def get_sigma_query_conversion_result(sigma, sigma_venv, sigma_config, sigma_query_format, rule, sigma_extra_parameters): # if windows, execute these commands result = query = command = None try: # if windows machine if os.name == 'nt': logger.info('Windows powershell command shall be executed...') command = 'powershell -nop -c ". {1}\\Scripts\\activate.ps1; python {0}\\tools\\sigmac -c {2} -t {3} {5} {4};"'.format(sigma, sigma_venv, sigma_config, sigma_query_format, rule, sigma_extra_parameters) logger.debug(command) result = subprocess.run(command, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=False) result_out = result.stdout.decode('utf-8') result_error = result.stderr.decode('utf-8') query = result_out.splitlines()[0] logger.debug(query) logger.error(result_error) # if linux machine else: logger.info('Linux shell shall be executed...') command = ". {1}/bin/activate; python {0}/tools/sigmac -c {2} -t {3} {5} {4};".format(sigma, sigma_venv, sigma_config, sigma_query_format, rule, sigma_extra_parameters) logger.debug('Command:') logger.debug(command) process = subprocess.Popen(get_slash_set_path(command), stdout=subprocess.PIPE, shell=True) proc_stdout = process.communicate()[0].strip().decode('utf-8') print(proc_stdout) query = proc_stdout.splitlines()[-1] logger.info(query) except Exception as e: logger.error('Exception {} occurred in get_sigma_query_conversion_result()...'.format(e)) return query
def install_rules(script_dir, credentials, rule_file, logger): # if windows, execute these commands curl_path = get_slash_set_path(script_dir + '/helpers/curl/curl.exe') logger.debug('Script Dir: {}'.format(curl_path)) logger.debug('Rule Output File: {}'.format(rule_file)) result = result_out = None query = None # if windows machine if os.name == 'nt': command = 'powershell -nop -c \"{} {};\"'.format(curl_path, "-X POST \"{}/api/detection_engine/rules/_import?overwrite=true\" -u '{}:{}' -H 'kbn-xsrf: true' -H 'Content-Type: multipart/form-data' --form 'file=@{}'".format(credentials.get('kibana_url'), credentials.get('kibana_username'), credentials.get('kibana_password'), rule_file)) logger.debug('Command: {}'.format(command)) logger.info('Windows powershell command shall be executed...') result = subprocess.run(command, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=False) result_out = json.loads(result.stdout.decode('utf-8')) result_error = result.stderr.decode('utf-8') logger.debug(result_out) logger.error(result_error) # if linux machine else: command = """curl -X POST "{}/api/detection_engine/rules/_import?overwrite=true" -u '{}:{}' -H 'kbn-xsrf: true' -H 'Content-Type: multipart/form-data' --form "file=@{}" """.format(credentials.get('kibana_url'), credentials.get('kibana_username'), credentials.get('kibana_password'), rule_file) logger.debug('Command: {}'.format(command)) logger.info('Linux shell shall be executed...') process = subprocess.Popen(command, stdout=subprocess.PIPE, shell=True) proc_stdout = process.communicate()[0].strip().decode('utf-8') print(proc_stdout) result_out = json.loads(proc_stdout) logger.debug(result_out) logger.info('Import Successful: {}...'.format(result_out.get('success'))) logger.info('Count Successfully Imported Rules: {}...'.format(result_out.get('success_count'))) logger.info('Import Errors: {}...'.format(result_out.get('errors'))) logger.info('Response Message: {}...'.format(result_out.get('message'))) logger.info('Response status code: {}...'.format(result_out.get('status_code'))) handle_response_errors(result_out.get('status_code'), result_out.get('message'), logger) return query
def get_notes(notes_folder, config_n, yj_rule_n, logger): ret = '' file_name = '' if type(config_n) == str and config_n != "": config_n = [config_n] config_n = [get_slash_set_path(i, logger) for i in config_n] if type(yj_rule_n) == str and yj_rule_n != "": yj_rule_n = [yj_rule_n] yj_rule_n = [get_slash_set_path(i, logger) for i in yj_rule_n] update_required = False try: if (not update_required ) and yj_rule_n and type(yj_rule_n) == list and len(yj_rule_n) > 0: file_name = yj_rule_n update_required = True logger.debug('File name set from rule...') elif (not update_required ) and config_n and type(config_n) == list and len(config_n) > 0: file_name = config_n update_required = True logger.debug('File name set from config...') else: logger.debug('File name not set...') if update_required: # add forward/back slash to end of folder name if notes_folder and len( notes_folder) > 0 and notes_folder[-1] != get_slashes(): notes_folder += get_slashes() # remove forward/back slash from start of file name if file_name and len(file_name) > 0 and type(file_name) == list: for i in file_name: if i[0] == get_slashes(): i = i[1:] with open(get_slash_set_path(notes_folder + i, logger)) as input_file: ret += input_file.read() ret += "\n" print(ret) except Exception as e: logger.error(f'Exception {e} occurred in get_notes()...') return ret logger.info(f'get_notes() finished successfully...') return ret
