Merge pull request #1923 from frack113/fix_invalid_tags

Check invalid tags
2024-11-06 17:35:19 +00:00 · 2021-08-25 10:26:43 +02:00 · 2021-08-25 10:26:43 +02:00 · f277ecbbeb
commit f277ecbbeb
parent a6767255c0 a4021842de
11 changed files with 148 additions and 148 deletions
--- a/rules/compliance/cleartext_protocols.yml
+++ b/rules/compliance/cleartext_protocols.yml
@ -13,49 +13,49 @@ references:
 falsepositives:
    - unknown
 level: low
-tags:
-    - CSC4
-    - CSC4.5
-    - CSC14
-    - CSC14.4
-    - CSC16
-    - CSC16.5
-    - NIST CSF 1.1 PR.AT-2
-    - NIST CSF 1.1 PR.MA-2
-    - NIST CSF 1.1 PR.PT-3
-    - NIST CSF 1.1 PR.AC-1
-    - NIST CSF 1.1 PR.AC-4
-    - NIST CSF 1.1 PR.AC-5
-    - NIST CSF 1.1 PR.AC-6
-    - NIST CSF 1.1 PR.AC-7
-    - NIST CSF 1.1 PR.DS-1
-    - NIST CSF 1.1 PR.DS-2
-    - ISO 27002-2013 A.9.2.1
-    - ISO 27002-2013 A.9.2.2
-    - ISO 27002-2013 A.9.2.3
-    - ISO 27002-2013 A.9.2.4
-    - ISO 27002-2013 A.9.2.5
-    - ISO 27002-2013 A.9.2.6
-    - ISO 27002-2013 A.9.3.1
-    - ISO 27002-2013 A.9.4.1
-    - ISO 27002-2013 A.9.4.2
-    - ISO 27002-2013 A.9.4.3
-    - ISO 27002-2013 A.9.4.4
-    - ISO 27002-2013 A.8.3.1
-    - ISO 27002-2013 A.9.1.1
-    - ISO 27002-2013 A.10.1.1
-    - PCI DSS 3.2 2.1
-    - PCI DSS 3.2 8.1
-    - PCI DSS 3.2 8.2
-    - PCI DSS 3.2 8.3
-    - PCI DSS 3.2 8.7
-    - PCI DSS 3.2 8.8
-    - PCI DSS 3.2 1.3
-    - PCI DSS 3.2 1.4
-    - PCI DSS 3.2 4.3
-    - PCI DSS 3.2 7.1
-    - PCI DSS 3.2 7.2
-    - PCI DSS 3.2 7.3
+# tags:
+    # - CSC4
+    # - CSC4.5
+    # - CSC14
+    # - CSC14.4
+    # - CSC16
+    # - CSC16.5
+    # - NIST CSF 1.1 PR.AT-2
+    # - NIST CSF 1.1 PR.MA-2
+    # - NIST CSF 1.1 PR.PT-3
+    # - NIST CSF 1.1 PR.AC-1
+    # - NIST CSF 1.1 PR.AC-4
+    # - NIST CSF 1.1 PR.AC-5
+    # - NIST CSF 1.1 PR.AC-6
+    # - NIST CSF 1.1 PR.AC-7
+    # - NIST CSF 1.1 PR.DS-1
+    # - NIST CSF 1.1 PR.DS-2
+    # - ISO 27002-2013 A.9.2.1
+    # - ISO 27002-2013 A.9.2.2
+    # - ISO 27002-2013 A.9.2.3
+    # - ISO 27002-2013 A.9.2.4
+    # - ISO 27002-2013 A.9.2.5
+    # - ISO 27002-2013 A.9.2.6
+    # - ISO 27002-2013 A.9.3.1
+    # - ISO 27002-2013 A.9.4.1
+    # - ISO 27002-2013 A.9.4.2
+    # - ISO 27002-2013 A.9.4.3
+    # - ISO 27002-2013 A.9.4.4
+    # - ISO 27002-2013 A.8.3.1
+    # - ISO 27002-2013 A.9.1.1
+    # - ISO 27002-2013 A.10.1.1
+    # - PCI DSS 3.2 2.1
+    # - PCI DSS 3.2 8.1
+    # - PCI DSS 3.2 8.2
+    # - PCI DSS 3.2 8.3
+    # - PCI DSS 3.2 8.7
+    # - PCI DSS 3.2 8.8
+    # - PCI DSS 3.2 1.3
+    # - PCI DSS 3.2 1.4
+    # - PCI DSS 3.2 4.3
+    # - PCI DSS 3.2 7.1
+    # - PCI DSS 3.2 7.2
+    # - PCI DSS 3.2 7.3
 ---
 logsource:
    product: netflow
--- a/rules/compliance/default_credentials_usage.yml
+++ b/rules/compliance/default_credentials_usage.yml
@ -81,29 +81,29 @@ detection:
 falsepositives:
    - unknown
 level: medium
-tags:
