def get_sigma_config_file(): """Get a sigma.configuration.SigmaConfiguration object. Returns: A sigma.configuration.SigmaConfiguration object Raises: ValueError: If SIGMA_CONFIG is not found in the config file. or the Sigma config file is not readabale. """ config_file = current_app.config.get('SIGMA_CONFIG') if not config_file: raise ValueError( 'SIGMA_CONFIG not found in config file') if not os.path.isfile(config_file): raise ValueError( 'Unable to open file: [{0:s}], it does not exist.'.format( config_file)) if not os.access(config_file, os.R_OK): raise ValueError( 'Unable to open file: [{0:s}], cannot open it for ' 'read, please check permissions.'.format(config_file)) with open(config_file, 'r') as config_file: sigma_config_file = config_file.read() sigma_config = sigma_configuration.SigmaConfiguration(sigma_config_file) return sigma_config
def run_verifier(rules_path, config_file_path): """Run an sigma parsing test on a dir and returns results from the run. Args: rules_path: the path to the rules. config_file_path: the path to a config file that contains mapping data. Raises: IOError: if the path to either test or analyzer file does not exist or if the analyzer module or class cannot be loaded. Returns: a tuple of lists: - sigma_verified_rules with rules that can be added - sigma_rules_with_problems with rules that should not be added """ if not os.path.isdir(rules_path): raise IOError('Rules not found at path: {0:s}'.format(rules_path)) if not os.path.isfile(config_file_path): raise IOError('Config file path not found at path: {0:s}'.format( config_file_path)) sigma_config_path = config_file_path with open(sigma_config_path, 'r') as sigma_config_file: sigma_config_con = sigma_config_file.read() sigma_config = sigma_configuration.SigmaConfiguration(sigma_config_con) backend = sigma_elasticsearch.ElasticsearchQuerystringBackend( sigma_config, {}) return_verified_rules = [] return_rules_with_problems = [] for dirpath, dirnames, files in os.walk(rules_path): if 'deprecated' in [x.lower() for x in dirnames]: dirnames.remove('deprecated') logger.info('deprecated in folder / filename found - ignored') for rule_filename in files: if not rule_filename.lower().endswith(RULE_EXTENSIONS): continue # If a sub dir is found, skip it if os.path.isdir(os.path.join(rules_path, rule_filename)): logger.debug( 'Directory found, skipping: {0:s}'.format(rule_filename)) continue rule_file_path = os.path.join(dirpath, rule_filename) rule_file_path = os.path.abspath(rule_file_path) if verify_rules_file(rule_file_path, sigma_config, backend): return_verified_rules.append(rule_file_path) else: logger.info('File did not work{0:s}'.format(rule_file_path)) return_rules_with_problems.append(rule_file_path) return return_verified_rules, return_rules_with_problems
def __init__(self, index_name, sketch_id): """Initialize the Index Analyzer. Args: index_name: Elasticsearch index name. sketch_id: Sketch ID. """ super(SigmaPlugin, self).__init__(index_name, sketch_id) sigma_config_path = interface.get_config_path(self._CONFIG_FILE) logger.debug('[sigma] Loading config from {0!s}'.format( sigma_config_path)) with open(sigma_config_path, 'r') as sigma_config_file: sigma_config = sigma_config_file.read() self.sigma_config = sigma_configuration.SigmaConfiguration(sigma_config)
def get_sigma_config_file(config_file=None): """Get a sigma.configuration.SigmaConfiguration object. Args: config_file: Optional path to a config file Returns: A sigma.configuration.SigmaConfiguration object Raises: ValueError: If SIGMA_CONFIG is not found in the config file. or the Sigma config file is not readabale. SigmaConfigParseError: If config file could not be parsed. """ if config_file: config_file_path = config_file else: config_file_path = current_app.config.get( "SIGMA_CONFIG", "./data/sigma_config.yaml" ) if not config_file_path: raise ValueError("No config_file_path set via param or config file") if not os.path.isfile(config_file_path): raise ValueError( "Unable to open: [{0:s}], does not exist.".format(config_file_path) ) if not os.access(config_file_path, os.R_OK): raise ValueError( "Unable to open file: [{0:s}], cannot open it for " "read, please check permissions.".format(config_file_path) ) with open(config_file_path, "r", encoding="utf-8") as config_file_read: sigma_config_file = config_file_read.read() try: sigma_config = sigma_configuration.SigmaConfiguration( sigma_config_file ) except SigmaConfigParseError: logger.error("Parsing error with {0:s}".format(sigma_config_file)) raise return sigma_config