From 9e89eea0b007862bc94037baa3a178032bd93b03 Mon Sep 17 00:00:00 2001
From: sn0w0tter <42819997+sn0w0tter@users.noreply.github.com>
Date: Wed, 27 May 2020 23:39:03 +0200
Subject: [PATCH] #192 for confluence
---
 scripts/detectionrule.py | 28 ++++++++++++++++++++++++----
 1 file changed, 24 insertions(+), 4 deletions(-)
diff --git a/scripts/detectionrule.py b/scripts/detectionrule.py
index 2b71b3e..8a3761c 100755
--- a/scripts/detectionrule.py
+++ b/scripts/detectionrule.py
@@ -227,10 +227,30 @@ class DetectionRule:
 det_queries = {}
 for output in queries:
- cmd = ATCconfig.get('sigmac_path') + \
- ' --shoot-yourself-in-the-foot -t "' + \
- output + '" --ignore-backend-errors "' + self.yaml_file + \
- '" 2> /dev/null'
+ if output == "powershell":
+ cmd = ATCconfig.get('sigmac_path') + " -t " + output + \
+ " --config " + ATCconfig.get('powershell_sigma_config') + \
+ " --ignore-backend-errors " + self.yaml_file
+ elif output == "es-qs":
+ cmd = ATCconfig.get('sigmac_path') + " -t " + output + \
+ " --config " + ATCconfig.get('es-qs_sigma_config') + \
+ " --ignore-backend-errors " + self.yaml_file
+ elif output == "xpack-watcher":
+ cmd = ATCconfig.get('sigmac_path') + " -t " + output + \
+ " --config " + ATCconfig.get('xpack-watcher_sigma_config') + \
+ " --ignore-backend-errors " + self.yaml_file
+ elif output == "splunk":
+ cmd = ATCconfig.get('sigmac_path') + " -t " + output + \
+ " --config " + ATCconfig.get('splunk_sigma_config') + \
+ " --ignore-backend-errors " + self.yaml_file
+ elif output == "logpoint":
+ cmd = ATCconfig.get('sigmac_path') + " -t " + output + \
+ " --config " + ATCconfig.get('logpoint_sigma_config') + \
+ " --ignore-backend-errors " + self.yaml_file
+ else:
+ cmd = ATCconfig.get('sigmac_path') + ' --shoot-yourself-in-the-foot -t "' + \
+ output + '" --ignore-backend-errors "' + self.yaml_file + '"'
+
 p = subprocess.Popen(cmd, stdout=subprocess.PIPE, shell=True)
 (query, err) = p.communicate() # Wait for date to terminate. Get return returncode ##