valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 01:45:21 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #369 from TareqAlKhatib/refactors

Browse Source 
Refactors
This commit is contained in:
Thomas Patzke 2019-06-19 23:16:19 +02:00 committed by GitHub
commit d82df83ef1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 34 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
rules/apt/apt_ta17_293a_ps.yml
View File

@ -1,5 +1,5 @@
title: Ps.exe Renamed SysInternals Tool
description: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documentied in TA17-293A report
description: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report
references:
- https://www.us-cert.gov/ncas/alerts/TA17-293A
tags:

2
rules/windows/sysmon/sysmon_sysinternals_eula_accepted.yml
View File

@ -2,7 +2,7 @@
action: global
title: Usage of Sysinternals Tools
status: experimental
description: Detects the usage of Sysinternals Tools due to accepteula key beeing added to Registry
description: Detects the usage of Sysinternals Tools due to accepteula key being added to Registry
references:
- https://twitter.com/Moti_B/status/1008587936735035392
date: 2017/08/28

20
tools/sigmac
View File

@ -35,8 +35,6 @@ import codecs
sys.stdout = codecs.getwriter('utf-8')(sys.stdout.detach())
logger = logging.getLogger(__name__)
# Error codes
ERR_OUTPUT = 1
@ -57,14 +55,6 @@ ERR_NOT_IMPLEMENTED = 42
ERR_PARTIAL_FIELD_MATCH = 80
ERR_FULL_FIELD_MATCH = 90
def print_verbose(*args, **kwargs):
if cmdargs.verbose or cmdargs.debug:
print(*args, **kwargs)
def print_debug(*args, **kwargs): # pragme: no cover
if cmdargs.debug:
print(*args, **kwargs)
def alliter(path):
for sub in path.iterdir():
if sub.name.startswith("."):
@ -95,6 +85,9 @@ class SigmacArgumentParser(argparse.ArgumentParser):
return helptext
def set_argparser():
"""Sets up and parses the command line arguments for Sigmac.
Returns the argparser"""
argparser = SigmacArgumentParser(description="Convert Sigma rules into SIEM signatures.")
argparser.add_argument("--recurse", "-r", action="store_true", help="Use directory as input (recurse into subdirectories is not implemented yet)")
argparser.add_argument("--filter", "-f", help="""
@ -118,10 +111,15 @@ argparser.add_argument("--shoot-yourself-in-the-foot", action="store_true", help
argparser.add_argument("--verbose", "-v", action="store_true", help="Be verbose")
argparser.add_argument("--debug", "-D", action="store_true", help="Debugging output")
argparser.add_argument("inputs", nargs="*", help="Sigma input files ('-' for stdin)")
return argparser
argparser = set_argparser()
cmdargs = argparser.parse_args()
scm = SigmaConfigurationManager()
logger = logging.getLogger(__name__)
if cmdargs.debug: # pragma: no cover
logger.setLevel(logging.DEBUG)
@ -210,7 +208,7 @@ else:
error = 0
for sigmafile in get_inputs(cmdargs.inputs, cmdargs.recurse):
print_verbose("* Processing Sigma input %s" % (sigmafile))
logger.debug("* Processing Sigma input %s" % (sigmafile))
try:
if cmdargs.inputs == ['-']:
f = sigmafile