valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
3,568 Commits 20 Branches 25 Tags 21 MiB
4aae3a6aa5
Commit Graph

65 Commits

Author SHA1 Message Date
Florian Roth
ab40cdbbd7 fix: missing ATT&CK id 2020-07-01 09:57:35 +02:00
Florian Roth
912ad94771 fix: missing ATT&CK id in tests 2020-06-19 10:00:44 +02:00
Ivan Kirillov
69760f6446 Added subtechniques to MITRE_TECHNIQUES 2020-06-17 11:51:48 -06:00
ecco
327a53c120 add new test for sysmon rules without eventid 2020-05-23 10:25:37 -04:00
ecco
2b89e56054 fix test 2020-05-23 10:03:13 -04:00
Florian Roth
030898ba9c
Merge branch 'master' into override-coverage 2020-05-02 14:22:03 +02:00
Maxime Thiebaut
4600bf73dc Update rules to follow the Sigma state specification 
The [Sigma specification's status component](https://github.com/Neo23x0/sigma/wiki/Specification#status-optional) states the following:

> Declares the status of the rule:
>  - stable: the rule is considered as stable and may be used in production systems or dashboards.
>  - test: an almost stable rule that possibly could require some fine tuning.
>  - experimental: an experimental rule that could lead to false results or be noisy, but could also identify interesting events.

However the Sigma Rx YAML specification states the following:

> ```yaml
> status:
>     type: //any
>     of:
>         - type: //str
>           value: stable
>         - type: //str
>           value: testing
>         - type: //str
>           value: experimental
> ```

The specification confuses the `test` and `testing` state. This commit changes the `test` state into the `testing` state which is already used in the code-base:
 - [`sigma/sigma-schema.rx.yml`](a805d18bba/sigma-schema.rx.yml (L49))
 - [`sigma/tools/sigma/filter.py`](f3c60a6309/tools/sigma/filter.py (L26))
 - [`sigma/tools/sigmac`](4e42bebb34/tools/sigmac (L98))

Although not modifyable through a PR, the specification should furthermore be updated to use the `testing` state.
 2020-04-24 20:50:31 +02:00
Thomas Patzke
d33f4b290d Dependency cleanup 
* Consolidated dependencies into main and development (MISP and test
  intergrated).
* Splitted Pipfile dependencies into main and development
* Specified compatible dependencies
 2020-03-29 22:55:09 +02:00
Florian Roth
0e1ff440db fix: updated MITRE tags in test 2020-03-25 14:04:22 +01:00
Thomas Patzke
373424f145 Rule fixes 
Made tests pass the new CI tests. Added further allowed lower case words
in rule test.
 2020-02-20 23:00:16 +01:00
Thomas Patzke
d7bd90cb24 Merge branch 'master' into oscd 2020-02-03 23:13:16 +01:00
Thomas Patzke
815c562a17 Merge branch 'master' into oscd 2020-02-02 13:40:08 +01:00
Florian Roth
9876623710 doc: helpful link in error message 2020-02-01 15:43:11 +01:00
Florian Roth
1735614747 feat: rule title tests 2020-01-30 17:26:21 +01:00
Florian Roth
43af93a678 feat: detect missing date 2020-01-30 16:08:34 +01:00
Florian Roth
14e7b17eb9 feat: detect missing id 2020-01-30 16:08:24 +01:00
Florian Roth
93e1299010 style: PEP8 in test_rules.py 2020-01-30 16:08:10 +01:00
Florian Roth
f84b3abf2d fix: missing commas in list 2020-01-30 08:56:13 +01:00
Florian Roth
aa5ce18abc feat: support of new MITRE ATT&CK tags 2020-01-30 08:55:44 +01:00
Florian Roth
7bf472834b feat: colorized error messages 2020-01-30 08:50:22 +01:00
Florian Roth
9d96b7c1a3 fix: print_error function not global 2020-01-30 08:39:58 +01:00
Florian Roth
fe6c30fa59 feat: colorized output in test 2020-01-30 08:37:47 +01:00
Florian Roth
5e59bbb3c3
Added MITRE ATT&CK Technique T1482 
https://attack.mitre.org/techniques/T1482/
 2019-12-28 16:02:26 +01:00
Thomas Patzke
694d666539 Merge branch 'master' into oscd 2019-12-19 23:15:15 +01:00
Thomas Patzke
397b3b8cc6 Updated rule test MITRE ATT&CK identifiers 2019-12-17 01:13:06 +01:00
Thomas Patzke
ee4138c48e
Merge pull request #526 from zouzias/hotfix_aggregate_count_distinct_groupby 
[feature] extend es-dsl to support nested aggregations
 2019-12-13 21:55:47 +01:00
Florian Roth
2cf6e16024 fix: missing new MITRE tactics category in tests 2019-11-14 23:31:38 +01:00
Anastasios Zouzias
324005a126 [feature] extend es-dsl to support nested aggregations 2019-11-12 11:46:43 +01:00
Thomas Patzke
238adf9eea Improved rule test 
* Added ATT&CK technique
* Removed invalid tags
 2019-11-08 22:03:19 +01:00
Thomas Patzke
ef14ee542d Added modifiers: startswith and endswith 2019-11-05 23:04:13 +01:00
Hilko Bengen
d759896e07 Make coverage binary overridable 
This makes it possible to pass a different coverage program to make
test, e.g.:

