Merge pull request #147 from nasbench/updates
feat: small updates and additions
thomaspatzke authored Sep 18, 2023
2 parents 8644d50 + 25a9c7a commit 6f1c588
Showing 7 changed files with 278 additions and 29 deletions.
12 changes: 12 additions & 0 deletions sigma/exceptions.py
Expand Up @@ -84,6 +84,18 @@ class SigmaDateError(SigmaError):
pass


class SigmaFieldsError(SigmaError):
"""Error in Sigma rule fields"""

pass


class SigmaFalsePositivesError(SigmaError):
"""Error in Sigma rule falsepositives"""

pass


class SigmaStatusError(SigmaError):
"""Error in Sigma rule status"""

119 changes: 98 additions & 21 deletions sigma/pipelines/common.py
Expand Up @@ -49,6 +49,14 @@
"shell-core": "Microsoft-Windows-Shell-Core/Operational",
"openssh": "OpenSSH/Operational",
"bitlocker": "Microsoft-Windows-BitLocker/BitLocker Management",
"vhdmp": "Microsoft-Windows-VHDMP/Operational",
"appxdeployment-server": "Microsoft-Windows-AppXDeploymentServer/Operational",
"lsa-server": "Microsoft-Windows-LSA/Operational",
"appxpackaging-om": "Microsoft-Windows-AppxPackaging/Operational",
"dns-client": "Microsoft-Windows-DNS Client Events/Operational",
"appmodel-runtime": "Microsoft-Windows-AppModel-Runtime/Admin",
"capi2": "Microsoft-Windows-CAPI2/Operational",
"certificateservicesclient-lifecycle-system": "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational",
}


Expand All @@ -59,35 +67,55 @@ def logsource_windows(service: str) -> LogsourceCondition:
)


def logsource_linux(service: str) -> LogsourceCondition:
return LogsourceCondition(
product="linux",
service=service,
)


def logsource_macos(service: str) -> LogsourceCondition:
return LogsourceCondition(
product="macos",
service=service,
)


def logsource_category(category: str) -> LogsourceCondition:
return LogsourceCondition(
category=category,
)


def logsource_windows_process_creation() -> LogsourceCondition:
return LogsourceCondition(
category="process_creation",
product="windows",
)


def logsource_windows_registry_add():
def logsource_windows_registry_add() -> LogsourceCondition:
return LogsourceCondition(
category="registry_add",
product="windows",
)


def logsource_windows_registry_set():
def logsource_windows_registry_set() -> LogsourceCondition:
return LogsourceCondition(
category="registry_set",
product="windows",
)


def logsource_windows_registry_delete():
def logsource_windows_registry_delete() -> LogsourceCondition:
return LogsourceCondition(
category="registry_delete",
product="windows",
)


def logsource_windows_registry_event():
def logsource_windows_registry_event() -> LogsourceCondition:
return LogsourceCondition(
category="registry_event",
product="windows",
Expand All @@ -101,105 +129,105 @@ def logsource_windows_file_change() -> LogsourceCondition:
)


def logsource_windows_file_event():
def logsource_windows_file_event() -> LogsourceCondition:
return LogsourceCondition(
category="file_event",
product="windows",
)


def logsource_windows_file_delete():
def logsource_windows_file_delete() -> LogsourceCondition:
return LogsourceCondition(
category="file_delete",
product="windows",
)


def logsource_windows_file_access():
def logsource_windows_file_access() -> LogsourceCondition:
return LogsourceCondition(
category="file_access",
product="windows",
)


def logsource_windows_file_rename():
def logsource_windows_file_rename() -> LogsourceCondition:
return LogsourceCondition(
category="file_rename",
product="windows",
)


def logsource_windows_image_load():
def logsource_windows_image_load() -> LogsourceCondition:
return LogsourceCondition(
category="image_load",
product="windows",
)


def logsource_windows_pipe_created():
def logsource_windows_pipe_created() -> LogsourceCondition:
return LogsourceCondition(
category="pipe_created",
product="windows",
)


def logsource_windows_ps_classic_start():
def logsource_windows_ps_classic_start() -> LogsourceCondition:
return LogsourceCondition(
category="ps_classic_start",
product="windows",
)


def logsource_windows_ps_module():
def logsource_windows_ps_module() -> LogsourceCondition:
return LogsourceCondition(
category="ps_module",
product="windows",
)


def logsource_windows_ps_script():
def logsource_windows_ps_script() -> LogsourceCondition:
return LogsourceCondition(
category="ps_script",
product="windows",
)


def logsource_windows_process_access():
def logsource_windows_process_access() -> LogsourceCondition:
return LogsourceCondition(
category="process_access",
product="windows",
)


def logsource_windows_raw_access_thread():
def logsource_windows_raw_access_thread() -> LogsourceCondition:
return LogsourceCondition(
category="raw_access_thread",
product="windows",
)


def logsource_windows_wmi_event():
def logsource_windows_wmi_event() -> LogsourceCondition:
return LogsourceCondition(
category="wmi_event",
product="windows",
)


def logsource_windows_driver_load():
def logsource_windows_driver_load() -> LogsourceCondition:
return LogsourceCondition(
category="driver_load",
product="windows",
)


def logsource_windows_create_stream_hash():
def logsource_windows_create_stream_hash() -> LogsourceCondition:
return LogsourceCondition(
category="create_stream_hash",
product="windows",
)


def logsource_windows_create_remote_thread():
def logsource_windows_create_remote_thread() -> LogsourceCondition:
return LogsourceCondition(
category="create_remote_thread",
product="windows",
Expand Down Expand Up @@ -229,7 +257,7 @@ def logsource_windows_dns_query() -> LogsourceCondition:
)


def logsource_linux_process_creation():
def logsource_linux_process_creation() -> LogsourceCondition:
return LogsourceCondition(
category="process_creation",
product="linux",
Expand All @@ -243,13 +271,62 @@ def logsource_linux_network_connection() -> LogsourceCondition:
)


def logsource_linux_file_create():
def logsource_linux_file_create() -> LogsourceCondition:
return LogsourceCondition(
category="file_create",
product="linux",
)


def logsource_macos_process_creation() -> LogsourceCondition:
return LogsourceCondition(
category="process_creation",
product="macos",
)


def logsource_macos_file_create() -> LogsourceCondition:
return LogsourceCondition(
category="file_create",
product="macos",
)


def logsource_azure_riskdetection() -> LogsourceCondition:
return LogsourceCondition(
category="riskdetection",
product="azure",
)


def logsource_azure_pim() -> LogsourceCondition:
return LogsourceCondition(
category="pim",
product="azure",
)


def logsource_azure_auditlogs() -> LogsourceCondition:
return LogsourceCondition(
category="auditlogs",
product="azure",
)


def logsource_azure_azureactivity() -> LogsourceCondition:
return LogsourceCondition(
category="azureactivity",
product="azure",
)


def logsource_azure_signinlogs() -> LogsourceCondition:
return LogsourceCondition(
category="signinlogs",
product="azure",
)


def generate_windows_logsource_items(
cond_field_template: str,
cond_value_template: str,
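Review bot: The new `logsource_azure_riskdetection`, `logsource_azure_pim`, `logsource_azure_auditlogs`, `logsource_azure_azureactivity` and `logsource_azure_signinlogs` helpers build their conditions with `category=`, but as far as I recall the Azure rules in the public Sigma rule set declare these names under `service:` (the same axis the existing `logsource_windows(service)`/`logsource_linux(service)`/`logsource_macos(service)` helpers use), so a pipeline keyed on these conditions would never match those rules; please check against the Sigma logsource reference and, if confirmed, switch them to `service=`, e.g. `return LogsourceCondition(product="azure", service="signinlogs")`. Independently, none of the newly added or re-annotated helpers in this file carries a docstring, so a one-liner per function such as `"""Match rules with logsource product: azure, service: signinlogs."""` would make the mapping self-documenting and catch mistakes like the one above at review time. The `generate_windows_logsource_items` signature at the end of this hunk continues outside it.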
31 changes: 27 additions & 4 deletions sigma/rule.py
Expand Up @@ -672,14 +672,21 @@ def from_dict(
# Rule status validation
status = rule.get("status")
if status is not None:
try:
status = SigmaStatus[status.upper()]
except KeyError:
if not isinstance(status, str):
errors.append(
sigma_exceptions.SigmaStatusError(
f"'{ status }' is no valid Sigma rule status", source=source
"Sigma rule status cannot be a list", source=source
)
)
else:
try:
status = SigmaStatus[status.upper()]
except KeyError:
errors.append(
sigma_exceptions.SigmaStatusError(
f"'{ status }' is no valid Sigma rule status", source=source
)
)

# parse rule date if existing
rule_date = rule.get("date")
Expand All @@ -701,8 +708,24 @@ def from_dict(
# validate fields
rule_fields = rule.get("fields")
if rule_fields is not None and not isinstance(rule_fields, list):
errors.append(
sigma_exceptions.SigmaFieldsError(
"Sigma rule fields must be a list",
source=source,
)
)
raise SigmaTypeError("Sigma rule fields must be a list", source=source)

# validate falsepositives
rule_falsepositives = rule.get("falsepositives")
if rule_falsepositives is not None and not isinstance(rule_fields, list):
errors.append(
sigma_exceptions.SigmaFalsePositivesError(
"Sigma rule falsepositives must be a list",
source=source,
)
)

# parse log source
logsource = None
try:
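Review bot: The new falsepositives validation tests the wrong variable: `if rule_falsepositives is not None and not isinstance(rule_fields, list):` inspects `rule_fields`, so a non-list `falsepositives` value is never reported, and a non-list `fields` value is reported twice (once as `SigmaFieldsError`, once as `SigmaFalsePositivesError`) whenever `falsepositives` is present. It should read `if rule_falsepositives is not None and not isinstance(rule_falsepositives, list):`. In the status hunk above, the message `"Sigma rule status cannot be a list"` is emitted for any non-string value (an int or a mapping too), so `"Sigma rule status must be a string"` would describe what the `isinstance(status, str)` check actually rejects. Since the `fields` check now records an error instead of raising, a non-list `rule_fields` flows on to the rest of `from_dict`, which continues outside this hunk; worth confirming nothing downstream assumes it is a list.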
10 changes: 9 additions & 1 deletion sigma/validators/core/logsources.py
Expand Up @@ -17,6 +17,7 @@
2: "file_change",
3: "network_connection",
5: "process_termination",
4: "sysmon_status",
6: "driver_load",
7: "image_load",
8: "create_remote_thread",
Expand All @@ -31,6 +32,7 @@
13: "registry_event",
14: "registry_event",
15: "create_stream_hash",
16: "sysmon_status",
17: "pipe_created",
18: "pipe_created",
19: "wmi_event",
Expand All @@ -39,7 +41,13 @@
22: "dns_query",
23: "file_delete",
26: "file_delete",
24: "clipboard_capture",
24: "clipboard_change",
25: "process_tampering",
26: "file_delete_detected",
27: "file_block_executable",
28: "file_block_shredding",
29: "file_executable_detected",
255: "sysmon_error",
},
SigmaLogSource(None, "windows", "security"): {
4688: "process_creation",
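Review bot: The added `26: "file_delete_detected",` duplicates the key `26` that this dict literal already holds two lines earlier as `26: "file_delete",`; Python keeps the last occurrence silently, so event ID 26 now resolves to `file_delete_detected` and the retained `file_delete` entry is dead code (ruff reports this as F601). Whichever category name the validator is meant to emit for Sysmon event 26, one of the two lines should be removed so the mapping is explicit rather than decided by literal order; I cannot tell from the hunk which name other parts of the project expect, so please confirm before choosing. A smaller point: the new `4: "sysmon_status",` is inserted after the `5:` entry, while the rest of the literal is in ascending ID order, so moving it above `5:` would keep the table scannable. The enclosing dict literal starts outside this hunk.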