def test_get_sigma_rule(self): """Test getting sigma rule from file""" filepath = "./data/sigma/rules/lnx_susp_zmap.yml" rule = sigma_util.get_sigma_rule(filepath) self.assertIsNotNone(rule) self.assertIn("zmap", rule.get("es_query")) self.assertIn("b793", rule.get("id")) # temp write a file with content with open("./data/sigma/rules/temporary.yml", "w+", encoding='utf-8') as f: f.write(SIGMA_MOCK_RULE_TEST4) self.assertNotEqual(0, os.stat(f.name).st_size) self.assertIsNotNone(f) rule_by_file = sigma_util.get_sigma_rule(f.name) # Test that rule from file equals rule from text rule_by_text = sigma_util.get_sigma_rule_by_text(SIGMA_MOCK_RULE_TEST4) self.assertEqual(rule_by_file.get('id'), rule_by_text.get('id')) self.assertEqual(rule_by_file.get('es_query'), rule_by_text.get('es_query')) # clean up os.remove(f.name)
def test_get_sigma_rule(self): """Test getting sigma rule from file""" filepath = './data/sigma/rules/lnx_susp_zenmap.yml' rule = sigma_util.get_sigma_rule(filepath) self.assertIsNotNone(rule) self.assertIn('zmap', rule.get('es_query')) self.assertIn('b793', rule.get('id'))
def run_verifier(rules_path, config_file_path): """Run an sigma parsing test on a dir and returns results from the run. Args: rules_path: the path to the rules. config_file_path: the path to a config file that contains mapping data. Raises: IOError: if the path to either test or analyzer file does not exist or if the analyzer module or class cannot be loaded. Returns: a tuple of lists: - sigma_verified_rules with rules that can be added - sigma_rules_with_problems with rules that should not be added """ if not config_file_path: raise IOError('No config_file_path given') if not os.path.isdir(rules_path): raise IOError('Rules not found at path: {0:s}'.format(rules_path)) if not os.path.isfile(config_file_path): raise IOError('Config file path not found at path: {0:s}'.format( config_file_path)) sigma_config = sigma_util.get_sigma_config_file( config_file=config_file_path) return_verified_rules = [] return_rules_with_problems = [] for dirpath, dirnames, files in os.walk(rules_path): if 'deprecated' in [x.lower() for x in dirnames]: dirnames.remove('deprecated') for rule_filename in files: if rule_filename.lower().endswith('.yml'): # if a sub dir is found, do not try to parse it. if os.path.isdir(os.path.join(dirpath, rule_filename)): continue rule_file_path = os.path.join(dirpath, rule_filename) parsed_rule = sigma_util.get_sigma_rule( rule_file_path, sigma_config) if parsed_rule: return_verified_rules.append(rule_file_path) else: return_rules_with_problems.append(rule_file_path) return return_verified_rules, return_rules_with_problems
def run_verifier(rules_path, config_file_path, rule_status_path=None): """Run an sigma parsing test on a dir and returns results from the run. Args: rules_path (str): Path to the Sigma rules. config_file_path (str): Path to a config file with Sigma mapping data. rule_status_path (str): Optional path to a status file. The default value is none. Raises: IOError: if the path to either test or analyzer file does not exist or if the analyzer module or class cannot be loaded. Returns: a tuple of lists: - sigma_verified_rules with rules that can be added - sigma_rules_with_problems with rules that should not be added """ if not config_file_path: raise IOError("No config_file_path given") if not os.path.isdir(rules_path): raise IOError("Rules not found at path: {0:s}".format(rules_path)) if not os.path.isfile(config_file_path): raise IOError("Config file path not found at path: {0:s}".format( config_file_path)) sigma_config = sigma_util.get_sigma_config_file( config_file=config_file_path) return_verified_rules = [] return_rules_with_problems = [] ignore = get_sigma_rule_status(rule_status_path) ignore_list = list(ignore["path"].unique()) for dirpath, dirnames, files in os.walk(rules_path): if "deprecated" in [x.lower() for x in dirnames]: dirnames.remove("deprecated") for rule_filename in files: if rule_filename.lower().endswith(".yml"): # if a sub dir is found, do not try to parse it. if os.path.isdir(os.path.join(dirpath, rule_filename)): continue rule_file_path = os.path.join(dirpath, rule_filename) block_because_csv = False if any(x in rule_file_path for x in ignore_list): return_rules_with_problems.append(rule_file_path) block_because_csv = True if block_because_csv: continue try: parsed_rule = sigma_util.get_sigma_rule( rule_file_path, sigma_config) print(parsed_rule) # This except is to keep the unknown exceptions # this function is made to catch them and document # them the broad exception is needed except Exception: # pylint: disable=broad-except logger.debug("Rule parsing error", exc_info=True) return_rules_with_problems.append(rule_file_path) if parsed_rule: return_verified_rules.append(rule_file_path) else: return_rules_with_problems.append(rule_file_path) return return_verified_rules, return_rules_with_problems