NotificationsYou must be signed in to change notification settings
Fork33
Star165

Commitc6cbbe7

authored

Merge pull request#6 from UncoderIO/logsource-and-value-parsing-fixes

elastic and opensearch regex fixes, sigma source mapping fix

2 parents06c84ff +ecf3fdf commitc6cbbe7Copy full SHA for c6cbbe7

File tree

5 files changed

+21

-12

lines changed

siem-converter/app/converter/backends
- elasticsearch
  - parsers
    - elasticsearch.py
  - tokenizer.py
- opensearch
  - parsers
    - opensearch.py
  - tokenizer.py
- sigma/renders
  - sigma.py

5 files changed

+21

-12

lines changed

`‎siem-converter/app/converter/backends/elasticsearch/parsers/elasticsearch.py‎`

Lines changed: 3 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -32,15 +32,16 @@ class ElasticSearchParser(Parser):`
`32`	`32`	`mappings:ElasticSearchMappings=elasticsearch_mappings`
`33`	`33`	`tokenizer=ElasticSearchTokenizer()`
`34`	`34`
`35`		`-log_source_pattern=r"___source_type___\s(:\|=)\s(?:\"?(?P<d_q_value>[%a-zA-Z_:0-9\-/]+)\"\|(?P<value>[%a-zA-Z_:0-9\-/]+))(?:\s+(?:and\|or)\s+\|\s+)?"`
	`35`	`+log_source_pattern=r"___source_type___\s(?:[:=])\s(?:\"?(?P<d_q_value>[%a-zA-Z_:0-9\-/]+)\"\|(?P<value>[%a-zA-Z_:0-9\-/]+))(?:\s+(?:and\|or)\s+\|\s+)?"`
`36`	`36`	`log_source_key_types= ("index","event\.category")`
`37`	`37`
`38`	`38`	`def_parse_log_sources(self,query:str)->Tuple[str,Dict[str,List[str]]]:`
`39`	`39`	`log_sources= {}`
`40`	`40`	`forsource_typeinself.log_source_key_types:`
`41`	`41`	`pattern=self.log_source_pattern.replace('___source_type___',source_type)`
`42`	`42`	`whilesearch:=re.search(pattern,query,flags=re.IGNORECASE):`
`43`		`-value=search.group(1)`
	`43`	`+group_dict=search.groupdict()`
	`44`	`+value=group_dict.get("d_q_value")orgroup_dict.get("value")`
`44`	`45`	`log_sources.setdefault(source_type, []).append(value)`
`45`	`46`	`pos_start=search.start()`
`46`	`47`	`pos_end=search.end()`

`‎siem-converter/app/converter/backends/elasticsearch/tokenizer.py‎`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -32,13 +32,13 @@ class ElasticSearchTokenizer(QueryTokenizer):`
`32`	`32`	`match_operator_pattern=r"(?:___field___\s(?P<match_operator>:))\s"`
`33`	`33`
`34`	`34`	`num_value_pattern=r"(?P<num_value>\d+(?:\.\d+))\s"`
`35`		`-double_quotes_value_pattern=r'"(?P<d_q_value>(?:[:a-zA-Z\0-9=+%#\-_/,\'\.$&^@!\{\}\s]\|\\\"\|\\)+)"\s'`
	`35`	`+double_quotes_value_pattern=r'"(?P<d_q_value>(?:[:a-zA-Z\0-9=+%#\-_/,\'\.$&^@!\{\}\s]\|\\\"\|\\))"\s*'`
`36`	`36`	`no_quotes_value_pattern=r"(?P<n_q_value>(?:[a-zA-Z\0-9=%#_/,\'\.$@]\|\\\"\|\\\\)+)\s"`
`37`	`37`	`re_value_pattern=r"/(?P<re_value>[:a-zA-Z\0-9=+%#\\\-_\,\"\'\.$&^@!\{\}\[\]\s?]+)/\s"`
`38`	`38`	`_value_pattern=fr"{num_value_pattern}\|{re_value_pattern}\|{no_quotes_value_pattern}\|{double_quotes_value_pattern}"`
`39`	`39`	`keyword_pattern=r"(?P<n_q_value>(?:[a-zA-Z\*0-9=%#_/,\'\.$@]\|\\\"\|\\$\|\\$\|\\\[\|\\\]\|\\\{\|\\\}\|\\\:\|\\)+)(?:\s+\|\)\|$)"`
`40`	`40`
`41`		`-multi_value_pattern=r"""$(?P<value>[:a-zA-Z\"\0-9=+%#\-_\/\\'\,.&^@!\(\[\]\s])$"""`
	`41`	`+multi_value_pattern=r"""$(?P<value>[:a-zA-Z\"\*0-9=+%#\-_\/\\'\,.&^@!\(\[\]\s]+)$"""`
`42`	`42`	`multi_value_check_pattern=r"___field___\s___operator___\s\("`
`43`	`43`
`44`	`44`	`wildcard_symbol="*"`