-    - CSC4
-    - CSC4.2
-    - NIST CSF 1.1 PR.AC-4
-    - NIST CSF 1.1 PR.AT-2
-    - NIST CSF 1.1 PR.MA-2
-    - NIST CSF 1.1 PR.PT-3
-    - ISO 27002-2013 A.9.1.1
-    - ISO 27002-2013 A.9.2.2
-    - ISO 27002-2013 A.9.2.3
-    - ISO 27002-2013 A.9.2.4
-    - ISO 27002-2013 A.9.2.5
-    - ISO 27002-2013 A.9.2.6
-    - ISO 27002-2013 A.9.3.1
-    - ISO 27002-2013 A.9.4.1
-    - ISO 27002-2013 A.9.4.2
-    - ISO 27002-2013 A.9.4.3
-    - ISO 27002-2013 A.9.4.4
-    - PCI DSS 3.2 2.1
-    - PCI DSS 3.2 7.1
-    - PCI DSS 3.2 7.2
-    - PCI DSS 3.2 7.3
-    - PCI DSS 3.2 8.1
-    - PCI DSS 3.2 8.2
-    - PCI DSS 3.2 8.3
-    - PCI DSS 3.2 8.7
+# tags:
+    # - CSC4
+    # - CSC4.2
+    # - NIST CSF 1.1 PR.AC-4
+    # - NIST CSF 1.1 PR.AT-2
+    # - NIST CSF 1.1 PR.MA-2
+    # - NIST CSF 1.1 PR.PT-3
+    # - ISO 27002-2013 A.9.1.1
+    # - ISO 27002-2013 A.9.2.2
+    # - ISO 27002-2013 A.9.2.3
+    # - ISO 27002-2013 A.9.2.4
+    # - ISO 27002-2013 A.9.2.5
+    # - ISO 27002-2013 A.9.2.6
+    # - ISO 27002-2013 A.9.3.1
+    # - ISO 27002-2013 A.9.4.1
+    # - ISO 27002-2013 A.9.4.2
+    # - ISO 27002-2013 A.9.4.3
+    # - ISO 27002-2013 A.9.4.4
+    # - PCI DSS 3.2 2.1
+    # - PCI DSS 3.2 7.1
+    # - PCI DSS 3.2 7.2
+    # - PCI DSS 3.2 7.3
+    # - PCI DSS 3.2 8.1
+    # - PCI DSS 3.2 8.2
+    # - PCI DSS 3.2 8.3
+    # - PCI DSS 3.2 8.7
--- a/rules/compliance/group_modification_logging.yml
+++ b/rules/compliance/group_modification_logging.yml
@ -33,29 +33,29 @@ detection:
 falsepositives:
    - unknown
 level: low
-tags:
-    - CSC4
-    - CSC4.8
-    - NIST CSF 1.1 PR.AC-4
-    - NIST CSF 1.1 PR.AT-2
-    - NIST CSF 1.1 PR.MA-2
-    - NIST CSF 1.1 PR.PT-3
-    - ISO 27002-2013 A.9.1.1
-    - ISO 27002-2013 A.9.2.2
-    - ISO 27002-2013 A.9.2.3
-    - ISO 27002-2013 A.9.2.4
-    - ISO 27002-2013 A.9.2.5
-    - ISO 27002-2013 A.9.2.6
-    - ISO 27002-2013 A.9.3.1
-    - ISO 27002-2013 A.9.4.1
-    - ISO 27002-2013 A.9.4.2
-    - ISO 27002-2013 A.9.4.3
-    - ISO 27002-2013 A.9.4.4
-    - PCI DSS 3.2 2.1
-    - PCI DSS 3.2 7.1
-    - PCI DSS 3.2 7.2
-    - PCI DSS 3.2 7.3
-    - PCI DSS 3.2 8.1
-    - PCI DSS 3.2 8.2
-    - PCI DSS 3.2 8.3
-    - PCI DSS 3.2 8.7
+# tags:
+    # - CSC4
+    # - CSC4.8
+    # - NIST CSF 1.1 PR.AC-4
+    # - NIST CSF 1.1 PR.AT-2
+    # - NIST CSF 1.1 PR.MA-2
+    # - NIST CSF 1.1 PR.PT-3
+    # - ISO 27002-2013 A.9.1.1
+    # - ISO 27002-2013 A.9.2.2
+    # - ISO 27002-2013 A.9.2.3
+    # - ISO 27002-2013 A.9.2.4
+    # - ISO 27002-2013 A.9.2.5
+    # - ISO 27002-2013 A.9.2.6
+    # - ISO 27002-2013 A.9.3.1
+    # - ISO 27002-2013 A.9.4.1
+    # - ISO 27002-2013 A.9.4.2
+    # - ISO 27002-2013 A.9.4.3
+    # - ISO 27002-2013 A.9.4.4
+    # - PCI DSS 3.2 2.1
+    # - PCI DSS 3.2 7.1
+    # - PCI DSS 3.2 7.2
+    # - PCI DSS 3.2 7.3
+    # - PCI DSS 3.2 8.1
+    # - PCI DSS 3.2 8.2
+    # - PCI DSS 3.2 8.3
