def set_argparser():
    """Build the command line parser for sigmac.

    Only constructs the parser; nothing is parsed here, the caller runs
    ``parse_args()`` on the returned object.

    Returns:
        argparse.ArgumentParser: parser with every sigmac option registered.
    """
    filter_help = """
    Define comma-separated filters that must match (AND-linked) to rule to be processed.
    Valid filters: level<=x, level>=x, level=x, status=y, logsource=z, tag=t.
    x is one of: low, medium, high, critical.
    y is one of: experimental, testing, stable.
    z is a word appearing in an arbitrary log source attribute.
    t is a tag that must appear in the rules tag list, case-insensitive matching.
    Multiple log source specifications are AND linked.
            """
    # (option strings, add_argument keyword arguments); registration order
    # is kept because it is the order shown by --help.
    option_specs = [
        (("--recurse", "-r"),
         dict(action="store_true", help="Use directory as input (recurse into subdirectories is not implemented yet)")),
        (("--filter", "-f"), dict(help=filter_help)),
        # Valid targets are whatever backends are registered at import time.
        (("--target", "-t"),
         dict(choices=backends.getBackendDict().keys(), help="Output target format")),
        (("--lists", "-l"),
         dict(action="store_true", help="List available output target formats and configurations")),
        # action="append": every -c occurrence is collected; the help text
        # documents that the last one wins on conflicting keys.
        (("--config", "-c"),
         dict(action="append", help="Configurations with field name and index mapping for target environment. Multiple configurations are merged into one. Last config is authorative in case of conflicts.")),
        (("--output", "-o"),
         dict(default=None, help="Output file or filename prefix if multiple files are generated")),
        (("--backend-option", "-O"),
         dict(action="append", help="Options and switches that are passed to the backend")),
        # NOTE(review): only the path is collected here; the YAML loader lives
        # elsewhere -- confirm it uses a safe loader on this user-supplied file.
        (("--backend-config", "-C"),
         dict(help="Configuration file (YAML format) containing options to pass to the backend")),
        # Custom action defined elsewhere in this module.
        (("--backend-help",),
         dict(action=ActionBackendHelp, help="Print backend options")),
        (("--defer-abort", "-d"),
         dict(action="store_true", help="Don't abort on parse or conversion errors, proceed with next rule. The exit code from the last error is returned")),
        (("--ignore-backend-errors", "-I"),
         dict(action="store_true", help="Only return error codes for parse errors and ignore errors for rules that cause backend errors. Useful, when you want to get as much queries as possible.")),
        # Deliberately hidden from --help output (argparse.SUPPRESS).
        (("--shoot-yourself-in-the-foot",),
         dict(action="store_true", help=argparse.SUPPRESS)),
        (("--verbose", "-v"), dict(action="store_true", help="Be verbose")),
        (("--debug", "-D"), dict(action="store_true", help="Debugging output")),
        # Positional: zero or more rule files, "-" meaning stdin.
        (("inputs",), dict(nargs="*", help="Sigma input files ('-' for stdin)")),
    ]

    parser = argparse.ArgumentParser(description="Convert Sigma rules into SIEM signatures.")
    for option_strings, kwargs in option_specs:
        parser.add_argument(*option_strings, **kwargs)
    return parser
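def set_argparser():
    """Build the command line parser for sigmac.

    Only constructs the parser; nothing is parsed here, the caller runs
    ``parse_args()`` on the returned object.

    Returns:
        argparse.ArgumentParser: parser with every sigmac option registered.
    """
    argparser = argparse.ArgumentParser(
        description="Convert Sigma rules into SIEM signatures.")
    argparser.add_argument(
        "--recurse",
        "-r",
        action="store_true",
        help=
        "Use directory as input (recurse into subdirectories is not implemented yet)"
    )
    argparser.add_argument("--filter",
                           "-f",
                           help="""
    Define comma-separated filters that must match (AND-linked) to rule to be processed.
    Valid filters: level<=x, level>=x, level=x, status=y, logsource=z, tag=t, target=o.
    x is one of: low, medium, high, critical.
    y is one of: experimental, testing, stable.
    z is a word appearing in an arbitrary log source attribute.
    t is a tag that must appear in the rules tag list, case-insensitive matching.
    o is a target that must appear in the rules target list, case-insensitive matching.
    Multiple log source specifications are AND linked.
    Special filter:
    inlastday=X rule create or modified in the last X days period
    tlp=valid_tlp if rule have no tlp set to WHITE 
            """)
    # Valid targets are whatever backends are registered at import time.
    argparser.add_argument("--target",
                           "-t",
                           choices=backends.getBackendDict().keys(),
                           help="Output target format")
    argparser.add_argument(
        "--lists",
        "-l",
        action="store_true",
        help="List available output target formats and configurations")
    # action="append": every -c occurrence is collected; the help text
    # documents that the last one wins on conflicting keys.
    argparser.add_argument(
        "--config",
        "-c",
        action="append",
        help=
        "Configurations with field name and index mapping for target environment. Multiple configurations are merged into one. Last config is authoritative in case of conflicts."
    )
    argparser.add_argument(
        "--output",
        "-o",
        default=None,
        help="Output file or filename prefix (if end with a '_','/' or '\\')")
    argparser.add_argument(
        "--output-fields",
        "-of",
        help=
        """Enhance your output with additional fields from the Sigma rule (not only the converted rule itself). 
    Select the fields you want by providing their list delimited with commas (no space). Only work with the '--output-format' option and with 'json' or 'yaml' value.
    available additional fields : title, id, status, description, author, references, fields, falsepositives, level, tags.
    This option do not have any effect for backends that already format output : elastalert, kibana, splukxml etc. """
    )
    argparser.add_argument(
        "--output-format",
        "-oF",
        choices=["json", "yaml"],
        help=
        "Use only if you want to have JSON or YAML output (default is raw text)"
    )
    # The historical spelling "--output-extention" stays first so the dest
    # remains args.output_extention for existing callers; the correctly
    # spelled "--output-extension" is accepted as an alias.
    argparser.add_argument(
        "--output-extention",
        "--output-extension",
        "-e",
        default=None,
        help="Extension of Output file for filename prefix use")
    argparser.add_argument("--print0",
                           action="store_true",
                           help="Delimit results by NUL-character")
    argparser.add_argument(
        "--backend-option",
        "-O",
        action="append",
        help="Options and switches that are passed to the backend")
    # NOTE(review): only the path is collected here; the YAML loader lives
    # elsewhere -- confirm it uses a safe loader on this user-supplied file.
    argparser.add_argument(
        "--backend-config",
        "-C",
        help=
        "Configuration file (YAML format) containing options to pass to the backend"
    )
    # Custom action defined elsewhere in this module.
    argparser.add_argument("--backend-help",
                           action=ActionBackendHelp,
                           help="Print backend options")
    argparser.add_argument(
        "--defer-abort",
        "-d",
        action="store_true",
        help=
        "Don't abort on parse or conversion errors, proceed with next rule. The exit code from the last error is returned"
    )
    argparser.add_argument(
        "--ignore-backend-errors",
        "-I",
        action="store_true",
        help=
        "Only return error codes for parse errors and ignore errors for rules that cause backend errors. Useful, when you want to get as much queries as possible."
    )
    # Deliberately hidden from --help output (argparse.SUPPRESS).
    argparser.add_argument("--shoot-yourself-in-the-foot",
                           action="store_true",
                           help=argparse.SUPPRESS)
    argparser.add_argument("--verbose",
                           "-v",
                           action="store_true",
                           help="Be verbose")
    argparser.add_argument("--debug",
                           "-D",
                           action="store_true",
                           help="Debugging output")
    # Positional: zero or more rule files, "-" meaning stdin.
    argparser.add_argument("inputs",
                           nargs="*",
                           help="Sigma input files ('-' for stdin)")

    return argparser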