Merge pull request #33 from Yamato-Security/enable-expand-fieldref

feat: Keep `expand` `fieldref` modifier as is
Yamato-Security · Dec 28, 2024 · c66cc4c · c66cc4c
2 parents 6f2ee40 + 9244ab3
commit c66cc4c
Showing 1 changed file with 2 additions and 18 deletions.
diff --git a/sigma-to-hayabusa-converter.py b/sigma-to-hayabusa-converter.py
@@ -155,20 +155,6 @@ def referenced_rule_is_uuid(obj: dict) -> bool:
     except ValueError:
         return False
 
-def contains_fieldref_key(obj):
-    if isinstance(obj, dict):
-        for key, value in obj.copy().items():
-            if 'fieldref' in key:
-                obj.pop(key)
-                obj[key.replace('fieldref', 'equalsfield')] = value
-                return True
-            if contains_fieldref_key(value):
-                return True
-    elif isinstance(obj, list):
-        for item in obj:
-            if contains_fieldref_key(item):
-                return True
-    return False
 
 @dataclass(frozen=True)
 class LogSource:
@@ -362,7 +348,7 @@ def check_and_get_logsource(self, obj: dict) -> list[LogSource]:
             return []
         keys = get_terminal_keys_recursive(obj["detection"], [])
         modifiers = {re.sub(r".*\|", "", k) for k in keys if "|" in k}
-        convertible = ["all", "base64", "base64offset", "cidr", "contains", "endswith", "endswithfield", "equalsfield", "cased", "exists",
+        convertible = ["all", "base64", "base64offset", "cidr", "contains", "endswith", "endswithfield", "equalsfield", "cased", "exists", "expand",
                        "re", "i", "m", "s", "startswith", "windash", "fieldref", "gt", "gte", "lt", "lte", "utf16", "utf16be", "utf16le", "wide"]
         if modifiers and [m for m in modifiers if m not in convertible]:
             LOGGER.error(f"This rule has incompatible field: {obj['detection']}. Conversion skipped.")
@@ -434,7 +420,6 @@ def convert(self):
                 return  # ログソースマッピングにないcategory/serviceのため、変換処理はスキップ
             for ls in logsources:
                 new_obj = self.convert_rule(obj_list[0], ls)
-                contains_fieldref_key(new_obj)
                 if not new_obj:
                     return
                 if ls.service == "sysmon":
@@ -525,6 +510,7 @@ def build_out_path(base_dir: str, out_dir: str, sigma_path: str, sysmon: bool) -
     new_path = new_path.replace('/rules-dfir', '/dfir')
     new_path = new_path.replace('/rules-emerging-threats', '/emerging-threats')
     new_path = new_path.replace('/rules-threat-hunting', '/threat-hunting')
+    new_path = new_path.replace('/rules-placeholder', '/placeholder')
     new_path = new_path.replace('/rules', '')
     if sysmon:
         return out_dir + '/sysmon' + new_path
@@ -625,8 +611,6 @@ def find_windows_sigma_rule_files(root: str, rule_pattern: str):
             filepath = os.path.join(dirpath, filename)
             if not any(target in dirpath for target in ["rule", "deprecated", "unsupported"]):
                 continue  # フォルダパスにrule/deprecated/unsupportedがつかないものは、Sigmaルールと関係ないため、除外
-            if  any(target in dirpath for target in ["rules-placeholder"]):
-                continue  # rules-placeholderはサポートしていないため、除外
             try:
                 with open(filepath, encoding="utf-8") as f:
                     yaml = ruamel.yaml.YAML()