+    # - PCI DSS 3.2 8.7
--- a/rules/compliance/host_without_firewall.yml
+++ b/rules/compliance/host_without_firewall.yml
@ -17,15 +17,15 @@ detection:
        host.scan.vuln_name: Firewall Product Not Detected*
    condition: selection
 level: low
-tags:
-    - CSC9
-    - CSC9.4
-    - NIST CSF 1.1 PR.AC-5
-    - NIST CSF 1.1 PR.AC-6
-    - NIST CSF 1.1 PR.AC-7
-    - NIST CSF 1.1 DE.AE-1
-    - ISO 27002-2013 A.9.1.2
-    - ISO 27002-2013 A.13.2.1
-    - ISO 27002-2013 A.13.2.2
-    - ISO 27002-2013 A.14.1.2
-    - PCI DSS 3.2 1.4
+# tags:
+    # - CSC9
+    # - CSC9.4
+    # - NIST CSF 1.1 PR.AC-5
+    # - NIST CSF 1.1 PR.AC-6
+    # - NIST CSF 1.1 PR.AC-7
+    # - NIST CSF 1.1 DE.AE-1
+    # - ISO 27002-2013 A.9.1.2
+    # - ISO 27002-2013 A.13.2.1
+    # - ISO 27002-2013 A.13.2.2
+    # - ISO 27002-2013 A.14.1.2
+    # - PCI DSS 3.2 1.4
--- a/rules/compliance/workstation_was_locked.yml
+++ b/rules/compliance/workstation_was_locked.yml
@ -21,27 +21,27 @@ detection:
 falsepositives:
    - unknown
 level: low
-tags:
-    - CSC16
-    - CSC16.11
-    - ISO27002-2013 A.9.1.1
-    - ISO27002-2013 A.9.2.1
-    - ISO27002-2013 A.9.2.2
-    - ISO27002-2013 A.9.2.3
-    - ISO27002-2013 A.9.2.4
-    - ISO27002-2013 A.9.2.5
-    - ISO27002-2013 A.9.2.6
-    - ISO27002-2013 A.9.3.1
-    - ISO27002-2013 A.9.4.1
-    - ISO27002-2013 A.9.4.3
-    - ISO27002-2013 A.11.2.8
-    - PCI DSS 3.1 7.1
-    - PCI DSS 3.1 7.2
-    - PCI DSS 3.1 7.3
-    - PCI DSS 3.1 8.7
-    - PCI DSS 3.1 8.8
-    - NIST CSF 1.1 PR.AC-1
-    - NIST CSF 1.1 PR.AC-4
-    - NIST CSF 1.1 PR.AC-6
-    - NIST CSF 1.1 PR.AC-7
-    - NIST CSF 1.1 PR.PT-3
+# tags:
+    # - CSC16
+    # - CSC16.11
+    # - ISO27002-2013 A.9.1.1
+    # - ISO27002-2013 A.9.2.1
+    # - ISO27002-2013 A.9.2.2
+    # - ISO27002-2013 A.9.2.3
+    # - ISO27002-2013 A.9.2.4
+    # - ISO27002-2013 A.9.2.5
+    # - ISO27002-2013 A.9.2.6
+    # - ISO27002-2013 A.9.3.1
+    # - ISO27002-2013 A.9.4.1
+    # - ISO27002-2013 A.9.4.3
+    # - ISO27002-2013 A.11.2.8
+    # - PCI DSS 3.1 7.1
+    # - PCI DSS 3.1 7.2
+    # - PCI DSS 3.1 7.3
+    # - PCI DSS 3.1 8.7
+    # - PCI DSS 3.1 8.8
+    # - NIST CSF 1.1 PR.AC-1
+    # - NIST CSF 1.1 PR.AC-4
+    # - NIST CSF 1.1 PR.AC-6
+    # - NIST CSF 1.1 PR.AC-7
+    # - NIST CSF 1.1 PR.PT-3
--- a/rules/windows/process_creation/win_apt_unc2452_cmds.yml
+++ b/rules/windows/process_creation/win_apt_unc2452_cmds.yml
@ -7,8 +7,8 @@ references:
 tags:
    - attack.execution
    - attack.t1059.001
-    - sunburst
-    - unc2452
+    # - sunburst
+    # - unc2452
 author: Florian Roth
 date: 2021/01/22
 modified: 2021/06/27
--- a/rules/windows/process_creation/win_apt_unc2452_ps.yml
+++ b/rules/windows/process_creation/win_apt_unc2452_ps.yml
@ -9,7 +9,7 @@ tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1047
-    - sunburst
+    # - sunburst
 author: Florian Roth
