def get_sigma_query_conversion_result(sigma, sigma_venv, sigma_config, sigma_query_format, rule, sigma_extra_parameters):
# if windows, execute these commands
result = query = command = None
try:
# if windows machine
if os.name == 'nt':
logger.info('Windows powershell command shall be executed...')
command = 'powershell -nop -c ". {1}\\Scripts\\activate.ps1; python {0}\\tools\\sigmac -c {2} -t {3} {5} {4};"'.format(sigma, sigma_venv, sigma_config, sigma_query_format, rule, sigma_extra_parameters)
logger.debug(command)
result = subprocess.run(command, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=False)
result_out = result.stdout.decode('utf-8')
result_error = result.stderr.decode('utf-8')
query = result_out.splitlines()[0]
logger.debug(query)
logger.error(result_error)
# if linux machine
else:
logger.info('Linux shell shall be executed...')
command = ". {1}/bin/activate; python {0}/tools/sigmac -c {2} -t {3} {5} {4};".format(sigma, sigma_venv, sigma_config, sigma_query_format, rule, sigma_extra_parameters)
logger.debug('Command:')
logger.debug(command)
process = subprocess.Popen(get_slash_set_path(command), stdout=subprocess.PIPE, shell=True)
proc_stdout = process.communicate()[0].strip().decode('utf-8')
print(proc_stdout)
query = proc_stdout.splitlines()[-1]
logger.info(query)
except Exception as e:
logger.error('Exception {} occurred in get_sigma_query_conversion_result()...'.format(e))
return query
def install_rules(script_dir, credentials, rule_file, logger):
# if windows, execute these commands
curl_path = get_slash_set_path(script_dir + '/helpers/curl/curl.exe')
logger.debug('Script Dir: {}'.format(curl_path))
logger.debug('Rule Output File: {}'.format(rule_file))
result = result_out = None
query = None
# if windows machine
if os.name == 'nt':
command = 'powershell -nop -c \"{} {};\"'.format(curl_path, "-X POST \"{}/api/detection_engine/rules/_import?overwrite=true\" -u '{}:{}' -H 'kbn-xsrf: true' -H 'Content-Type: multipart/form-data' --form 'file=@{}'".format(credentials.get('kibana_url'), credentials.get('kibana_username'), credentials.get('kibana_password'), rule_file))
logger.debug('Command: {}'.format(command))
logger.info('Windows powershell command shall be executed...')
result = subprocess.run(command, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=False)
result_out = json.loads(result.stdout.decode('utf-8'))
result_error = result.stderr.decode('utf-8')
logger.debug(result_out)
logger.error(result_error)
# if linux machine
else:
command = """curl -X POST "{}/api/detection_engine/rules/_import?overwrite=true" -u '{}:{}' -H 'kbn-xsrf: true' -H 'Content-Type: multipart/form-data' --form "file=@{}" """.format(credentials.get('kibana_url'), credentials.get('kibana_username'), credentials.get('kibana_password'), rule_file)
logger.debug('Command: {}'.format(command))
logger.info('Linux shell shall be executed...')
process = subprocess.Popen(command, stdout=subprocess.PIPE, shell=True)
proc_stdout = process.communicate()[0].strip().decode('utf-8')
print(proc_stdout)
result_out = json.loads(proc_stdout)
logger.debug(result_out)
logger.info('Import Successful: {}...'.format(result_out.get('success')))
logger.info('Count Successfully Imported Rules: {}...'.format(result_out.get('success_count')))
logger.info('Import Errors: {}...'.format(result_out.get('errors')))
logger.info('Response Message: {}...'.format(result_out.get('message')))
logger.info('Response status code: {}...'.format(result_out.get('status_code')))
handle_response_errors(result_out.get('status_code'), result_out.get('message'), logger)
return query
def get_notes(notes_folder, config_n, yj_rule_n, logger):
ret = ''
file_name = ''
if type(config_n) == str and config_n != "":
config_n = [config_n]
config_n = [get_slash_set_path(i, logger) for i in config_n]
if type(yj_rule_n) == str and yj_rule_n != "":
yj_rule_n = [yj_rule_n]
yj_rule_n = [get_slash_set_path(i, logger) for i in yj_rule_n]
update_required = False
try:
if (not update_required
) and yj_rule_n and type(yj_rule_n) == list and len(yj_rule_n) > 0:
file_name = yj_rule_n
update_required = True
logger.debug('File name set from rule...')
elif (not update_required
) and config_n and type(config_n) == list and len(config_n) > 0:
file_name = config_n
update_required = True
logger.debug('File name set from config...')
else:
logger.debug('File name not set...')
