97 Commits

Author	SHA1	Message	Date
frack113	e098cdf3a1	fix url ref	2021-08-10 11:07:28 +02:00
frack113	ce17f8e9e2	add test_selection_list_one_value warning only	2021-08-10 10:21:22 +02:00
Florian Roth	9b7be5985e	Merge pull request #1773 from phantinuss/master ... Two CobaltStrike BOF rules and a little fix on the local rule test script usage text	2021-08-05 15:42:47 +02:00
Florian Roth	917b95d8ff	fix: bash script bug	2021-07-30 08:51:38 +02:00
Florian Roth	5947dddcd2	feat: print the faulty rule as an error into cmdline	2021-07-30 08:24:06 +02:00
Florian Roth	7c78f40372	Merge pull request #1744 from gliptak/patch-3 ... Add yamllint to GHA	2021-07-28 16:24:33 +02:00
phantinuss	2866a1dbdc	fix: change howto to match current state of code	2021-07-28 15:13:55 +02:00
frack113	6b076d4360	Add test_optional_author	2021-07-27 19:14:00 +02:00
Gábor Lipták	d2592ee0b6	Add yamllint to GHA ... Signed-off-by: Gábor Lipták <gliptak@gmail.com>	2021-07-26 21:26:16 -04:00
frack113	ffcd3a2112	Add test_optional_related test_optional_fields test_optional_falsepositives	2021-07-24 09:41:04 +02:00
frack113	aff5264096	Add check for status and level	2021-07-22 19:25:51 +02:00
frack113	fe20158f5e	Update date and modified test	2021-07-21 18:28:47 +02:00
frack113	50c47a4ed0	check duplicate id	2021-07-17 10:32:29 +02:00
Florian Roth	02bf32ce6c	fixed more legal issues	2021-05-15 13:09:08 +02:00
Florian Roth	526ab4f707	feat: trademark test case	2021-05-15 13:02:49 +02:00
jaegeral	e1f43f17c2	fixed various spelling errors all over rules and source code	2021-02-24 14:43:13 +00:00
mat	b3e36281b5	fix reference field + add test for references in plural form	2020-11-27 10:17:45 +01:00
Florian Roth	d3ee1aba66	docs: MITRE ATT&CK(R) trademark references removed or adjusted ... https://github.com/Neo23x0/sigma/issues/1028	2020-09-30 08:53:52 +02:00
Florian Roth	8970d03f6f	Merge pull request #952 from Neo23x0/devel ... feat: Detect duplicate rule tags	2020-07-28 10:21:59 +02:00
Florian Roth	051e2ce905	feat: detect duplicate tags	2020-07-27 11:37:58 +02:00
Ryan Plas	de53a08746	Merge branch 'master' of github.com:Neo23x0/sigma	2020-07-15 10:27:33 -04:00
Florian Roth	71e66ea9ba	refactor: tests use live data from MITRE's TAXI service	2020-07-14 17:54:02 +02:00
Florian Roth	cf25b9c509	feat: filename test	2020-07-14 12:33:16 +02:00
Florian Roth	495376df77	refactor: references test without warnings for missing refs	2020-07-14 12:33:02 +02:00
Florian Roth	bae979f5c7	refactor: ignore sub techniques as long as we do not have a complete list	2020-07-14 11:56:28 +02:00
Ryan Plas	9eb5d8da4d	Add logsource attribute rule test	2020-07-13 17:02:28 -04:00
Florian Roth	b3e15eea68	fix: nested check	2020-07-13 18:49:00 +02:00
Florian Roth	91c0bea570	fix: typo and reordered	2020-07-13 18:22:47 +02:00
Florian Roth	758f5039b5	fix: no error on rules without references	2020-07-13 18:16:32 +02:00
Florian Roth	8d91659c2a	fix: typo in field value	2020-07-13 18:08:00 +02:00
Florian Roth	4c610ec693	feat: test references is list	2020-07-13 18:07:19 +02:00
Florian Roth	87ce5e5745	fix: missing MITRE ATT&CK IDs in test	2020-07-13 16:02:22 +02:00
Florian Roth	ab40cdbbd7	fix: missing ATT&CK id	2020-07-01 09:57:35 +02:00
Florian Roth	912ad94771	fix: missing ATT&CK id in tests	2020-06-19 10:00:44 +02:00
Ivan Kirillov	69760f6446	Added subtechniques to MITRE_TECHNIQUES	2020-06-17 11:51:48 -06:00
ecco	327a53c120	add new test for sysmon rules without eventid	2020-05-23 10:25:37 -04:00
ecco	2b89e56054	fix test	2020-05-23 10:03:13 -04:00
Florian Roth	030898ba9c	Merge branch 'master' into override-coverage	2020-05-02 14:22:03 +02:00
Maxime Thiebaut	4600bf73dc	Update rules to follow the Sigma state specification ... The [Sigma specification's status component](https://github.com/Neo23x0/sigma/wiki/Specification#status-optional) states the following: > Declares the status of the rule: > - stable: the rule is considered as stable and may be used in production systems or dashboards. > - test: an almost stable rule that possibly could require some fine tuning. > - experimental: an experimental rule that could lead to false results or be noisy, but could also identify interesting events. However the Sigma Rx YAML specification states the following: > ```yaml > status: > type: //any > of: > - type: //str > value: stable > - type: //str > value: testing > - type: //str > value: experimental > ``` The specification confuses the `test` and `testing` state. This commit changes the `test` state into the `testing` state which is already used in the code-base: - [`sigma/sigma-schema.rx.yml`](a805d18bba/sigma-schema.rx.yml (L49)) - [`sigma/tools/sigma/filter.py`](f3c60a6309/tools/sigma/filter.py (L26)) - [`sigma/tools/sigmac`](4e42bebb34/tools/sigmac (L98)) Although not modifyable through a PR, the specification should furthermore be updated to use the `testing` state.	2020-04-24 20:50:31 +02:00
Thomas Patzke	d33f4b290d	Dependency cleanup ... * Consolidated dependencies into main and development (MISP and test intergrated). * Splitted Pipfile dependencies into main and development * Specified compatible dependencies	2020-03-29 22:55:09 +02:00
Florian Roth	0e1ff440db	fix: updated MITRE tags in test	2020-03-25 14:04:22 +01:00
Thomas Patzke	373424f145	Rule fixes ... Made tests pass the new CI tests. Added further allowed lower case words in rule test.	2020-02-20 23:00:16 +01:00
Thomas Patzke	d7bd90cb24	Merge branch 'master' into oscd	2020-02-03 23:13:16 +01:00
Thomas Patzke	815c562a17	Merge branch 'master' into oscd	2020-02-02 13:40:08 +01:00
Florian Roth	9876623710	doc: helpful link in error message	2020-02-01 15:43:11 +01:00
Florian Roth	1735614747	feat: rule title tests	2020-01-30 17:26:21 +01:00
Florian Roth	43af93a678	feat: detect missing date	2020-01-30 16:08:34 +01:00
Florian Roth	14e7b17eb9	feat: detect missing id	2020-01-30 16:08:24 +01:00
Florian Roth	93e1299010	style: PEP8 in test_rules.py	2020-01-30 16:08:10 +01:00
Florian Roth	f84b3abf2d	fix: missing commas in list	2020-01-30 08:56:13 +01:00