Commit Graph

1332 Commits

Author SHA1 Message Date
Florian Roth
580692aab4 Improved procdump on lsass rule 2018-10-30 09:37:40 +01:00
Thomas Patzke
eacfaa7460 Check for forbidden null values in list items in Splunk backend 2018-10-27 01:07:03 +02:00
Thomas Patzke
423a73efd5 Dropped .py suffix 2018-10-22 23:02:05 +02:00
Thomas Patzke
1b1f22c5c2 Added sigma2misp to README 2018-10-22 23:02:05 +02:00
Thomas Patzke
b2d6d73034 Added requirements 2018-10-22 22:43:59 +02:00
Thomas Patzke
16e3838a90 Renamed script 2018-10-19 21:23:33 +02:00
Thomas Patzke
6b14930302 Recursive path traversal 2018-10-19 21:21:33 +02:00
Thomas Patzke
67b416379f Improved import of multiple rules 2018-10-19 19:53:00 +02:00
Thomas Patzke
60b6f5d50a Merge branch 'samsson-patch-9' 2018-10-18 16:21:11 +02:00
Thomas Patzke
ff98991c80 Fixed rule 2018-10-18 16:20:51 +02:00
Thomas Patzke
a2da73053d Merge branch 'patch-9' of https://github.com/samsson/sigma into samsson-patch-9 2018-10-18 16:16:57 +02:00
Thomas Patzke
96d6d520b7 Merge branch 'pivotforensics-master' 2018-10-18 16:14:53 +02:00
Thomas Patzke
0fd8b986fd Added CI tests 2018-10-18 16:14:16 +02:00
Thomas Patzke
0cc8b77307 Merge branch 'master' of https://github.com/pivotforensics/sigma into pivotforensics-master 2018-10-18 15:56:26 +02:00
Thomas Patzke
732de3458f Merge pull request #186 from megan201296/patch-15
Update sysmon_cmstp_com_object_access.yml
2018-10-18 15:49:06 +02:00
Thomas Patzke
fdd0823e07 Merge pull request #187 from megan201296/patch-16
Additional MITRE ATT&CK Tagging
2018-10-18 15:38:11 +02:00
Thomas Patzke
60765d903a Merge branch 'ntim-master' 2018-10-18 15:34:34 +02:00
Thomas Patzke
5609728a8a included XPack Watcher JSON output in CI tests 2018-10-18 14:56:21 +02:00
ntim
e501c4a5b9 Added additional output type 'json' to the xpack-watcher backend which prints each watcher as compressed json, one watcher per line 2018-10-17 10:38:56 +02:00
Michael H
5b33713ef8 Quick fix for string formatting bug 2018-10-13 20:21:37 -05:00
Michael H
38ec257f7e Re-doing LogName formatting 2018-10-13 20:18:57 -05:00
Michael H
9f48265eb1 Adding re.sub for LogName that accounts for expression grouping 2018-10-13 20:09:54 -05:00
Michael H
7e184f01c6 Removing invalid fieldmapping 2018-10-13 19:53:39 -05:00
Michael H
ab2ebae6b0 Merge branch 'master' of https://github.com/Neo23x0/sigma 2018-10-13 19:41:18 -05:00
Florian Roth
3c3b14a26b rule: new malware UA 2018-10-10 15:27:58 +02:00
Florian Roth
fd34437575 fix: fixed date in rule 2018-10-10 15:27:58 +02:00
megan201296
fdd264d946 Update sysmon_susp_powershell_rundll32.yml 2018-10-09 19:11:47 -05:00
megan201296
440b0ddffe Update sysmon_susp_powershell_parent_combo.yml 2018-10-09 19:11:17 -05:00
megan201296
b0983047eb Update sysmon_powersploit_schtasks.yml 2018-10-09 19:10:37 -05:00
megan201296
2f533c54b3 Update sysmon_powershell_network_connection.yml 2018-10-09 19:10:17 -05:00
megan201296
1b92a158b5 Add MITRE ATT&CK Tagging 2018-10-09 19:09:19 -05:00
megan201296
ffbb968fcd Update sysmon_cmstp_com_object_access.yml
Edit rule logic for `and` instead of `or`
2018-10-09 19:03:30 -05:00
Florian Roth
182781229c Merge pull request #184 from megan201296/patch-14
