misp-modules/misp_modules/modules/expansion/sigma_queries.py

import io
import json
try:
    from sigma.parser.collection import SigmaCollectionParser
    from sigma.configuration import SigmaConfiguration
    from sigma.backends.discovery import getBackend
except ImportError:
    print("sigma or yaml is missing, use 'pip3 install sigmatools' to install it.")

misperrors = {'error': 'Error'}
mispattributes = {'input': ['sigma'], 'output': ['text']}
moduleinfo = {
    'version': '0.1',
    'author': 'Christian Studer',
    'module-type': ['expansion', 'hover'],
    'name': 'Sigma Rule Converter',
    'description': 'An expansion hover module to display the result of sigma queries.',
    'logo': 'sigma.png',
    'requirements': ['Sigma python library'],
    'features': 'This module takes a Sigma rule attribute as input and tries all the different queries available to convert it into different formats recognized by SIEMs.',
    'references': ['https://github.com/Neo23x0/sigma/wiki'],
    'input': 'A Sigma attribute.',
    'output': 'Text displaying results of queries on the Sigma attribute.',
}
moduleconfig = []
sigma_targets = ('es-dsl', 'es-qs', 'graylog', 'kibana', 'xpack-watcher', 'logpoint', 'splunk', 'grep', 'mdatp', 'splunkxml', 'arcsight', 'qualys')


def handler(q=False):
    if q is False:
        return False
    request = json.loads(q)
    if not request.get('sigma'):
        misperrors['error'] = 'Sigma rule missing'
        return misperrors
    config = SigmaConfiguration()
    f = io.TextIOWrapper(io.BytesIO(request.get('sigma').encode()), encoding='utf-8')
    parser = SigmaCollectionParser(f, config)
    targets = []
    results = []
    for t in sigma_targets:
        backend = getBackend(t)(config, {'rulecomment': False})
        try:
            parser.generate(backend)
            result = backend.finalize()
            if result:
                results.append(result)
                targets.append(t)
        except Exception:
            continue
    d_result = {t: r.strip() for t, r in zip(targets, results)}
    return {'results': [{'types': mispattributes['output'], 'values': d_result}]}


def introspection():
    return mispattributes


def version():
    moduleinfo['config'] = moduleconfig
    return moduleinfo
fix: Make pep8 happy 2018-12-11 15:29:09 +01:00			`import io`
			`import json`
add: Experimental expansion module to display the SIEM signatures from a sigma rule 2018-07-11 23:43:42 +02:00			`try:`
fix: Change in the imports in other sigma module 2019-01-21 14:14:19 +01:00			`from sigma.parser.collection import SigmaCollectionParser`
			`from sigma.configuration import SigmaConfiguration`
			`from sigma.backends.discovery import getBackend`
fix: Making python 3.5 happy with the exception type ImportError 2018-09-08 02:53:15 +02:00			`except ImportError:`
add: Experimental expansion module to display the SIEM signatures from a sigma rule 2018-07-11 23:43:42 +02:00			`print("sigma or yaml is missing, use 'pip3 install sigmatools' to install it.")`

			`misperrors = {'error': 'Error'}`
			`mispattributes = {'input': ['sigma'], 'output': ['text']}`
chg: [doc] Big doc revamp #680 2024-08-12 11:23:10 +02:00			`moduleinfo = {`
			`'version': '0.1',`
			`'author': 'Christian Studer',`
			`'module-type': ['expansion', 'hover'],`
			`'name': 'Sigma Rule Converter',`
			`'description': 'An expansion hover module to display the result of sigma queries.',`
			`'logo': 'sigma.png',`
			`'requirements': ['Sigma python library'],`
			`'features': 'This module takes a Sigma rule attribute as input and tries all the different queries available to convert it into different formats recognized by SIEMs.',`
			`'references': ['https://github.com/Neo23x0/sigma/wiki'],`
			`'input': 'A Sigma attribute.',`
			`'output': 'Text displaying results of queries on the Sigma attribute.',`
			`}`
add: Experimental expansion module to display the SIEM signatures from a sigma rule 2018-07-11 23:43:42 +02:00			`moduleconfig = []`
fix: Fixed list of sigma backends 2020-07-03 10:10:24 +02:00			`sigma_targets = ('es-dsl', 'es-qs', 'graylog', 'kibana', 'xpack-watcher', 'logpoint', 'splunk', 'grep', 'mdatp', 'splunkxml', 'arcsight', 'qualys')`
add: Experimental expansion module to display the SIEM signatures from a sigma rule 2018-07-11 23:43:42 +02:00
fix: Make pep8 happy 2018-12-11 15:29:09 +01:00
add: Experimental expansion module to display the SIEM signatures from a sigma rule 2018-07-11 23:43:42 +02:00			`def handler(q=False):`
			`if q is False:`
			`return False`
			`request = json.loads(q)`
			`if not request.get('sigma'):`
			`misperrors['error'] = 'Sigma rule missing'`
			`return misperrors`
			`config = SigmaConfiguration()`
			`f = io.TextIOWrapper(io.BytesIO(request.get('sigma').encode()), encoding='utf-8')`
fix: Support of the latest version of sigmatools 2019-06-15 08:06:47 +02:00			`parser = SigmaCollectionParser(f, config)`
add: Experimental expansion module to display the SIEM signatures from a sigma rule 2018-07-11 23:43:42 +02:00			`targets = []`
fix: Support of the latest version of sigmatools 2019-06-15 08:06:47 +02:00			`results = []`
add: Experimental expansion module to display the SIEM signatures from a sigma rule 2018-07-11 23:43:42 +02:00			`for t in sigma_targets:`
fix: Support of the latest version of sigmatools 2019-06-15 08:06:47 +02:00			`backend = getBackend(t)(config, {'rulecomment': False})`
add: Experimental expansion module to display the SIEM signatures from a sigma rule 2018-07-11 23:43:42 +02:00			`try:`
			`parser.generate(backend)`
fix: Support of the latest version of sigmatools 2019-06-15 08:06:47 +02:00			`result = backend.finalize()`
			`if result:`
			`results.append(result)`
			`targets.append(t)`
fix: Making travis happy 2019-06-15 08:17:29 +02:00			`except Exception:`
add: Experimental expansion module to display the SIEM signatures from a sigma rule 2018-07-11 23:43:42 +02:00			`continue`
fix: Make pep8 happy 2018-12-11 15:29:09 +01:00			`d_result = {t: r.strip() for t, r in zip(targets, results)}`
add: Experimental expansion module to display the SIEM signatures from a sigma rule 2018-07-11 23:43:42 +02:00			`return {'results': [{'types': mispattributes['output'], 'values': d_result}]}`

fix: Make pep8 happy 2018-12-11 15:29:09 +01:00
add: Experimental expansion module to display the SIEM signatures from a sigma rule 2018-07-11 23:43:42 +02:00			`def introspection():`
			`return mispattributes`

fix: Make pep8 happy 2018-12-11 15:29:09 +01:00
add: Experimental expansion module to display the SIEM signatures from a sigma rule 2018-07-11 23:43:42 +02:00			`def version():`
			`moduleinfo['config'] = moduleconfig`
			`return moduleinfo`