sigmac: Parameter for ignoring "not supported" errors

Used to pass tests with the complete rule set that would otherwise fail for backends
whose target systems don't support the required features.
This commit is contained in:
Thomas Patzke 2018-06-22 00:22:45 +02:00
parent 31727b3b25
commit d8e036f737
2 changed files with 9 additions and 2 deletions


@ -21,7 +21,7 @@ test-sigmac:
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t xpack-watcher rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t logpoint rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t wdatp rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdIS -t wdatp rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-dsl rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level>=high,level<=critical,status=stable,logsource=windows' rules/ > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level>=high,level<=critical,status=xstable,logsource=windows' rules/ > /dev/null
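Review bot: Adding `-S` to the wdatp run (`-rvdIS -t wdatp`) means that invocation can no longer fail on a not-supported error, so a regression in which a rule starts requiring a feature the wdatp target cannot express passes this target silently; only parse errors still yield a non-zero exit. Whether the `-rvdIS` line replaces the `-rvdI -t wdatp` line or is added next to it cannot be read from the rendered page, but either way the reason the flag is needed for this backend only is not recorded. A one-line comment above the run, such as `# wdatp: some rules need features the target cannot express; -S keeps the run green`, would tell the next maintainer why this backend is treated differently from the others. If the goal is also to prove the flag matters, the negated `!` pattern used for the filter check at the end of the target could assert that the same run without `-S` fails.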


@ -82,7 +82,8 @@ argparser.add_argument("--config", "-c", help="Configuration with field name and
argparser.add_argument("--output", "-o", default=None, help="Output file or filename prefix if multiple files are generated (not yet implemented)")
argparser.add_argument("--backend-option", "-O", action="append", help="Options and switches that are passed to the backend")
argparser.add_argument("--defer-abort", "-d", action="store_true", help="Don't abort on parse or conversion errors, proceed with next rule. The exit code from the last error is returned")
argparser.add_argument("--ignore-not-implemented", "-I", action="store_true", help="Only return error codes for parse errors and ignore errors for rules with not implemented features")
argparser.add_argument("--ignore-not-implemented", "-I", action="store_true", help="Ignore errors for rules with not implemented features")
argparser.add_argument("--ignore-not-supported", "-S", action="store_true", help="Ignore errors for rules which require features that are not supported by the target system")
argparser.add_argument("--verbose", "-v", action="store_true", help="Be verbose")
argparser.add_argument("--debug", "-D", action="store_true", help="Debugging output")
argparser.add_argument("inputs", nargs="*", help="Sigma input files")
@ -153,6 +154,12 @@ for sigmafile in get_inputs(cmdargs.inputs, cmdargs.recurse):
error = 4
if not cmdargs.defer_abort:
sys.exit(error)
except backends.NotSupportedError as e:
print("The Sigma rule requires a feature that is not supported by the target system: " + str(e), file=sys.stderr)
if not cmdargs.ignore_not_supported:
error = 9
if not cmdargs.defer_abort:
sys.exit(error)
except backends.BackendError as e:
print("Backend error in %s: %s" % (sigmafile, str(e)), file=sys.stderr)
error = 8
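Review bot: The new NotSupportedError message does not name the rule file, so with `--defer-abort` on a large rule set the user cannot tell which rule triggered it, while the BackendError branch right below it already prints `sigmafile`. Using the same format as that branch, `print("Backend error in %s: the rule requires a feature that is not supported by the target system: %s" % (sigmafile, str(e)), file=sys.stderr)`, keeps the output consistent and attributable. The handler order is correct as long as NotSupportedError is a subclass of BackendError, which the hunk does not show; if it is not, the `except backends.BackendError` clause would not have caught it before either, so nothing changes there. Exit code 9 is new; if exit codes are listed anywhere (README or `--help` epilog), that list should gain an entry for it. The enclosing `for sigmafile` loop and its `try` begin outside the hunk.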