From 9941a5dc907e6e519d2e1abec5ae8c46a2da68d9 Mon Sep 17 00:00:00 2001
From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com>
Date: Thu, 9 Dec 2021 09:28:54 +0900
Subject: [PATCH] Update sigmac tool readme and ruletype name (#267)

---
 tools/sigmac/README-English.md | 5 ++---
 tools/sigmac/README-Japanese.md | 2 +-
 tools/sigmac/hayabusa.py | 2 +-
 3 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/tools/sigmac/README-English.md b/tools/sigmac/README-English.md
index 458dc898..869601bd 100644
--- a/tools/sigmac/README-English.md
+++ b/tools/sigmac/README-English.md
@@ -47,8 +47,7 @@ cp splitter.py $sigma_path
 
 ### Convert Rule
 
-Conversion rules can be created by executing `convert.sh`.
-The rules will be created to hayabusa_rules folder.
+`convert.sh` will convert sigma rules to hayabusa rules and save them in a new `hayabusa_rules` folder.
 
 ```sh
 export sigma_path=/path/to/sigma_repository
@@ -71,4 +70,4 @@ sigma/rules/windows/process_creation/process_creation_apt_turla_commands_medium.
 
 ## Sigma rule parsing errors
 
-Some rules will have been able to be converted but will cause parsing errors. We will continue to fix these bugs but for the meantime the majority of Sigma rules do work so please ignore the errors for now.
+Some rules will have been able to be converted but will cause parsing errors or will not be usable due to various bugs. We will continue to fix these bugs but for the meantime the majority of Sigma rules do work so please ignore the errors for now.
diff --git a/tools/sigmac/README-Japanese.md b/tools/sigmac/README-Japanese.md
index 8baca41b..bfb89ee9 100644
--- a/tools/sigmac/README-Japanese.md
+++ b/tools/sigmac/README-Japanese.md
@@ -48,7 +48,7 @@ cp splitter.py $sigma_path
 * 注意:`/path/to/sigma_repository`そのままではなくて、自分のSigmaレポジトリのパスを指定してください。
 
 ### ルールの変換
-convert.shを実行することでルールの変換が実行されます。変換されたルールはhayabusa_rulesフォルダに作成されます。
+`convert.sh`を実行することでルールの変換が実行されます。変換されたルールは`hayabusa_rules`フォルダに作成されます。
 
 ```sh
 export sigma_path=/path/to/sigma_repository
diff --git a/tools/sigmac/hayabusa.py b/tools/sigmac/hayabusa.py
index ae53c407..3e56ed9e 100644
--- a/tools/sigmac/hayabusa.py
+++ b/tools/sigmac/hayabusa.py
@@ -268,7 +268,7 @@ class HayabusaBackend(SingleTextQueryBackend):
         # parsed.sigmaParser.parsedyamlがOrderedDictならこんなことしなくていい、後で別のやり方があるか調べる
         # 順番固定してもいいかも
         bs.write("title: " + parsed_yaml["title"]+"\n")
-        bs.write("ruletype: SIGMA\n")
+        bs.write("ruletype: Sigma\n")
         del parsed_yaml["title"]
 
         # detectionの部分をクリアする前にtimeflameだけ確保しておく。
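Review bot: The `title:` line immediately above the changed `ruletype:` line still writes `parsed_yaml["title"]` into the generated YAML as an unquoted, unescaped scalar, so a Sigma title containing `: `, ` #`, a leading quote or `[`/`{` yields a rule file that fails to load or parses with a different title, and the Sigma repository is third-party input this converter does not control. Emitting it as a quoted scalar avoids that, e.g. `bs.write("title: " + json.dumps(parsed_yaml["title"], ensure_ascii=False) + "\n")` (a JSON string is a valid YAML double-quoted scalar; `json` would need importing if the file does not already, or use whatever YAML dumper the file already has in scope). The new literal `Sigma` is a value the rule loader presumably matches on, so a comment such as `# must match the ruletype spelling expected by the Hayabusa rule loader` above it would keep the two from drifting again; I cannot see the loader from this hunk. The enclosing method starts before and continues past the hunk.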