`‎siem-converter/app/converter/backends/opensearch/parsers/opensearch.py‎`

Lines changed: 3 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -32,15 +32,16 @@ class OpenSearchParser(Parser):`
`32`	`32`	`mappings:OpenSearchMappings=opensearch_mappings`
`33`	`33`	`tokenizer=OpenSearchTokenizer()`
`34`	`34`
`35`		`-log_source_pattern=r"___source_type___\s(:\|=)\s(?:\"?(?P<d_q_value>[%a-zA-Z_:0-9\-/]+)\"\|(?P<value>[%a-zA-Z_:0-9\-/]+))(?:\s+(?:and\|or)\s+\|\s+)?"`
	`35`	`+log_source_pattern=r"___source_type___\s(?:[:=])\s(?:\"?(?P<d_q_value>[%a-zA-Z_:0-9\-/]+)\"\|(?P<value>[%a-zA-Z_:0-9\-/]+))(?:\s+(?:and\|or)\s+\|\s+)?"`
`36`	`36`	`log_source_key_types= ("index","event\.category")`
`37`	`37`
`38`	`38`	`def_parse_log_sources(self,query:str)->Tuple[str,Dict[str,List[str]]]:`
`39`	`39`	`log_sources= {}`
`40`	`40`	`forsource_typeinself.log_source_key_types:`
`41`	`41`	`pattern=self.log_source_pattern.replace('___source_type___',source_type)`
`42`	`42`	`whilesearch:=re.search(pattern,query,flags=re.IGNORECASE):`
`43`		`-value=search.group(1)`
	`43`	`+group_dict=search.groupdict()`
	`44`	`+value=group_dict.get("d_q_value")orgroup_dict.get("value")`
`44`	`45`	`log_sources.setdefault(source_type, []).append(value)`
`45`	`46`	`pos_start=search.start()`
`46`	`47`	`pos_end=search.end()`

`‎siem-converter/app/converter/backends/opensearch/tokenizer.py‎`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -32,13 +32,13 @@ class OpenSearchTokenizer(QueryTokenizer):`
`32`	`32`	`match_operator_pattern=r"(?:___field___\s(?P<match_operator>:))\s"`
`33`	`33`
`34`	`34`	`num_value_pattern=r"(?P<num_value>\d+(?:\.\d+))\s"`
`35`		`-double_quotes_value_pattern=r'"(?P<d_q_value>(?:[:a-zA-Z\0-9=+%#\-_/,\'\.$&^@!\{\}\s]\|\\\"\|\\)+)"\s'`
	`35`	`+double_quotes_value_pattern=r'"(?P<d_q_value>(?:[:a-zA-Z\0-9=+%#\-_/,\'\.$&^@!\{\}\s]\|\\\"\|\\))"\s*'`
`36`	`36`	`no_quotes_value_pattern=r"(?P<n_q_value>(?:[a-zA-Z\0-9=%#_/,\'\.$@]\|\\\"\|\\\\)+)\s"`
`37`	`37`	`re_value_pattern=r"/(?P<re_value>[:a-zA-Z\0-9=+%#\\\-_\,\"\'\.$&^@!\{\}\[\]\s?]+)/\s"`
`38`	`38`	`_value_pattern=fr"{num_value_pattern}\|{re_value_pattern}\|{no_quotes_value_pattern}\|{double_quotes_value_pattern}"`
`39`	`39`	`keyword_pattern=r"(?P<n_q_value>(?:[a-zA-Z\*0-9=%#_/,\'\.$@]\|\\\"\|\\$\|\\$\|\\\[\|\\\]\|\\\{\|\\\}\|\\\:\|\\)+)(?:\s+\|\)\|$)"`
`40`	`40`
`41`		`-multi_value_pattern=r"""$(?P<value>[:a-zA-Z\"\0-9=+%#\-_\/\\'\,.&^@!\(\[\]\s])$"""`
	`41`	`+multi_value_pattern=r"""$(?P<value>[:a-zA-Z\"\*0-9=+%#\-_\/\\'\,.&^@!\(\[\]\s]+)$"""`
`42`	`42`	`multi_value_check_pattern=r"___field___\s___operator___\s\("`
`43`	`43`
`44`	`44`	`wildcard_symbol="*"`

