def test_get_sigma_rule(self):
"""Test getting sigma rule from file"""
filepath = "./data/sigma/rules/lnx_susp_zmap.yml"
rule = sigma_util.get_sigma_rule(filepath)
self.assertIsNotNone(rule)
self.assertIn("zmap", rule.get("es_query"))
self.assertIn("b793", rule.get("id"))
# temp write a file with content
with open("./data/sigma/rules/temporary.yml", "w+",
encoding='utf-8') as f:
f.write(SIGMA_MOCK_RULE_TEST4)
self.assertNotEqual(0, os.stat(f.name).st_size)
self.assertIsNotNone(f)
rule_by_file = sigma_util.get_sigma_rule(f.name)
# Test that rule from file equals rule from text
rule_by_text = sigma_util.get_sigma_rule_by_text(SIGMA_MOCK_RULE_TEST4)
self.assertEqual(rule_by_file.get('id'), rule_by_text.get('id'))
self.assertEqual(rule_by_file.get('es_query'),
rule_by_text.get('es_query'))
# clean up
os.remove(f.name)
def test_get_sigma_rule(self):
"""Test getting sigma rule from file"""
filepath = './data/sigma/rules/lnx_susp_zenmap.yml'
rule = sigma_util.get_sigma_rule(filepath)
self.assertIsNotNone(rule)
self.assertIn('zmap', rule.get('es_query'))
self.assertIn('b793', rule.get('id'))
def run_verifier(rules_path, config_file_path):
"""Run an sigma parsing test on a dir and returns results from the run.
Args:
rules_path: the path to the rules.
config_file_path: the path to a config file that contains mapping data.
Raises:
IOError: if the path to either test or analyzer file does not exist
or if the analyzer module or class cannot be loaded.
Returns:
a tuple of lists:
- sigma_verified_rules with rules that can be added
- sigma_rules_with_problems with rules that should not be added
"""
if not config_file_path:
raise IOError('No config_file_path given')
if not os.path.isdir(rules_path):
raise IOError('Rules not found at path: {0:s}'.format(rules_path))
if not os.path.isfile(config_file_path):
raise IOError('Config file path not found at path: {0:s}'.format(
config_file_path))
sigma_config = sigma_util.get_sigma_config_file(
config_file=config_file_path)
return_verified_rules = []
return_rules_with_problems = []
for dirpath, dirnames, files in os.walk(rules_path):
if 'deprecated' in [x.lower() for x in dirnames]:
dirnames.remove('deprecated')
for rule_filename in files:
if rule_filename.lower().endswith('.yml'):
# if a sub dir is found, do not try to parse it.
if os.path.isdir(os.path.join(dirpath, rule_filename)):
continue
rule_file_path = os.path.join(dirpath, rule_filename)
parsed_rule = sigma_util.get_sigma_rule(
rule_file_path, sigma_config)
if parsed_rule:
return_verified_rules.append(rule_file_path)
else:
return_rules_with_problems.append(rule_file_path)
return return_verified_rules, return_rules_with_problems
def run_verifier(rules_path, config_file_path, rule_status_path=None):
"""Run an sigma parsing test on a dir and returns results from the run.
Args:
rules_path (str): Path to the Sigma rules.
config_file_path (str): Path to a config file with Sigma mapping data.
rule_status_path (str): Optional path to a status file.
The default value is none.
Raises:
IOError: if the path to either test or analyzer file does not exist
or if the analyzer module or class cannot be loaded.
Returns:
a tuple of lists:
- sigma_verified_rules with rules that can be added
- sigma_rules_with_problems with rules that should not be added
"""
if not config_file_path:
raise IOError("No config_file_path given")
if not os.path.isdir(rules_path):
raise IOError("Rules not found at path: {0:s}".format(rules_path))
if not os.path.isfile(config_file_path):
raise IOError("Config file path not found at path: {0:s}".format(
config_file_path))
sigma_config = sigma_util.get_sigma_config_file(
config_file=config_file_path)
return_verified_rules = []
return_rules_with_problems = []
ignore = get_sigma_rule_status(rule_status_path)
ignore_list = list(ignore["path"].unique())
for dirpath, dirnames, files in os.walk(rules_path):
if "deprecated" in [x.lower() for x in dirnames]:
dirnames.remove("deprecated")
for rule_filename in files:
if rule_filename.lower().endswith(".yml"):
# if a sub dir is found, do not try to parse it.
if os.path.isdir(os.path.join(dirpath, rule_filename)):
continue
rule_file_path = os.path.join(dirpath, rule_filename)
block_because_csv = False
if any(x in rule_file_path for x in ignore_list):
return_rules_with_problems.append(rule_file_path)
block_because_csv = True
if block_because_csv:
continue
try:
parsed_rule = sigma_util.get_sigma_rule(
rule_file_path, sigma_config)
print(parsed_rule)
# This except is to keep the unknown exceptions
# this function is made to catch them and document
# them the broad exception is needed
except Exception: # pylint: disable=broad-except
logger.debug("Rule parsing error", exc_info=True)
return_rules_with_problems.append(rule_file_path)
if parsed_rule:
return_verified_rules.append(rule_file_path)
else:
return_rules_with_problems.append(rule_file_path)
return return_verified_rules, return_rules_with_problems