From 96751a8d80ee1eaf3549943df4d3a0d1e63c9196 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Sat, 16 Sep 2023 23:23:55 +0200 Subject: [PATCH 1/8] feat: small updates and additions --- sigma/exceptions.py | 10 +++ sigma/pipelines/common.py | 108 ++++++++++++++++++++++------ sigma/rule.py | 31 ++++++-- sigma/validators/core/logsources.py | 10 ++- sigma/validators/core/metadata.py | 40 +++++++++++ sigma/validators/core/tags.py | 2 +- tests/test_validators.py | 85 +++++++++++++++++++++- 7 files changed, 257 insertions(+), 29 deletions(-) diff --git a/sigma/exceptions.py b/sigma/exceptions.py index d05fe41f..aca58008 100644 --- a/sigma/exceptions.py +++ b/sigma/exceptions.py @@ -83,6 +83,16 @@ class SigmaDateError(SigmaError): pass +class SigmaFieldsError(SigmaError): + """Error in Sigma rule fields""" + + pass + +class SigmaFalsePositivesError(SigmaError): + """Error in Sigma rule falsepositives""" + + pass + class SigmaStatusError(SigmaError): """Error in Sigma rule status""" diff --git a/sigma/pipelines/common.py b/sigma/pipelines/common.py index 40a01fe5..26ad3fcf 100644 --- a/sigma/pipelines/common.py +++ b/sigma/pipelines/common.py @@ -49,6 +49,14 @@ "shell-core": "Microsoft-Windows-Shell-Core/Operational", "openssh": "OpenSSH/Operational", "bitlocker": "Microsoft-Windows-BitLocker/BitLocker Management", + "vhdmp": "Microsoft-Windows-VHDMP/Operational", + "appxdeployment-server": "Microsoft-Windows-AppXDeploymentServer/Operational", + "lsa-server": "Microsoft-Windows-LSA/Operational", + "appxpackaging-om": "Microsoft-Windows-AppxPackaging/Operational", + "dns-client": "Microsoft-Windows-DNS Client Events/Operational", + "appmodel-runtime": "Microsoft-Windows-AppModel-Runtime/Admin", + "capi2": "Microsoft-Windows-CAPI2/Operational", + "certificateservicesclient-lifecycle-system": "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational", } 
@@ -58,6 +66,22 @@ def logsource_windows(service: str) -> LogsourceCondition: service=service, ) +def logsource_linux(service: str) -> LogsourceCondition: + return LogsourceCondition( + product="linux", + service=service, + ) + +def logsource_macos(service: str) -> LogsourceCondition: + return LogsourceCondition( + product="macos", + service=service, + ) + +def logsource_category(category: str) -> LogsourceCondition: + return LogsourceCondition( + category=category, + ) def logsource_windows_process_creation() -> LogsourceCondition: return LogsourceCondition( @@ -66,28 +90,28 @@ def logsource_windows_process_creation() -> LogsourceCondition: ) -def logsource_windows_registry_add(): +def logsource_windows_registry_add() -> LogsourceCondition: return LogsourceCondition( category="registry_add", product="windows", ) -def logsource_windows_registry_set(): +def logsource_windows_registry_set() -> LogsourceCondition: return LogsourceCondition( category="registry_set", product="windows", ) -def logsource_windows_registry_delete(): +def logsource_windows_registry_delete() -> LogsourceCondition: return LogsourceCondition( category="registry_delete", product="windows", ) -def logsource_windows_registry_event(): +def logsource_windows_registry_event() -> LogsourceCondition: return LogsourceCondition( category="registry_event", product="windows", 
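Review bot: `logsource_linux`, `logsource_macos` and `logsource_category` are added without docstrings, so a pipeline author has to read the body to learn that the first two fix `product` and take a `service` while the third matches on `category` alone; a one-liner such as `"""Logsource condition for product linux and the given service."""` on each would do. The two product helpers differ from the existing `logsource_windows` only in the `product` literal, so a private `_logsource_product(product: str, service: str) -> LogsourceCondition` that all three call would remove the triplicated constructor. The blank-line spacing between these definitions is already corrected in patch 3.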
@@ -101,105 +125,105 @@ def logsource_windows_file_change() -> LogsourceCondition: ) -def logsource_windows_file_event(): +def logsource_windows_file_event() -> LogsourceCondition: return LogsourceCondition( category="file_event", product="windows", ) -def logsource_windows_file_delete(): +def logsource_windows_file_delete() -> LogsourceCondition: return LogsourceCondition( category="file_delete", product="windows", ) -def logsource_windows_file_access(): +def logsource_windows_file_access() -> LogsourceCondition: return LogsourceCondition( category="file_access", product="windows", ) -def logsource_windows_file_rename(): +def logsource_windows_file_rename() -> LogsourceCondition: return LogsourceCondition( category="file_rename", product="windows", ) -def logsource_windows_image_load(): +def logsource_windows_image_load() -> LogsourceCondition: return LogsourceCondition( category="image_load", product="windows", ) -def logsource_windows_pipe_created(): +def logsource_windows_pipe_created() -> LogsourceCondition: return LogsourceCondition( category="pipe_created", product="windows", ) -def logsource_windows_ps_classic_start(): +def logsource_windows_ps_classic_start() -> LogsourceCondition: return LogsourceCondition( category="ps_classic_start", product="windows", ) -def logsource_windows_ps_module(): +def logsource_windows_ps_module() -> LogsourceCondition: return LogsourceCondition( category="ps_module", product="windows", ) -def logsource_windows_ps_script(): +def logsource_windows_ps_script() -> LogsourceCondition: return LogsourceCondition( category="ps_script", product="windows", ) -def logsource_windows_process_access(): +def logsource_windows_process_access() -> LogsourceCondition: return LogsourceCondition( category="process_access", product="windows", ) -def logsource_windows_raw_access_thread(): +def logsource_windows_raw_access_thread() -> LogsourceCondition: return LogsourceCondition( category="raw_access_thread", product="windows", ) -def 
logsource_windows_wmi_event(): +def logsource_windows_wmi_event() -> LogsourceCondition: return LogsourceCondition( category="wmi_event", product="windows", ) -def logsource_windows_driver_load(): +def logsource_windows_driver_load() -> LogsourceCondition: return LogsourceCondition( category="driver_load", product="windows", ) -def logsource_windows_create_stream_hash(): +def logsource_windows_create_stream_hash() -> LogsourceCondition: return LogsourceCondition( category="create_stream_hash", product="windows", ) -def logsource_windows_create_remote_thread(): +def logsource_windows_create_remote_thread() -> LogsourceCondition: return LogsourceCondition( category="create_remote_thread", product="windows", @@ -229,7 +253,7 @@ def logsource_windows_dns_query() -> LogsourceCondition: ) -def logsource_linux_process_creation(): +def logsource_linux_process_creation() -> LogsourceCondition: return LogsourceCondition( category="process_creation", product="linux", 
@@ -243,12 +267,54 @@ def logsource_linux_network_connection() -> LogsourceCondition: ) -def logsource_linux_file_create(): +def logsource_linux_file_create() -> LogsourceCondition: return LogsourceCondition( category="file_create", product="linux", ) +def logsource_macos_process_creation() -> LogsourceCondition: + return LogsourceCondition( + category="process_creation", + product="macos", + ) + +def logsource_macos_file_create() -> LogsourceCondition: + return LogsourceCondition( + category="file_create", + product="macos", + ) + +def logsource_azure_riskdetection() -> LogsourceCondition: + return LogsourceCondition( + category="riskdetection", + product="azure", + ) + +def logsource_azure_pim() -> LogsourceCondition: + return LogsourceCondition( + category="pim", + product="azure", + ) + +def logsource_azure_auditlogs() -> LogsourceCondition: + return LogsourceCondition( + category="auditlogs", + product="azure", + ) + +def logsource_azure_azureactivity() -> LogsourceCondition: + return LogsourceCondition( + category="azureactivity", + product="azure", + ) + +def logsource_azure_signinlogs() -> LogsourceCondition: + return LogsourceCondition( + category="signinlogs", + product="azure", + ) + def generate_windows_logsource_items( cond_field_template: str, diff --git a/sigma/rule.py b/sigma/rule.py index bfc2b436..48bb6dd8 100644 --- a/sigma/rule.py +++ b/sigma/rule.py 
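Review bot: The five `logsource_azure_*` helpers pass the Azure source name as `category=` (e.g. `category="signinlogs"`), whereas, as far as I recall, the public Sigma rule set expresses Azure sources as `service:` under `product: azure`; if that is the convention the rules these pipelines target follow, a `LogsourceCondition` keyed on `category` would never match them. Please confirm against the Azure rules and, if so, change the keyword to `service=` in all five, e.g. `service="signinlogs",`. A short docstring on each helper naming the rule logsource it is meant to match would make such a mismatch visible at review time.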
@@ -672,14 +672,21 @@ def from_dict( # Rule status validation status = rule.get("status") if status is not None: - try: - status = SigmaStatus[status.upper()] - except KeyError: + if isinstance(status, list): errors.append( sigma_exceptions.SigmaStatusError( - f"'{ status }' is no valid Sigma rule status", source=source + "Sigma rule status cannot be a list", source=source ) ) + else: + try: + status = SigmaStatus[status.upper()] + except KeyError: + errors.append( + sigma_exceptions.SigmaStatusError( + f"'{ status }' is no valid Sigma rule status", source=source + ) + ) # parse rule date if existing rule_date = rule.get("date") @@ -701,7 +708,23 @@ def from_dict( # validate fields rule_fields = rule.get("fields") if rule_fields is not None and not isinstance(rule_fields, list): + errors.append( + sigma_exceptions.SigmaFieldsError( + "Sigma rule fields must be a list", + source=source, + ) + ) raise SigmaTypeError("Sigma rule fields must be a list", source=source) + + # validate falsepositives + rule_falsepositives = rule.get("falsepositives") + if rule_falsepositives is not None and not isinstance(rule_fields, list): + errors.append( + sigma_exceptions.SigmaFalsePositivesError( + "Sigma rule falsepositives must be a list", + source=source, + ) + ) # parse log source logsource = None diff --git a/sigma/validators/core/logsources.py b/sigma/validators/core/logsources.py index 157b7dd7..c94661aa 100644 --- a/sigma/validators/core/logsources.py +++ b/sigma/validators/core/logsources.py @@ -17,6 +17,7 @@ 2: "file_change", 3: "network_connection", 5: "process_termination", + 4: "sysmon_status", 6: "driver_load", 7: "image_load", 8: "create_remote_thread", @@ -31,6 +32,7 @@ 13: "registry_event", 14: "registry_event", 15: "create_stream_hash", + 16: "sysmon_status", 17: "pipe_created", 18: "pipe_created", 19: "wmi_event", 
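Review bot: The new falsepositives check in the second rule.py hunk tests the wrong variable: `if rule_falsepositives is not None and not isinstance(rule_fields, list):` inspects `rule_fields`, so a non-list `falsepositives` is never reported while a rule with a proper `fields` list and `falsepositives: "some string"` is accepted; it should read `if rule_falsepositives is not None and not isinstance(rule_falsepositives, list):`. In the same hunk the fields check appends a `SigmaFieldsError` to `errors` and then immediately `raise`s `SigmaTypeError` for the same condition, so the collected error is never returned and callers still see the old exception type; either append and fall through (as the falsepositives branch below it does) or raise, not both. The wrong-variable line survives unchanged as context in the patch 3 reformat hunk `@@ -715,7 +715,7 @@`. The body of `from_dict` begins and ends outside this hunk.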
@@ -39,7 +41,13 @@ 22: "dns_query", 23: "file_delete", 26: "file_delete", - 24: "clipboard_capture", + 24: "clipboard_change", + 25: "process_tampering", + 26: "file_delete_detected", + 27: "file_block_executable", + 28: "file_block_shredding", + 29: "file_executable_detected", + 255: "sysmon_error", }, SigmaLogSource(None, "windows", "security"): { 4688: "process_creation", diff --git a/sigma/validators/core/metadata.py b/sigma/validators/core/metadata.py index f88c3089..a3839d23 100644 --- a/sigma/validators/core/metadata.py +++ b/sigma/validators/core/metadata.py @@ -50,3 +50,43 @@ def finalize(self) -> List[SigmaValidationIssue]: return [ IdentifierCollisionIssue(rules, id) for id, rules in self.ids.items() if len(rules) > 1 ] + +@dataclass +class TitleLengthIssue(SigmaValidationIssue): + description = "Rule has a title longer than 100 characters" + severity = SigmaValidationIssueSeverity.MEDIUM + + +class TitleLengthValidator(SigmaRuleValidator): + """Checks if rule has a title length longer than 100.""" + + def validate(self, rule: SigmaRule) -> List[SigmaValidationIssue]: + if len(rule.title) > 100: + return [TitleLengthIssue([rule])] + else: + return [] + +@dataclass +class DuplicateTitleIssue(SigmaValidationIssue): + description: ClassVar[str] = "Rule title used by multiple rules" + severity: ClassVar[SigmaValidationIssueSeverity] = SigmaValidationIssueSeverity.HIGH + title: str + + +class DuplicateTitleValidator(SigmaRuleValidator): + """Check rule title uniqueness.""" + + titles: Dict[str, List[SigmaRule]] + + def __init__(self): + self.titles = defaultdict(list) + + def validate(self, rule: SigmaRule) -> List[SigmaValidationIssue]: + if rule.title is not None: + self.titles[rule.title].append(rule) + return [] + + def finalize(self) -> List[SigmaValidationIssue]: + return [ + DuplicateTitleIssue(rules, title) for title, rules in self.titles.items() if len(rules) > 1 + ] \ No newline at end of file 
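Review bot: The Sysmon table in this hunk ends up with two entries for key 26: the existing context line `26: "file_delete",` and the added `26: "file_delete_detected",`; a Python dict literal silently keeps the last one, so the earlier mapping becomes dead and a rule selecting EventID 26 is steered to `file_delete_detected` whether or not that is intended. Drop one of the two lines, and if `file_delete_detected` is meant to replace `file_delete` for 26, make that an explicit `-`/`+` change rather than an addition. Several new targets (`sysmon_status`, `sysmon_error`, `file_block_shredding`, `file_executable_detected`) are also not obviously Sigma generic logsource categories; if a category does not exist, the validator will recommend a logsource that rules cannot use, and the patch 6 test edit that swaps EventID 255 for 999 looks like it is working around exactly that. The `4: "sysmon_status"` entry added in the `@@ -17,6 +17,7 @@` hunk above is placed after `5:`; keeping the table id-ordered makes duplicates like the one here easier to spot.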
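Review bot: `TitleLengthIssue` declares `description` and `severity` as bare class attributes, while `DuplicateTitleIssue` in the same hunk annotates them as `ClassVar[...]`; on a `@dataclass` the unannotated form only works because unannotated names are not fields, so for consistency use `description: ClassVar[str] = "Rule has a title longer than 100 characters"` and `severity: ClassVar[SigmaValidationIssueSeverity] = SigmaValidationIssueSeverity.MEDIUM`. The limit 100 is repeated in that description string, in the validator docstring and in `len(rule.title) > 100`; a single module constant such as `TITLE_MAX_LENGTH = 100` referenced from all three keeps them in step, and the docstring should say where the limit comes from if it is taken from the Sigma specification. `DuplicateTitleValidator.__init__` does not call `super().__init__()`; that is harmless only if `SigmaRuleValidator` has no initializer, so confirm it matches the existing id-based validator above, whose `__init__` is outside this hunk.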
diff --git a/sigma/validators/core/tags.py b/sigma/validators/core/tags.py index ae3c0a4c..105258c8 100644 --- a/sigma/validators/core/tags.py +++ b/sigma/validators/core/tags.py @@ -87,7 +87,7 @@ class TLPTagValidator(TLPTagValidatorBase): @dataclass class DuplicateTagIssue(SigmaValidationIssue): - description: ClassVar[str] = "The same tag appears mutliple times" + description: ClassVar[str] = "The same tag appears multiple times" severity: ClassVar[SigmaValidationIssueSeverity] = SigmaValidationIssueSeverity.MEDIUM tag: SigmaRuleTag diff --git a/tests/test_validators.py b/tests/test_validators.py index 78cc027c..3b1584a4 100644 --- a/tests/test_validators.py +++ b/tests/test_validators.py @@ -8,7 +8,7 @@ SigmaBase64OffsetModifier, SigmaContainsModifier, ) -from sigma.rule import SigmaDetectionItem, SigmaLogSource, SigmaRule, SigmaRuleTag +from sigma.rule import SigmaDetectionItem, SigmaLogSource, SigmaRule, SigmaRuleTag, SigmaRuleTitle from sigma.types import SigmaString from sigma.validators.core.logsources import ( SpecificInsteadOfGenericLogsourceValidator, @@ -19,6 +19,10 @@ IdentifierExistenceIssue, IdentifierExistenceValidator, IdentifierUniquenessValidator, + TitleLengthIssue, + TitleLengthValidator, + DuplicateTitleIssue, + DuplicateTitleValidator, ) from sigma.validators.core.condition import ( AllOfThemConditionIssue, @@ -259,7 +263,7 @@ def test_validator_them_condition_with_multiple_detection(): assert validator.validate(rule) == [] -def test_validator_all_of_then(): +def test_validator_all_of_them(): validator = AllOfThemConditionValidator() rule = SigmaRule.from_yaml( """ 
@@ -811,3 +815,80 @@ def test_validator_escaped_wildcard_valid(): """ ) assert validator.validate(rule) == [] + +def test_validator_lengthy_title(): + validator = TitleLengthValidator() + rule = SigmaRule.from_yaml( + """ + title: ThisIsAVeryLongTitleThisIsAVeryLongTitleThisIsAVeryLongTitleThisIsAVeryLongTitleThisIsAVeryLongTitleT + status: test + logsource: + category: test + detection: + sel: + field: path\\*something + condition: sel + """ + ) + assert validator.validate(rule) == [TitleLengthIssue([rule])] + +def test_validator_lengthy_title_valid(): + validator = TitleLengthValidator() + rule = SigmaRule.from_yaml( + """ + title: Test + status: test + logsource: + category: test + detection: + sel: + field: path\\*something + condition: sel + """ + ) + assert validator.validate(rule) == [] + +def test_validator_duplicate_title(): + validator = DuplicateTitleValidator() + rule = SigmaRule.from_yaml( + """ + title: Test + status: test + logsource: + category: test + detection: + sel: + field: value + condition: sel + """ + ) + assert validator.validate(rule) == [DuplicateTitleIssue([rule])] + +def test_validator_duplicate_title_valid(): + validator = DuplicateTitleValidator() + rule1 = SigmaRule.from_yaml( + """ + title: Test1 + status: test + logsource: + category: test + detection: + sel: + field: value + condition: sel + """ + ) + + rule2 = SigmaRule.from_yaml( + """ + title: Test2 + status: test + logsource: + category: test + detection: + sel: + field: value + condition: sel + """ + ) + assert validator.validate(rule1) == validator.validate(rule2) \ No newline at end of file From 18a608d7436e671f46fc11dda179dd1fb33f0c95 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Sat, 16 Sep 2023 23:30:28 +0200 Subject: [PATCH 2/8] Update rule.py --- sigma/rule.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sigma/rule.py b/sigma/rule.py index 48bb6dd8..556c8329 100644 --- a/sigma/rule.py 
+++ b/sigma/rule.py @@ -672,7 +672,7 @@ def from_dict( # Rule status validation status = rule.get("status") if status is not None: - if isinstance(status, list): + if not isinstance(status, str): errors.append( sigma_exceptions.SigmaStatusError( "Sigma rule status cannot be a list", source=source From 20fa09db1cb28ea52f9c27197f4fc9a59d954bab Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Sat, 16 Sep 2023 23:39:32 +0200 Subject: [PATCH 3/8] fix: reformat code --- sigma/exceptions.py | 2 ++ sigma/pipelines/common.py | 11 +++++++++++ sigma/rule.py | 2 +- sigma/validators/core/metadata.py | 8 ++++++-- tests/test_validators.py | 6 +++++- 5 files changed, 25 insertions(+), 4 deletions(-) diff --git a/sigma/exceptions.py b/sigma/exceptions.py index aca58008..b83f8925 100644 --- a/sigma/exceptions.py +++ b/sigma/exceptions.py @@ -83,11 +83,13 @@ class SigmaDateError(SigmaError): pass + class SigmaFieldsError(SigmaError): """Error in Sigma rule fields""" pass + class SigmaFalsePositivesError(SigmaError): """Error in Sigma rule falsepositives""" diff --git a/sigma/pipelines/common.py b/sigma/pipelines/common.py index 26ad3fcf..cf58e239 100644 --- a/sigma/pipelines/common.py +++ b/sigma/pipelines/common.py @@ -66,23 +66,27 @@ def logsource_windows(service: str) -> LogsourceCondition: service=service, ) + def logsource_linux(service: str) -> LogsourceCondition: return LogsourceCondition( product="linux", service=service, ) + def logsource_macos(service: str) -> LogsourceCondition: return LogsourceCondition( product="macos", service=service, ) + def logsource_category(category: str) -> LogsourceCondition: return LogsourceCondition( category=category, ) + def logsource_windows_process_creation() -> LogsourceCondition: return LogsourceCondition( category="process_creation", 
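Review bot: The condition now reads `if not isinstance(status, str):` but the message it appends is still `"Sigma rule status cannot be a list"`, so an integer, mapping or boolean status (`status: true` is easy to produce in YAML) is reported as a list. Make the message match the check, e.g. `"Sigma rule status must be a string"`. Note also that in this branch `status` keeps its raw non-string value and execution continues past the `if`, with the `SigmaStatus` conversion only happening in the `else` branch; the rest of `from_dict` is outside the hunk, so confirm the later use of `status` tolerates that when `errors` is non-empty.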
@@ -273,42 +277,49 @@ def logsource_linux_file_create() -> LogsourceCondition: product="linux", ) + def logsource_macos_process_creation() -> LogsourceCondition: return LogsourceCondition( category="process_creation", product="macos", ) + def logsource_macos_file_create() -> LogsourceCondition: return LogsourceCondition( category="file_create", product="macos", ) + def logsource_azure_riskdetection() -> LogsourceCondition: return LogsourceCondition( category="riskdetection", product="azure", ) + def logsource_azure_pim() -> LogsourceCondition: return LogsourceCondition( category="pim", product="azure", ) + def logsource_azure_auditlogs() -> LogsourceCondition: return LogsourceCondition( category="auditlogs", product="azure", ) + def logsource_azure_azureactivity() -> LogsourceCondition: return LogsourceCondition( category="azureactivity", product="azure", ) + def logsource_azure_signinlogs() -> LogsourceCondition: return LogsourceCondition( category="signinlogs", diff --git a/sigma/rule.py b/sigma/rule.py index 556c8329..91c32646 100644 --- a/sigma/rule.py +++ b/sigma/rule.py @@ -715,7 +715,7 @@ def from_dict( ) ) raise SigmaTypeError("Sigma rule fields must be a list", source=source) - + # validate falsepositives rule_falsepositives = rule.get("falsepositives") if rule_falsepositives is not None and not isinstance(rule_fields, list): diff --git a/sigma/validators/core/metadata.py b/sigma/validators/core/metadata.py index a3839d23..a7f77376 100644 --- a/sigma/validators/core/metadata.py +++ b/sigma/validators/core/metadata.py @@ -51,6 +51,7 @@ def finalize(self) -> List[SigmaValidationIssue]: IdentifierCollisionIssue(rules, id) for id, rules in self.ids.items() if len(rules) > 1 ] + @dataclass class TitleLengthIssue(SigmaValidationIssue): description = "Rule has a title longer than 100 characters" 
@@ -66,6 +67,7 @@ def validate(self, rule: SigmaRule) -> List[SigmaValidationIssue]: else: return [] + @dataclass class DuplicateTitleIssue(SigmaValidationIssue): description: ClassVar[str] = "Rule title used by multiple rules" @@ -88,5 +90,7 @@ def validate(self, rule: SigmaRule) -> List[SigmaValidationIssue]: def finalize(self) -> List[SigmaValidationIssue]: return [ - DuplicateTitleIssue(rules, title) for title, rules in self.titles.items() if len(rules) > 1 - ] \ No newline at end of file + DuplicateTitleIssue(rules, title) + for title, rules in self.titles.items() + if len(rules) > 1 + ] diff --git a/tests/test_validators.py b/tests/test_validators.py index 3b1584a4..6d3f0b99 100644 --- a/tests/test_validators.py +++ b/tests/test_validators.py @@ -816,6 +816,7 @@ def test_validator_escaped_wildcard_valid(): ) assert validator.validate(rule) == [] + def test_validator_lengthy_title(): validator = TitleLengthValidator() rule = SigmaRule.from_yaml( @@ -832,6 +833,7 @@ def test_validator_lengthy_title(): ) assert validator.validate(rule) == [TitleLengthIssue([rule])] + def test_validator_lengthy_title_valid(): validator = TitleLengthValidator() rule = SigmaRule.from_yaml( @@ -848,6 +850,7 @@ def test_validator_lengthy_title_valid(): ) assert validator.validate(rule) == [] + def test_validator_duplicate_title(): validator = DuplicateTitleValidator() rule = SigmaRule.from_yaml( @@ -864,6 +867,7 @@ def test_validator_duplicate_title(): ) assert validator.validate(rule) == [DuplicateTitleIssue([rule])] + def test_validator_duplicate_title_valid(): validator = DuplicateTitleValidator() rule1 = SigmaRule.from_yaml( @@ -891,4 +895,4 @@ def test_validator_duplicate_title_valid(): condition: sel """ ) - assert validator.validate(rule1) == validator.validate(rule2) \ No newline at end of file + assert validator.validate(rule1) == validator.validate(rule2) From 5ed563adfa0c492de6777d41d48371896c3394db Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Sat, 16 Sep 2023 23:51:10 +0200 Subject: [PATCH 4/8] Update test_validators.py --- tests/test_validators.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/test_validators.py b/tests/test_validators.py index 6d3f0b99..9e894abb 100644 --- a/tests/test_validators.py +++ b/tests/test_validators.py @@ -8,7 +8,7 @@ SigmaBase64OffsetModifier, SigmaContainsModifier, ) -from sigma.rule import SigmaDetectionItem, SigmaLogSource, SigmaRule, SigmaRuleTag, SigmaRuleTitle +from sigma.rule import SigmaDetectionItem, SigmaLogSource, SigmaRule, SigmaRuleTag from sigma.types import SigmaString from sigma.validators.core.logsources import ( SpecificInsteadOfGenericLogsourceValidator, From ef4643844b0db59cb82b943054c5d92494c015c9 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Sat, 16 Sep 2023 23:56:47 +0200 Subject: [PATCH 5/8] Update test_validators.py --- tests/test_validators.py | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/tests/test_validators.py b/tests/test_validators.py index 9e894abb..8fd20b3a 100644 --- a/tests/test_validators.py +++ b/tests/test_validators.py @@ -778,6 +778,12 @@ def test_validator_sysmon_insteadof_generic_logsource(): event_id=7, generic_logsource=SigmaLogSource("image_load"), ), + SpecificInsteadOfGenericLogsourceIssue( + rules=[rule], + logsource=logsource_sysmon, + event_id=7, + generic_logsource=SigmaLogSource("sysmon_error"), + ), ] @@ -865,7 +871,7 @@ def test_validator_duplicate_title(): condition: sel """ ) - assert validator.validate(rule) == [DuplicateTitleIssue([rule])] + assert validator.validate(rule) == [DuplicateTitleIssue([rule, "Test"])] def test_validator_duplicate_title_valid(): From fcdf85fe01b6e0d873718beb3fc473547b018baa Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Sat, 16 Sep 2023 23:59:46 +0200 Subject: [PATCH 6/8] Update test_validators.py --- tests/test_validators.py | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/tests/test_validators.py b/tests/test_validators.py index 8fd20b3a..500278fa 100644 --- a/tests/test_validators.py +++ b/tests/test_validators.py @@ -759,7 +759,7 @@ def test_validator_sysmon_insteadof_generic_logsource(): sel: EventID: - 1 - - 255 + - 999 - 7 condition: sel """ @@ -778,12 +778,6 @@ def test_validator_sysmon_insteadof_generic_logsource(): event_id=7, generic_logsource=SigmaLogSource("image_load"), ), - SpecificInsteadOfGenericLogsourceIssue( - rules=[rule], - logsource=logsource_sysmon, - event_id=7, - generic_logsource=SigmaLogSource("sysmon_error"), - ), ] @@ -871,7 +865,7 @@ def test_validator_duplicate_title(): condition: sel """ ) - assert validator.validate(rule) == [DuplicateTitleIssue([rule, "Test"])] + assert validator.validate(rule) == [DuplicateTitleIssue([rule], "Test")] def test_validator_duplicate_title_valid(): From ab34808ae2742d529f5c09f8c3ff7d6c522b2889 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Sun, 17 Sep 2023 00:01:52 +0200 Subject: [PATCH 7/8] Update test_validators.py --- tests/test_validators.py | 21 ++++++++++----------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/tests/test_validators.py b/tests/test_validators.py index 500278fa..77175803 100644 --- a/tests/test_validators.py +++ b/tests/test_validators.py @@ -853,9 +853,9 @@ def test_validator_lengthy_title_valid(): def test_validator_duplicate_title(): validator = DuplicateTitleValidator() - rule = SigmaRule.from_yaml( + rule1 = SigmaRule.from_yaml( """ - title: Test + title: Test1 status: test logsource: category: test 
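Review bot: Changing the EventID in `test_validator_sysmon_insteadof_generic_logsource` from 255 to 999 removes the only coverage of the `255: "sysmon_error"` entry added to the Sysmon table in patch 1 instead of deciding what the validator should do with it; 999 is not a Sysmon event id, so the test now only exercises the unknown-id path. If 255 is meant to produce a `sysmon_error` recommendation, keep 255 and assert that issue with `event_id=255`; if no such generic logsource exists for rules to use, remove the table entry instead. The expectation removed here carried `event_id=7` for what would have been the 255 issue, which is likely why it did not match in the first place.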
@@ -865,14 +865,10 @@ def test_validator_duplicate_title(): condition: sel """ ) - assert validator.validate(rule) == [DuplicateTitleIssue([rule], "Test")] - -def test_validator_duplicate_title_valid(): - validator = DuplicateTitleValidator() - rule1 = SigmaRule.from_yaml( + rule2 = SigmaRule.from_yaml( """ - title: Test1 + title: Test2 status: test logsource: category: test @@ -882,10 +878,13 @@ def test_validator_duplicate_title_valid(): condition: sel """ ) + assert validator.validate(rule1) == validator.validate(rule2) - rule2 = SigmaRule.from_yaml( +def test_validator_duplicate_title_valid(): + validator = DuplicateTitleValidator() + rule = SigmaRule.from_yaml( """ - title: Test2 + title: Test status: test logsource: category: test @@ -895,4 +894,4 @@ def test_validator_duplicate_title_valid(): condition: sel """ ) - assert validator.validate(rule1) == validator.validate(rule2) + assert validator.validate(rule) == [] \ No newline at end of file From 25a9c7a3ac843122f8e9993bec504de7b28b3528 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Sun, 17 Sep 2023 00:03:04 +0200 Subject: [PATCH 8/8] Update test_validators.py --- tests/test_validators.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tests/test_validators.py b/tests/test_validators.py index 77175803..5bad4c61 100644 --- a/tests/test_validators.py +++ b/tests/test_validators.py @@ -880,6 +880,7 @@ def test_validator_duplicate_title(): ) assert validator.validate(rule1) == validator.validate(rule2) + def test_validator_duplicate_title_valid(): validator = DuplicateTitleValidator() rule = SigmaRule.from_yaml( @@ -894,4 +895,4 @@ def test_validator_duplicate_title_valid(): condition: sel """ ) - assert validator.validate(rule) == [] \ No newline at end of file + assert validator.validate(rule) == []
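Review bot: After this reshuffle neither duplicate-title test reaches `DuplicateTitleValidator.finalize()`, which is the only place a `DuplicateTitleIssue` is produced: `test_validator_duplicate_title` feeds two rules with different titles (`Test1`, `Test2`) and asserts `validator.validate(rule1) == validator.validate(rule2)`, which holds only because `validate` always returns `[]`, and `test_validator_duplicate_title_valid` asserts that same `[]` for a single rule. The duplicate case should give both rules the same title and then check `assert validator.finalize() == [DuplicateTitleIssue([rule1, rule2], "Test")]` after validating both, and the valid case should end with `assert validator.finalize() == []`. As written, both tests would still pass if `finalize` were deleted. The trailing-newline fix in patch 8 does not change this.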