    make test COVERAGE=python3-coverage
 2019-10-23 15:42:25 +02:00
Thomas Patzke
fc276612b6 Added encoding modifiers 2019-10-16 23:52:06 +02:00
Thomas Patzke
c80cb418cd Improved QRadar regular expression support 2019-09-05 15:35:26 +02:00
Thomas Patzke
59a6a0c523 Added ATT&CK technique to rule test 2019-08-25 10:13:11 +02:00
Thomas Patzke
a65a9655f4 Fixed config naming in es-qs query backend test 2019-08-02 08:25:21 +02:00
Thomas Patzke
0ca15e5c5e Added test case for value modifiers 2019-07-16 23:14:55 +02:00
Thomas Patzke
4559aa4e00 Fixed es-qs backend check 2019-04-23 00:05:36 +02:00
Thomas Patzke
87abd20c0f Removed deprecated PyYAML API from rule test 2019-04-22 23:21:08 +02:00
Florian Roth
d0950bd077 fix: yaml.load() issue 
https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation
 2019-04-21 20:30:31 +02:00
Thomas Patzke
5e973a6321 Fixes and CI testing of --backend-config 2019-03-15 23:46:38 +01:00
Tareq AlKhatib
7f4557d183 Enabled check for process_creation 2019-03-09 21:00:11 +03:00
Tareq AlKhatib
c3b079990a Properly end anchored the regex 2019-03-09 19:23:50 +03:00
Tareq AlKhatib
be2ca8dc4d Added checks for Sysmon 1 or EID 4688 instead of process_creation 2019-03-02 20:51:49 +03:00
Thomas Patzke
c922f7d73f Merge branch 'master' into project-1 2019-02-26 00:24:46 +01:00
Tareq AlKhatib
ae62acf3d2 Added a test for duplicate filters and a test for Source: Eventlog 2019-02-18 21:05:58 +03:00
Tareq AlKhatib
97b28f4308 Added a test for unnecessary use of '1 of them' in condition 2019-02-13 21:27:27 +03:00
Tareq AlKhatib
cd2af196e3 Corrected path to rules 2019-01-25 12:25:51 +03:00
Tareq AlKhatib
96220e776f Added a test to check for duplicate filters in rules 2019-01-25 12:22:28 +03:00
Thomas Patzke
3c7f46a6cd Added rule test to CI testing 2019-01-23 23:31:36 +01:00
Tareq AlKhatib
e3d61047bb Added two tests. One for MITRE and another for file extension. 2019-01-22 21:25:13 +03:00