def get_sigma_query_conversion_result(sigma, sigma_config, sigma_query_format, rule, sigma_extra_parameters): # if windows, execute these commands result = query = command = None return_status = 0 try: # if windows machine if os.name == 'nt': logger.info('Windows powershell command shall be executed...') command = 'powershell -nop -c "cd {0};pipenv run python tools\\sigmac -c {1} -t {2} {4} {3};"'.format( sigma, sigma_config, sigma_query_format, rule, sigma_extra_parameters) # command = 'powershell -nop -c "pipenv run python {0}\\tools\\sigmac -c {1} -t {2} {4} {3};"'.format(sigma, sigma_config, sigma_query_format, rule, sigma_extra_parameters) logger.debug(command) result = subprocess.run(command, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=False) result_out = result.stdout.decode('utf-8') result_error = result.stderr.decode('utf-8') # if error code var is not empty, then set return status to 1 if result.returncode != 0: return_status = 1 query = result_out.splitlines()[0] logger.debug(query) if return_status == 1: logger.error(result_error) # if linux machine else: logger.info('Linux shell shall be executed...') # command = "pipenv run python {0}/tools/sigmac -c {1} -t {2} {4} {3};".format(sigma, sigma_config, sigma_query_format, rule, sigma_extra_parameters) command = "cd {0};pipenv run python tools/sigmac -c {1} -t {2} {4} {3};".format( sigma, sigma_config, sigma_query_format, rule, sigma_extra_parameters) logger.debug('Command:') logger.debug(command) process = subprocess.Popen(get_slash_set_path(command, logger), stdout=subprocess.PIPE, shell=True) proc_stdout = process.communicate()[0].strip().decode('utf-8') result_error = process.returncode # if error code var is not empty, then set return status to 1 if result_error != 0: return_status = 1 logger.info(proc_stdout) query = proc_stdout.splitlines()[-1] logger.info(query) except Exception as e: logger.error( 'Exception {} occurred in get_sigma_query_conversion_result()...'. format(e)) return_status = 1 return return_status, query
def check_rules_compliance(rules, return_status): rules_are_compliant = True result_out = None result_error = None result = None logger.info('Following command shall be executed...') # command = 'pipenv run python {2}{0}helpers{0}check_if_compliant.py -p {2}{1}'.format(get_slashes(), rules, os.path.abspath(os.getcwd())) # command = 'pipenv run python helpers{0}check_if_compliant.py -p {1}'.format(get_slashes(), rules, os.path.abspath(os.getcwd())) # if windows machine if os.name == 'nt': command = 'pipenv run python helpers{0}check_if_compliant.py -p {1}'.format( get_slashes(), rules, os.path.abspath(os.getcwd())) logger.debug('Command:') logger.debug(command) result = subprocess.run(command, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=False) result_out = result.stdout.decode('utf-8') result_error = result.stderr.decode('utf-8') # for i in result_out.splitlines(): # logger.error(i) # if error code var is not empty, then set return status to 1 # if linux machine else: logger.info('Linux shell shall be executed...') command = 'pipenv run python helpers{0}check_if_compliant.py -p {1}'.format( get_slashes(), rules, os.path.abspath(os.getcwd())) logger.debug('Command:') logger.debug(command) result = subprocess.Popen(get_slash_set_path(command, logger), stdout=subprocess.PIPE, shell=True) result_out = result.communicate()[0].strip().decode('utf-8') # result_error = process.returncode # if error code var is not empty, then set return status to 1 # if result_error != 0: return_status = 1 # print(proc_stdout) # query = proc_stdout.splitlines()[-1] # logger.info(query) for i in result_out.splitlines(): logger.error(i) if result.returncode != 0: rules_are_compliant = False return_status = 1 return return_status, rules_are_compliant