent):
if keypresent == False:
return "UTF8(payload) ilike \'{0}{1}{2}\'".format("%", self.cleanValue(str(node)), "%")