def get_sigma_config_file():
"""Get a sigma.configuration.SigmaConfiguration object.
Returns:
A sigma.configuration.SigmaConfiguration object
Raises:
ValueError: If SIGMA_CONFIG is not found in the config file.
or the Sigma config file is not readabale.
"""
config_file = current_app.config.get('SIGMA_CONFIG')
if not config_file:
raise ValueError(
'SIGMA_CONFIG not found in config file')
if not os.path.isfile(config_file):
raise ValueError(
'Unable to open file: [{0:s}], it does not exist.'.format(
config_file))
if not os.access(config_file, os.R_OK):
raise ValueError(
'Unable to open file: [{0:s}], cannot open it for '
'read, please check permissions.'.format(config_file))
with open(config_file, 'r') as config_file:
sigma_config_file = config_file.read()
sigma_config = sigma_configuration.SigmaConfiguration(sigma_config_file)
return sigma_config
def run_verifier(rules_path, config_file_path):
"""Run an sigma parsing test on a dir and returns results from the run.
Args:
rules_path: the path to the rules.
config_file_path: the path to a config file that contains mapping data.
Raises:
IOError: if the path to either test or analyzer file does not exist
or if the analyzer module or class cannot be loaded.
Returns:
a tuple of lists:
- sigma_verified_rules with rules that can be added
- sigma_rules_with_problems with rules that should not be added
"""
if not os.path.isdir(rules_path):
raise IOError('Rules not found at path: {0:s}'.format(rules_path))
if not os.path.isfile(config_file_path):
raise IOError('Config file path not found at path: {0:s}'.format(
config_file_path))
sigma_config_path = config_file_path
with open(sigma_config_path, 'r') as sigma_config_file:
sigma_config_con = sigma_config_file.read()
sigma_config = sigma_configuration.SigmaConfiguration(sigma_config_con)
backend = sigma_elasticsearch.ElasticsearchQuerystringBackend(
sigma_config, {})
return_verified_rules = []
return_rules_with_problems = []
for dirpath, dirnames, files in os.walk(rules_path):
if 'deprecated' in [x.lower() for x in dirnames]:
dirnames.remove('deprecated')
logger.info('deprecated in folder / filename found - ignored')
for rule_filename in files:
if not rule_filename.lower().endswith(RULE_EXTENSIONS):
continue
# If a sub dir is found, skip it
if os.path.isdir(os.path.join(rules_path, rule_filename)):
logger.debug(
'Directory found, skipping: {0:s}'.format(rule_filename))
continue
rule_file_path = os.path.join(dirpath, rule_filename)
rule_file_path = os.path.abspath(rule_file_path)
if verify_rules_file(rule_file_path, sigma_config, backend):
return_verified_rules.append(rule_file_path)
else:
logger.info('File did not work{0:s}'.format(rule_file_path))
return_rules_with_problems.append(rule_file_path)
return return_verified_rules, return_rules_with_problems
def __init__(self, index_name, sketch_id):
"""Initialize the Index Analyzer.
Args:
index_name: Elasticsearch index name.
sketch_id: Sketch ID.
"""
super(SigmaPlugin, self).__init__(index_name, sketch_id)
sigma_config_path = interface.get_config_path(self._CONFIG_FILE)
logger.debug('[sigma] Loading config from {0!s}'.format(
sigma_config_path))
with open(sigma_config_path, 'r') as sigma_config_file:
sigma_config = sigma_config_file.read()
self.sigma_config = sigma_configuration.SigmaConfiguration(sigma_config)
def get_sigma_config_file(config_file=None):
"""Get a sigma.configuration.SigmaConfiguration object.
Args:
config_file: Optional path to a config file
Returns:
A sigma.configuration.SigmaConfiguration object
Raises:
ValueError: If SIGMA_CONFIG is not found in the config file.
or the Sigma config file is not readabale.
SigmaConfigParseError: If config file could not be parsed.
"""
if config_file:
config_file_path = config_file
else:
config_file_path = current_app.config.get(
"SIGMA_CONFIG", "./data/sigma_config.yaml"
)
if not config_file_path:
raise ValueError("No config_file_path set via param or config file")
if not os.path.isfile(config_file_path):
raise ValueError(
"Unable to open: [{0:s}], does not exist.".format(config_file_path)
)
if not os.access(config_file_path, os.R_OK):
raise ValueError(
"Unable to open file: [{0:s}], cannot open it for "
"read, please check permissions.".format(config_file_path)
)
with open(config_file_path, "r", encoding="utf-8") as config_file_read:
sigma_config_file = config_file_read.read()
try:
sigma_config = sigma_configuration.SigmaConfiguration(
sigma_config_file
)
except SigmaConfigParseError:
logger.error("Parsing error with {0:s}".format(sigma_config_file))
raise
return sigma_config