 date: 2021/01/20
 modified: 2021/01/22
--- a/rules/windows/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml
+++ b/rules/windows/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml
@ -13,7 +13,7 @@ logsource:
 tags:
    - attack.persistence
    - attack.t1136.001
-    - threat_group.DEV-0322
+    # - threat_group.DEV-0322
 detection:
    selection1:
        CommandLine|contains: 'whoami'
--- a/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml
+++ b/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml
@ -28,7 +28,7 @@ tags:
    - attack.persistence
    - attack.t1060 # an old one
    - attack.t1547.001
-    - capec.270
+    # - capec.270
 fields:
    - Image
    - ParentImage
--- a/rules/windows/sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.yml
+++ b/rules/windows/sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.yml
@ -15,7 +15,7 @@ tags:
    - attack.credential_access
    - attack.t1566
    - attack.t1203
-    - threat_group.Sourgum
+    # - threat_group.Sourgum
 falsepositives:
    - Unlikely
 level: critical
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
@ -79,17 +79,17 @@ class TestRules(unittest.TestCase):
        for file in self.yield_next_rule_file_path(self.path_to_rules):
            tags = self.get_rule_part(file_path=file, part_name="tags")
            if tags:
-            	for tag in tags:
-                   if tag.startswith("attack."):
-                       continue
-                   elif tag.startswith("car."):
-                       continue
-                   elif tag.startswith("cve."):
-                       print(Fore.RED + "Rule {} has the cve tag <{}> but is it a references (https://nvd.nist.gov/)".format(file, tag))
-                       files_with_incorrect_tags.append(file)
-                   else:
-                       print(Fore.RED + "Rule {} has the unknown tag <{}>".format(file, tag))
-                      # files_with_incorrect_tags.append(file)
+                for tag in tags:
+                    if tag.startswith("attack."):
+                        continue
+                    elif tag.startswith("car."):
+                        continue
+                    elif tag.startswith("cve."):
+                        print(Fore.RED + "Rule {} has the cve tag <{}> but is it a references (https://nvd.nist.gov/)".format(file, tag))
+                        files_with_incorrect_tags.append(file)
+                    else:
+                        print(Fore.RED + "Rule {} has the unknown tag <{}>".format(file, tag))
+                        files_with_incorrect_tags.append(file)

        self.assertEqual(files_with_incorrect_tags, [], Fore.RED + 
                         "There are rules with incorrect/unknown MITRE Tags. (please inform us about new tags that are not yet supported in our tests) and check the correct tags here: https://attack.mitre.org/ ")