def test_get_rule_status_file(self):
"""Test getting sigma config file"""
self.assertRaises(ValueError, sigma_util.get_sigma_rule_status_list,
"/foo")
self.assertIsNotNone(sigma_util.get_sigma_config_file())
statuslist = sigma_util.get_sigma_rule_status_list()
# self.assertIn(
# 'exploratory',
# blocklist[
# (
# blocklist['rule_id']
# == 'fdf135a2-9241-4f96-a114-bb404948f736'
# )
# ]['status'].to_string,
# )
self.assertEqual(
'bad',
statuslist[statuslist.values == 'deprecated']['status'].all(),
)
self.assertEqual(
'good',
statuslist[statuslist.values ==
'windows/powershell/powershell_create_local_user.yml']
['status'].all(),
)
self.assertIsNotNone(False)
def run_verifier(rules_path, config_file_path):
"""Run an sigma parsing test on a dir and returns results from the run.
Args:
rules_path: the path to the rules.
config_file_path: the path to a config file that contains mapping data.
Raises:
IOError: if the path to either test or analyzer file does not exist
or if the analyzer module or class cannot be loaded.
Returns:
a tuple of lists:
- sigma_verified_rules with rules that can be added
- sigma_rules_with_problems with rules that should not be added
"""
if not config_file_path:
raise IOError('No config_file_path given')
if not os.path.isdir(rules_path):
raise IOError('Rules not found at path: {0:s}'.format(rules_path))
if not os.path.isfile(config_file_path):
raise IOError('Config file path not found at path: {0:s}'.format(
config_file_path))
sigma_config = sigma_util.get_sigma_config_file(
config_file=config_file_path)
return_verified_rules = []
return_rules_with_problems = []
for dirpath, dirnames, files in os.walk(rules_path):
if 'deprecated' in [x.lower() for x in dirnames]:
dirnames.remove('deprecated')
for rule_filename in files:
if rule_filename.lower().endswith('.yml'):
# if a sub dir is found, do not try to parse it.
if os.path.isdir(os.path.join(dirpath, rule_filename)):
continue
rule_file_path = os.path.join(dirpath, rule_filename)
parsed_rule = sigma_util.get_sigma_rule(
rule_file_path, sigma_config)
if parsed_rule:
return_verified_rules.append(rule_file_path)
else:
return_rules_with_problems.append(rule_file_path)
return return_verified_rules, return_rules_with_problems
def run_verifier(rules_path, config_file_path, rule_status_path=None):
"""Run an sigma parsing test on a dir and returns results from the run.
Args:
rules_path (str): Path to the Sigma rules.
config_file_path (str): Path to a config file with Sigma mapping data.
rule_status_path (str): Optional path to a status file.
The default value is none.
Raises:
IOError: if the path to either test or analyzer file does not exist
or if the analyzer module or class cannot be loaded.
Returns:
a tuple of lists:
- sigma_verified_rules with rules that can be added
- sigma_rules_with_problems with rules that should not be added
"""
if not config_file_path:
raise IOError("No config_file_path given")
if not os.path.isdir(rules_path):
raise IOError("Rules not found at path: {0:s}".format(rules_path))
if not os.path.isfile(config_file_path):
raise IOError("Config file path not found at path: {0:s}".format(
config_file_path))
sigma_config = sigma_util.get_sigma_config_file(
config_file=config_file_path)
return_verified_rules = []
return_rules_with_problems = []
ignore = get_sigma_rule_status(rule_status_path)
ignore_list = list(ignore["path"].unique())
for dirpath, dirnames, files in os.walk(rules_path):
if "deprecated" in [x.lower() for x in dirnames]:
dirnames.remove("deprecated")
for rule_filename in files:
if rule_filename.lower().endswith(".yml"):
# if a sub dir is found, do not try to parse it.
if os.path.isdir(os.path.join(dirpath, rule_filename)):
continue
rule_file_path = os.path.join(dirpath, rule_filename)
block_because_csv = False
if any(x in rule_file_path for x in ignore_list):
return_rules_with_problems.append(rule_file_path)
block_because_csv = True
if block_because_csv:
continue
try:
parsed_rule = sigma_util.get_sigma_rule(
rule_file_path, sigma_config)
print(parsed_rule)
# This except is to keep the unknown exceptions
# this function is made to catch them and document
# them the broad exception is needed
except Exception: # pylint: disable=broad-except
logger.debug("Rule parsing error", exc_info=True)
return_rules_with_problems.append(rule_file_path)
if parsed_rule:
return_verified_rules.append(rule_file_path)
else:
return_rules_with_problems.append(rule_file_path)
return return_verified_rules, return_rules_with_problems
def test_get_sigma_config_file(self):
"""Test getting sigma config file"""
self.assertRaises(ValueError, sigma_util.get_sigma_config_file, '/foo')
self.assertIsNotNone(sigma_util.get_sigma_config_file())
def test_get_sigma_config_file(self):
"""Test getting sigma config file"""
with self.assertRaises(ValueError):
sigma_util.get_sigma_config_file("/foo")
self.assertIsNotNone(sigma_util.get_sigma_config_file())