Remove duplicate value
2018-10-09 09:37:54 +02:00
megan201296
7997cb3001 Remove duplicate value 2018-10-08 13:00:59 -05:00
Michael H
bbb67fbba4 Adding support for reading sigma rule from stdin in sigmac 2018-10-07 10:11:47 -05:00
Michael H
aabaa0257b Merge branch 'master' of https://github.com/Neo23x0/sigma 2018-10-06 20:12:15 -05:00
Michael H
4b85a34b34 Added CSV option to powershell backend 2018-10-06 20:08:20 -05:00
Florian Roth
54678fcb36 Rule: CertUtil UA
https://twitter.com/ItsReallyNick/status/1047151134501216258
2018-10-06 16:47:37 +02:00
Thomas Patzke
4eeb07a736 Merge pull request #181 from droe/optimizer-comments
Improve the comments on the optimizer
2018-10-03 23:11:10 +02:00
Daniel Roethlisberger
fc45df144c Improve the comments on the optimizer 2018-10-03 13:44:03 +02:00
Thomas Patzke
143f8644c6 Merge pull request #180 from droe/refactor-optimizer
Move optimizer to sigma.parser.condition to enable it for all backends
2018-10-03 00:34:14 +02:00
Daniel Roethlisberger
87aa1b5521 Move optimizer to sigma.parser.condition to enable it for all backends 2018-10-03 00:24:31 +02:00
Thomas Patzke
2ac19d32a1 Merge pull request #178 from droe/ast_optimizer
Optimize the boolean expressions in the AST before generating output
2018-10-02 23:06:55 +02:00
Daniel Roethlisberger
cd3661b60c Fix optimization of NOT corner cases 2018-10-02 22:48:33 +02:00
Thomas Patzke
14c5dcf413 Merge pull request #179 from droe/tempfile-mktemp
Use mktemp if tempfile is not available, fixes `make` for macOS
2018-10-02 22:44:48 +02:00
Daniel Roethlisberger
85ad10d558 Use mktemp if tempfile is not available, fixes make for macOS 2018-10-02 22:17:03 +02:00
Daniel Roethlisberger
bed88cf813 Make uniq work for lists within definitions 2018-10-02 22:12:54 +02:00
Daniel Roethlisberger
7165128fa5 Remove None from AST - fixes None-related test failures 2018-10-02 21:44:37 +02:00
Daniel Roethlisberger
2242fc5ac8 Optimize the boolean expressions in the AST before generating output
Add code optimizing the boolean expressions in the abstract syntax tree
before generating output using the backend.

The main idea behind optimizing the AST is that fewer repeated terms are
generally better for backend performance.  This is especially relevant
to backends that do not perform any query language optimization down
the road, such as those that generate code.

The following optimizations are currently performed:

-   Removal of empty OR(), AND()
-   OR(X), AND(X)                 =>  X
-   OR(X, X, ...), AND(X, X, ...) =>  OR(X, ...), AND(X, ...)
-   OR(X, OR(Y))                  =>  OR(X, Y)
-   OR(AND(X, ...), AND(X, ...))  =>  AND(X, OR(AND(...), AND(...)))
-   NOT(NOT(X))                   =>  X

A common example for when these suboptimal rules actually occur in
practice is when a rule has multiple alternative detections that are
OR'ed together in the condition, and all of the detections include a
common element, such as the same EventID.

This implementation is not optimized for performance and will perform
poorly on very large expressions.
2018-10-02 21:14:25 +02:00
Florian Roth
85f0ddd188 Delete win_alert_LSASS_access.yml 2018-10-02 16:48:09 +02:00