if update_required:
# add forward/back slash to end of folder name
if notes_folder and len(
notes_folder) > 0 and notes_folder[-1] != get_slashes():
notes_folder += get_slashes()
# remove forward/back slash from start of file name
if file_name and len(file_name) > 0 and type(file_name) == list:
for i in file_name:
if i[0] == get_slashes(): i = i[1:]
with open(get_slash_set_path(notes_folder + i,
logger)) as input_file:
ret += input_file.read()
ret += "\n"
print(ret)
except Exception as e:
logger.error(f'Exception {e} occurred in get_notes()...')
return ret
logger.info(f'get_notes() finished successfully...')
return ret
def get_sigma_query_conversion_result(sigma, sigma_config, sigma_query_format,
rule, sigma_extra_parameters):
# if windows, execute these commands
result = query = command = None
return_status = 0
try:
# if windows machine
if os.name == 'nt':
logger.info('Windows powershell command shall be executed...')
command = 'powershell -nop -c "cd {0};pipenv run python tools\\sigmac -c {1} -t {2} {4} {3};"'.format(
sigma, sigma_config, sigma_query_format, rule,
sigma_extra_parameters)
# command = 'powershell -nop -c "pipenv run python {0}\\tools\\sigmac -c {1} -t {2} {4} {3};"'.format(sigma, sigma_config, sigma_query_format, rule, sigma_extra_parameters)
logger.debug(command)
result = subprocess.run(command,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE,
shell=False)
result_out = result.stdout.decode('utf-8')
result_error = result.stderr.decode('utf-8')
# if error code var is not empty, then set return status to 1
if result.returncode != 0: return_status = 1
query = result_out.splitlines()[0]
logger.debug(query)
if return_status == 1:
logger.error(result_error)
# if linux machine
else:
logger.info('Linux shell shall be executed...')
# command = "pipenv run python {0}/tools/sigmac -c {1} -t {2} {4} {3};".format(sigma, sigma_config, sigma_query_format, rule, sigma_extra_parameters)
command = "cd {0};pipenv run python tools/sigmac -c {1} -t {2} {4} {3};".format(
sigma, sigma_config, sigma_query_format, rule,
sigma_extra_parameters)
logger.debug('Command:')
logger.debug(command)
process = subprocess.Popen(get_slash_set_path(command, logger),
stdout=subprocess.PIPE,
shell=True)
proc_stdout = process.communicate()[0].strip().decode('utf-8')
result_error = process.returncode
# if error code var is not empty, then set return status to 1
if result_error != 0: return_status = 1
logger.info(proc_stdout)
query = proc_stdout.splitlines()[-1]
logger.info(query)
except Exception as e:
logger.error(
'Exception {} occurred in get_sigma_query_conversion_result()...'.
format(e))
return_status = 1
return return_status, query
def check_rules_compliance(rules, return_status):
rules_are_compliant = True
result_out = None
result_error = None
result = None
logger.info('Following command shall be executed...')
# command = 'pipenv run python {2}{0}helpers{0}check_if_compliant.py -p {2}{1}'.format(get_slashes(), rules, os.path.abspath(os.getcwd()))
# command = 'pipenv run python helpers{0}check_if_compliant.py -p {1}'.format(get_slashes(), rules, os.path.abspath(os.getcwd()))
# if windows machine
if os.name == 'nt':
command = 'pipenv run python helpers{0}check_if_compliant.py -p {1}'.format(
get_slashes(), rules, os.path.abspath(os.getcwd()))
logger.debug('Command:')
logger.debug(command)
result = subprocess.run(command,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE,
shell=False)
result_out = result.stdout.decode('utf-8')
result_error = result.stderr.decode('utf-8')
# for i in result_out.splitlines():
# logger.error(i)
# if error code var is not empty, then set return status to 1
# if linux machine
else:
logger.info('Linux shell shall be executed...')
command = 'pipenv run python helpers{0}check_if_compliant.py -p {1}'.format(
get_slashes(), rules, os.path.abspath(os.getcwd()))
logger.debug('Command:')
logger.debug(command)
result = subprocess.Popen(get_slash_set_path(command, logger),
stdout=subprocess.PIPE,
shell=True)
result_out = result.communicate()[0].strip().decode('utf-8')
# result_error = process.returncode
# if error code var is not empty, then set return status to 1
# if result_error != 0: return_status = 1
# print(proc_stdout)
# query = proc_stdout.splitlines()[-1]
# logger.info(query)
for i in result_out.splitlines():
logger.error(i)
if result.returncode != 0:
rules_are_compliant = False
return_status = 1
return return_status, rules_are_compliant
