valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 18:23:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
5019f2f160
SigmaHQ/tools/sigma/backends/logiq.py
Thomas Patzke 1c5c8047fd Fixes 
* Removed commented debug print statements
* Defined nullExpression
* Removed unneeded generateMapItemNode method
* Value cleaning bug on matching of wildcard at first character
2020-04-08 23:43:46 +02:00

62 lines
2.0 KiB
Python
Raw Blame History

import re
from .base import SingleTextQueryBackend
import json
class LogiqBackend(SingleTextQueryBackend):
"""Converts Sigma rule into LOGIQ event rule api payload """
identifier = "logiq"
config_required = False
active = True
reEscape = re.compile('(")')
reClear = None
andToken = " && "
orToken = " || "
notToken = " !~ "
subExpression = "%s"
listExpression = "%s"
listSeparator = ", "
valueExpression = "message =~ \'%s\'"
keyExpression = "%s"
nullExpression = "!~ %s"
notNullExpression = "!%s"
mapExpression = "(%s=%s)"
mapListsSpecialHandling = True
reEscape = re.compile("([\\|()\[\]{}.^$+])")
def generate(self, sigmaparser):
"""Method is called for each sigma rule and receives the parsed rule (SigmaParser)"""
eventRule = dict()
eventRule["name"] = sigmaparser.parsedyaml["title"]
eventRule["groupName"] = sigmaparser.parsedyaml["logsource"].get("product", "")
eventRule["description"] = sigmaparser.parsedyaml["description"]
eventRule["condition"] = sigmaparser.parsedyaml["detection"]
eventRule["level"] = sigmaparser.parsedyaml["level"]
for parsed in sigmaparser.condparsed:
query = self.generateQuery(parsed)
before = self.generateBefore(parsed)
after = self.generateAfter(parsed)
eventRule["condition"] = ""
if before is not None:
eventRule["condition"] = before
if query is not None:
eventRule["condition"] += query
if after is not None:
eventRule["condition"] += after
return json.dumps(eventRule)
def cleanValue(self, val):
if val.startswith('*'):
val = val.replace("*","/*")
return val
def generateListNode(self, node):
if not set([type(value) for value in node]).issubset({str, int}):
raise TypeError("List values must be strings or numbers")
return self.generateORNode(node)
Reference in New Issue View Git Blame Copy Permalink