`‎siem-converter/app/converter/backends/sigma/renders/sigma.py‎`

Lines changed: 11 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -17,15 +17,15 @@`
`17`	`17`	`"""`
`18`	`18`
`19`	`19`	`importcopy`
`20`		`-fromtypingimportAny`
	`20`	`+fromtypingimportAny,List`
`21`	`21`
`22`	`22`	`importyaml`
`23`	`23`
`24`	`24`	`fromapp.converter.backends.sigma.constimportSIGMA_RULE_DETAILS`
`25`	`25`	`fromapp.converter.backends.sigma.mappingimportSigmaMappings,sigma_mappings,SigmaLogSourceSignature`
`26`	`26`	`fromapp.converter.core.compilerimportDataStructureCompiler`
`27`	`27`	`fromapp.converter.core.exceptions.coreimportStrictPlatformFieldException`
`28`		`-fromapp.converter.core.mappingimportSourceMapping`
	`28`	`+fromapp.converter.core.mappingimportSourceMapping,DEFAULT_MAPPING_NAME`
`29`	`29`	`fromapp.converter.core.models.fieldimportField,Keyword`
`30`	`30`	`fromapp.converter.core.models.functions.typesimportParsedFunctions`
`31`	`31`	`fromapp.converter.core.models.groupimportGroup`
`@@ -229,11 +229,18 @@ def generate_detection(self, data: Any, source_mapping: SourceMapping) -> dict:`
`229`	`229`	`self.reset_counters()`
`230`	`230`
`231`	`231`	`returndetection`
	`232`	`+`
	`233`	`+def__get_source_mapping(self,source_mapping_ids:List[str])->SourceMapping:`
	`234`	`+forsource_mapping_idinsource_mapping_ids:`
	`235`	`+ifsource_mapping:=self.mappings.get_source_mapping(source_mapping_id):`
	`236`	`+returnsource_mapping`
	`237`	`+`
	`238`	`+returnself.mappings.get_source_mapping(DEFAULT_MAPPING_NAME)`
`232`	`239`
`233`	`240`	`defgenerate(self,query,meta_info:MetaInfoContainer,functions:ParsedFunctions):`
`234`	`241`	`self.reset_counters()`
`235`	`242`
`236`		`-source_mapping=self.mappings.get_source_mapping(meta_info.source_mapping_ids[0])`
	`243`	`+source_mapping=self.__get_source_mapping(meta_info.source_mapping_ids)`
`237`	`244`	`log_source_signature:SigmaLogSourceSignature=source_mapping.log_source_signature`
`238`	`245`	`sigma_condition=copy.deepcopy(query)`
`239`	`246`	`prepared_data_structure=DataStructureCompiler().generate(tokens=sigma_condition)`
`@@ -243,7 +250,7 @@ def generate(self, query, meta_info: MetaInfoContainer, functions: ParsedFunctio`
`243`	`250`	`"id":meta_info.id,`
`244`	`251`	`"description":meta_info.description,`
`245`	`252`	`"status":"experimental",`
`246`		`-"author":"",`
	`253`	`+"author":meta_info.author,`
`247`	`254`	`"references":meta_info.references,`
`248`	`255`	`"tags":meta_info.tags,`
`249`	`256`	`"logsource":log_source_signature.log_sources,`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitc6cbbe7

File tree

5 files changed

5 files changed

`‎siem-converter/app/converter/backends/elasticsearch/parsers/elasticsearch.py‎`

`‎siem-converter/app/converter/backends/elasticsearch/tokenizer.py‎`

`‎siem-converter/app/converter/backends/opensearch/parsers/opensearch.py‎`

`‎siem-converter/app/converter/backends/opensearch/tokenizer.py‎`

`‎siem-converter/app/converter/backends/sigma/renders/sigma.py‎`

0 commit comments