Create test cases and fix bugs in the SIGMA rule conversion tool (#261)

* Fixed a problem where converting a Sigma rule failed when a number was specified for the grep search.

* add test files and bugfix for no timeframe.
James Takai / hach1yon
2021-12-05 15:02:54 +09:00
committed by GitHub
parent ac5c5c2917
commit b10b714b36
47 changed files with 1053 additions and 2 deletions

View File

@@ -204,7 +204,7 @@ class HayabusaBackend(SingleTextQueryBackend):
def generateANDNode(self, node):
generated = list()
for val in node:
if type(val) == str:
if type(val) == str or type(val) == int:
# 普通はtupleでkeyとvalueのペアであるが、これはkeyが指定されていないケース
# keyが指定されていない場合は、EventLog全体をgrep検索することになっている。(詳細はSigmaルールの仕様書を参照のこと)
# 具体的には"all of"とか使うとこの分岐に来る
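Review bot: `type(val) == str or type(val) == int` still misses other scalar types PyYAML can hand back for a bare keyword, e.g. a float (`- 1.5`) or a bool (`- true`), which would fall through exactly as `int` did before this fix. `isinstance(val, (str, int, float))` covers those in one check (and, because `bool` subclasses `int`, bools too), leaving the key/value tuple as the only other case.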
@@ -235,7 +235,7 @@ class HayabusaBackend(SingleTextQueryBackend):
generated = list()
for val in node:
# 普通はtupleでkeyとvalueのペアであるが、これはkeyが指定されていないケース
if type(val) == str:
if type(val) == str or type(val) == int:
if name is None:
name = self.create_new_selection()
self.name_2_selection[name] = list()
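Review bot: the same type test now appears in both `generateANDNode` and `generateORNode`; a small helper such as `def _is_keyword(val): return isinstance(val, (str, int, float))` would keep the two branches from drifting apart the next time a scalar type has to be added.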
@@ -270,9 +270,16 @@ class HayabusaBackend(SingleTextQueryBackend):
bs.write("title: " + parsed_yaml["title"]+"\n")
bs.write("ruletype: SIGMA\n")
del parsed_yaml["title"]
# detectionの部分をクリアする前にtimeflameだけ確保しておく。
timeflame = None
if "timeflame" in parsed_yaml["detection"]:
timeflame = parsed_yaml["detection"]["timeflame"]
# detectionの部分だけ変更して出力する。
parsed_yaml["detection"] = {}
if timeflame is not None and len(timeflame) != 0:
parsed_yaml["detection"]["timeflame"] = timeflame
parsed_yaml["detection"]["condition"] = result
for key, values in self.name_2_selection.items():
# fieldnameの有無を確認している
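Review bot: the key looked up here is `"timeflame"`, but the Sigma specification names this detection attribute `timeframe`. Because the added test rules use the same spelling, the tests pass while a spec-conformant rule with `timeframe: 2d` would have its timeframe silently dropped when `parsed_yaml["detection"]` is reset to `{}`. Suggest `if "timeframe" in parsed_yaml["detection"]:` (and the same key on the write side), and `if timeflame:` instead of `len(timeflame) != 0`, which raises `TypeError` when the value is neither a string nor a sequence.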
@@ -290,6 +297,7 @@ class HayabusaBackend(SingleTextQueryBackend):
else:
## is_keyword_list() == Falseの場合
parsed_yaml["detection"][key][fieldname] = value
yaml.dump(parsed_yaml, bs, indent=4, default_flow_style=False)
ret = bs.getvalue()
ret += "---\n"
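Review bot: `yaml.dump(parsed_yaml, bs, indent=4, default_flow_style=False)` relies on PyYAML's defaults `sort_keys=True` and `allow_unicode=False`, so the emitted rule has its keys reordered alphabetically (visible in the expected files below, where `author`, `date`, `description` follow the hand-written `title` and `ruletype`) and any non-ASCII text in `title` or `description` is written as `\uXXXX` escapes. If the converted rules are meant to stay readable for analysts, pass `sort_keys=False, allow_unicode=True`.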

View File

@@ -0,0 +1,12 @@
このフォルダにはテストに必要なファイルが格納されています。
テストを実行する際には、toos/sigmacにあるファイルに加え、このフォルダのファイルもsigmaディレクトリにコピーしてください。
このフォルダにあるファイルについて説明します。
* test_rules: テスト用のSIGMAルールが格納されたフォルダです。
* convert_test.sh: テストを実行するためのシェルスクリプトです。test_rulesフォルダ内のSIGMAルールをhayabusaルールに変換し、hayabusa_rules_testフォルダに出力します。
* expected_rules: test_rulesフォルダ内のルールを正しく変換すると、このフォルダに設置されているhayabusaルールと同じになるはずです。
テストは下記のように実行します。
* convert_test.shを実行する。
* WinMerge等のツールを利用して、expected_rulesフォルダとhayabusa_rules_testフォルダに差分を確認する。
* 差分が無ければテストOKです。差分があれば、内容を確認して適宜修正してください。
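Review bot: `toos/sigmac` on the second line should be `tools/sigmac`, which is the path `convert_test.sh` actually invokes. Also, since the check is a manual WinMerge comparison, a command-line alternative such as `diff -r expected_rules hayabusa_rules_test` would let the test run unattended and fail on any difference.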

View File

@@ -0,0 +1,3 @@
rm -rf hayabusa_rules
python ./tools/sigmac -t hayabusa --config ./tools/config/generic/sysmon.yml --defer-abort -r test_rules/ > sigma_to_hayabusa.yml
python splitter.py hayabusa_rules_test
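Review bot: the script removes `hayabusa_rules`, but according to the README `splitter.py` writes to `hayabusa_rules_test`, so stale output from a previous run is never cleared and a rule that was deleted or renamed in `test_rules/` would not show up in the comparison. Suggest `rm -rf hayabusa_rules_test` (or both directories), plus a `#!/bin/sh` line and `set -e` so a failing `sigmac` invocation stops the run instead of handing a partial `sigma_to_hayabusa.yml` to the splitter.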

View File

@@ -0,0 +1,17 @@
title: test
ruletype: SIGMA
author: test
date: 2021/12/4
description: "simple test\n"
detection:
SELECTION_1:
EventID: 4100
condition: SELECTION_1
falsepositives:
- Unknown
id: ff151c33-45fa-475d-af4f-c2f93571f4fe
level: medium
logsource:
product: windows
service: security
status: experimental

View File

@@ -0,0 +1,26 @@
title: test
ruletype: SIGMA
author: test
date: 2021/12/4
description: "map test and escape str test and empty string test and null test\n"
detection:
SELECTION_1:
EventID: 4100
SELECTION_2:
ObjectType: Key
SELECTION_3:
ObjectKey: "aaaValu__-*|3'|e "
SELECTION_4:
Ojb: ''
SELECTION_5:
aaa|re: ^$
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
falsepositives:
- Unknown
id: ff151c33-45fa-475d-af4f-c2f93571f4fe
level: medium
logsource:
product: windows
service: security
status: experimental
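Review bot: `aaa: null` in the source rule becomes `aaa|re: ^$` here, i.e. a regex that matches a present but empty value. In Sigma, `null` means the field is null or absent, which is a different condition from the field being present and empty; worth confirming that the Hayabusa side treats a missing field as matching `^$`, otherwise this conversion changes the rule's meaning without any warning at conversion time.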

View File

@@ -0,0 +1,26 @@
title: test
ruletype: SIGMA
author: test
date: 2021/12/4
description: "list test\n"
detection:
SELECTION_1:
EventID: 4100
SELECTION_2:
EventID: 9000
SELECTION_3:
EventID: 8000
SELECTION_4:
EventID: aaaa
SELECTION_5:
ObjectType: Key
condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4) and SELECTION_5)
falsepositives:
- Unknown
id: ff151c33-45fa-475d-af4f-c2f93571f4fe
level: medium
logsource:
product: windows
service: security
status: experimental

View File

@@ -0,0 +1,24 @@
title: test
ruletype: SIGMA
author: test
date: 2021/12/4
description: "list test\n"
detection:
SELECTION_1:
- 2
- dee
- testtesttest
SELECTION_2:
EventID: 22
SELECTION_3:
EventID: 33
condition: ((SELECTION_1) and (SELECTION_2 or SELECTION_3))
falsepositives:
- Unknown
id: ff151c33-45fa-475d-af4f-c2f93571f4fe
level: medium
logsource:
product: windows
service: security
status: experimental

View File

@@ -0,0 +1,26 @@
title: test
ruletype: SIGMA
author: test
date: 2021/12/4
description: "all modifier\n"
detection:
SELECTION_1:
- 2
- dee
- testtesttest
SELECTION_2:
EventID: 22
SELECTION_3:
EventID: 33
SELECTION_4:
EventID: hoge
condition: ((SELECTION_1) and (SELECTION_2 and SELECTION_3 and SELECTION_4))
falsepositives:
- Unknown
id: ff151c33-45fa-475d-af4f-c2f93571f4fe
level: medium
logsource:
product: windows
service: security
status: experimental

View File

@@ -0,0 +1,20 @@
title: test
ruletype: SIGMA
author: test
date: 2021/12/4
description: "contains modifier\n"
detection:
SELECTION_1:
UserName: '*hogehoge*'
SELECTION_2:
TargetUserName: '*testest2*'
condition: (SELECTION_1 or SELECTION_2)
falsepositives:
- Unknown
id: ff151c33-45fa-475d-af4f-c2f93571f4fe
level: medium
logsource:
product: windows
service: security
status: experimental

View File

@@ -0,0 +1,20 @@
title: test
ruletype: SIGMA
author: test
date: 2021/12/4
description: "endswith pipe modifier and startswith pipe modifier\n"
detection:
SELECTION_1:
UserName: '*hogehoge_end'
SELECTION_2:
TargetUserName: test_start*
condition: (SELECTION_1 or SELECTION_2)
falsepositives:
- Unknown
id: ff151c33-45fa-475d-af4f-c2f93571f4fe
level: medium
logsource:
product: windows
service: security
status: experimental

View File

@@ -0,0 +1,20 @@
title: test
ruletype: SIGMA
author: test
date: 2021/12/4
description: "base64 encode modifier\n"
detection:
SELECTION_1:
UserName: YmFzZTY0X2VuY29kZWQ=
SELECTION_2:
TargetUserName: test_start
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: ff151c33-45fa-475d-af4f-c2f93571f4fe
level: medium
logsource:
product: windows
service: security
status: experimental

View File

@@ -0,0 +1,26 @@
title: test
ruletype: SIGMA
author: test
date: 2021/12/4
description: "re modifier test\n"
detection:
SELECTION_1:
UserName|re: aaa
SELECTION_2:
UserName2|re: .*bbbb$
SELECTION_3:
UserName3|re: cccc/dd/dd
SELECTION_4:
UserName4|re: cccc"dddd
SELECTION_5:
UserName5|re: cccc"dddd
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
falsepositives:
- Unknown
id: ff151c33-45fa-475d-af4f-c2f93571f4fe
level: medium
logsource:
product: windows
service: security
status: experimental

View File

@@ -0,0 +1,35 @@
title: test
ruletype: SIGMA
author: test
date: 2021/12/4
description: "all of test\n"
detection:
SELECTION_1:
EventID: 3
SELECTION_2:
EventID: 7
SELECTION_3:
EventID: a
SELECTION_4:
UserName: abc
SELECTION_5:
process: nnn
SELECTION_6:
parentprocess: 2
SELECTION_7:
uuu: zzzz
SELECTION_8:
xxxx: 3
SELECTION_9:
ppp: iiii
condition: (((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and SELECTION_5
and SELECTION_6 and SELECTION_7 and SELECTION_8) or SELECTION_9)
falsepositives:
- Unknown
id: ff151c33-45fa-475d-af4f-c2f93571f4fe
level: medium
logsource:
product: windows
service: security
status: experimental

View File

@@ -0,0 +1,33 @@
title: test
ruletype: SIGMA
author: test
date: 2021/12/4
description: "1 of\n"
detection:
SELECTION_1:
EventID: 3
SELECTION_2:
EventID: 7
SELECTION_3:
UserName: abc
SELECTION_4:
process: nnn
SELECTION_5:
parentprocess: sss
SELECTION_6:
uuu: zzzz
SELECTION_7:
xxxx: yyyyy
SELECTION_8:
ppp: iiii
condition: ((((SELECTION_1 or SELECTION_2) and SELECTION_3) or (SELECTION_4 and
SELECTION_5) or (SELECTION_6 and SELECTION_7)) and SELECTION_8)
falsepositives:
- Unknown
id: ff151c33-45fa-475d-af4f-c2f93571f4fe
level: medium
logsource:
product: windows
service: security
status: experimental

View File

@@ -0,0 +1,31 @@
title: test
ruletype: SIGMA
author: test
date: 2021/12/4
description: "all of them\n"
detection:
SELECTION_1:
EventID: 3
SELECTION_2:
EventID: 7
SELECTION_3:
UserName: abc
SELECTION_4:
process: nnn
SELECTION_5:
parentprocess: sss
SELECTION_6:
uuu: zzzz
SELECTION_7:
xxxx: yyyyy
condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4 and SELECTION_5
and SELECTION_6 and SELECTION_7)
falsepositives:
- Unknown
id: ff151c33-45fa-475d-af4f-c2f93571f4fe
level: medium
logsource:
product: windows
service: security
status: experimental

View File

@@ -0,0 +1,31 @@
title: test
ruletype: SIGMA
author: test
date: 2021/12/4
description: "1 of them\n"
detection:
SELECTION_1:
EventID: 3
SELECTION_2:
EventID: 7
SELECTION_3:
UserName: abc
SELECTION_4:
process: nnn
SELECTION_5:
parentprocess: sss
SELECTION_6:
uuu: zzzz
SELECTION_7:
xxxx: yyyyy
condition: (((SELECTION_1 or SELECTION_2) and SELECTION_3) or (SELECTION_4 and SELECTION_5)
or (SELECTION_6 and SELECTION_7))
falsepositives:
- Unknown
id: ff151c33-45fa-475d-af4f-c2f93571f4fe
level: medium
logsource:
product: windows
service: security
status: experimental

View File

@@ -0,0 +1,19 @@
title: test
ruletype: SIGMA
author: test
date: 2021/12/4
description: "timeflame \n"
detection:
SELECTION_1:
EventID: 3
condition: SELECTION_1
timeflame: 2d
falsepositives:
- Unknown
id: ff151c33-45fa-475d-af4f-c2f93571f4fe
level: medium
logsource:
product: windows
service: security
status: experimental

View File

@@ -0,0 +1,25 @@
title: test
ruletype: SIGMA
author: test
date: 2021/12/4
description: "condition and or\n"
detection:
SELECTION_1:
EventID: 3
SELECTION_2:
aaa: bbb
SELECTION_3:
ccc: ddd
SELECTION_4:
eee: fff
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
timeflame: 2d
falsepositives:
- Unknown
id: ff151c33-45fa-475d-af4f-c2f93571f4fe
level: medium
logsource:
product: windows
service: security
status: experimental

View File

@@ -0,0 +1,25 @@
title: test
ruletype: SIGMA
author: test
date: 2021/12/4
description: "condition and or\n"
detection:
SELECTION_1:
EventID: 3
SELECTION_2:
aaa: bbb
SELECTION_3:
ccc: ddd
SELECTION_4:
eee: fff
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
timeflame: 2d
falsepositives:
- Unknown
id: ff151c33-45fa-475d-af4f-c2f93571f4fe
level: medium
logsource:
product: windows
service: security
status: experimental
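Review bot: this expected file is byte-for-byte identical to the previous one, including `description: "condition and or\n"`, yet the test rules below contain one rule described as `condition and` and one as `condition and or`. The `condition and` case therefore cannot match its expected output, and the WinMerge comparison will always report a diff for it; regenerate this file from the current test rule.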

View File

@@ -0,0 +1,25 @@
title: test
ruletype: SIGMA
author: test
date: 2021/12/4
description: "condition or\n"
detection:
SELECTION_1:
EventID: 3
SELECTION_2:
aaa: bbb
SELECTION_3:
ccc: ddd
SELECTION_4:
eee: fff
condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4)
timeflame: 2d
falsepositives:
- Unknown
id: ff151c33-45fa-475d-af4f-c2f93571f4fe
level: medium
logsource:
product: windows
service: security
status: experimental

View File

@@ -0,0 +1,27 @@
title: test
ruletype: SIGMA
author: test
date: 2021/12/4
description: "() \n"
detection:
SELECTION_1:
EventID: 3
SELECTION_2:
aaa: bbb
SELECTION_3:
ccc: ddd
SELECTION_4:
eee: fff
SELECTION_5:
ggg: hhh
condition: ((SELECTION_1 and (SELECTION_2 or (SELECTION_3 and SELECTION_4))) or
SELECTION_5)
falsepositives:
- Unknown
id: ff151c33-45fa-475d-af4f-c2f93571f4fe
level: medium
logsource:
product: windows
service: security
status: experimental

View File

@@ -0,0 +1,18 @@
title: test
ruletype: SIGMA
author: test
date: 2021/12/4
description: "condition not\n"
detection:
SELECTION_1:
EventID: 3
condition: ' not (SELECTION_1)'
falsepositives:
- Unknown
id: ff151c33-45fa-475d-af4f-c2f93571f4fe
level: medium
logsource:
product: windows
service: security
status: experimental
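Review bot: `condition: ' not (SELECTION_1)'` carries a leading space, which is why `yaml.dump` had to quote it. A `.strip()` on the generated condition string before it is stored in `parsed_yaml["detection"]["condition"]` would yield the plain `not (SELECTION_1)`; the `( not (SELECTION_1) ...` case two files down has the same cosmetic issue.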

View File

@@ -0,0 +1,27 @@
title: test
ruletype: SIGMA
author: test
date: 2021/12/4
description: "condition not ()\n"
detection:
SELECTION_1:
EventID: 3
SELECTION_2:
aaa: bbb
SELECTION_3:
ccc: ddd
SELECTION_4:
eee: fff
SELECTION_5:
ggg: hhh
condition: ( not (SELECTION_1) and not ((SELECTION_2 and not ((SELECTION_3 or
SELECTION_4)))) and SELECTION_5)
falsepositives:
- Unknown
id: ff151c33-45fa-475d-af4f-c2f93571f4fe
level: medium
logsource:
product: windows
service: security
status: experimental

View File

@@ -0,0 +1,20 @@
title: test
ruletype: SIGMA
author: test
date: 2021/12/4
description: "condition count\n"
detection:
SELECTION_1:
EventID: 3
SELECTION_2:
aaa: bbb
condition: (SELECTION_1 and not (SELECTION_2)) | count() < 3
falsepositives:
- Unknown
id: ff151c33-45fa-475d-af4f-c2f93571f4fe
level: medium
logsource:
product: windows
service: security
status: experimental
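Review bot: the aggregation part `| count() < 3` (and `| count(TEAMNAME) by HOGE < 3` in the next file) is carried through verbatim into the Hayabusa condition. These expected files only pin the text, so they do not establish whether Hayabusa evaluates such an expression; if it does not, a converted rule would load with a condition it cannot enforce. Either document that limitation in the test rule or add an explicit check on the Hayabusa side.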

View File

@@ -0,0 +1,20 @@
title: test
ruletype: SIGMA
author: test
date: 2021/12/4
description: "condition count\n"
detection:
SELECTION_1:
EventID: 3
SELECTION_2:
aaa: bbb
condition: (SELECTION_1 and not (SELECTION_2)) | count(TEAMNAME) by HOGE < 3
falsepositives:
- Unknown
id: ff151c33-45fa-475d-af4f-c2f93571f4fe
level: medium
logsource:
product: windows
service: security
status: experimental

View File

@@ -0,0 +1,17 @@
title: test
id: ff151c33-45fa-475d-af4f-c2f93571f4fe
description: |
simple test
status: experimental
date: 2021/12/4
author: test
logsource:
product: windows
service: security
detection:
selection:
EventID: 4100
condition: selection
falsepositives:
- Unknown
level: medium

View File

@@ -0,0 +1,21 @@
title: test
id: ff151c33-45fa-475d-af4f-c2f93571f4fe
description: |
map test and escape str test and empty string test and null test
status: experimental
date: 2021/12/4
author: test
logsource:
product: windows
service: security
detection:
selection:
EventID: 4100
ObjectType: 'Key'
ObjectKey: 'aaaValu__-*|3''|e '
Ojb: ''
aaa: null
condition: selection
falsepositives:
- Unknown
level: medium

View File

@@ -0,0 +1,22 @@
title: test
id: ff151c33-45fa-475d-af4f-c2f93571f4fe
description: |
list test
status: experimental
date: 2021/12/4
author: test
logsource:
product: windows
service: security
detection:
selection:
EventID:
- 4100
- 9000
- 8000
- "aaaa"
ObjectType: 'Key'
condition: selection
falsepositives:
- Unknown
level: medium

View File

@@ -0,0 +1,23 @@
title: test
id: ff151c33-45fa-475d-af4f-c2f93571f4fe
description: |
list test
status: experimental
date: 2021/12/4
author: test
logsource:
product: windows
service: security
detection:
selection:
- 2
- dee
- testtesttest
SELECTION_2:
EventID:
- 22
- 33
condition: selection and SELECTION_2
falsepositives:
- Unknown
level: medium
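Review bot: the bare `2` in `selection` is the regression case for the grep-with-number fix in this commit. Since PyYAML will also return a float or a bool for `- 1.5` / `- true`, adding one of each to this list would guard the new `type(val) == int` branch against the same class of failure.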

View File

@@ -0,0 +1,24 @@
title: test
id: ff151c33-45fa-475d-af4f-c2f93571f4fe
description: |
all modifier
status: experimental
date: 2021/12/4
author: test
logsource:
product: windows
service: security
detection:
selection:
- 2
- dee
- testtesttest
SELECTION_2:
EventID|all:
- 22
- 33
- hoge
condition: selection and SELECTION_2
falsepositives:
- Unknown
level: medium

View File

@@ -0,0 +1,18 @@
title: test
id: ff151c33-45fa-475d-af4f-c2f93571f4fe
description: |
contains modifier
status: experimental
date: 2021/12/4
author: test
logsource:
product: windows
service: security
detection:
selection:
- UserName|contains: hogehoge
- TargetUserName|contains: testest2
condition: selection
falsepositives:
- Unknown
level: medium

View File

@@ -0,0 +1,18 @@
title: test
id: ff151c33-45fa-475d-af4f-c2f93571f4fe
description: |
endswith pipe modifier and startswith pipe modifier
status: experimental
date: 2021/12/4
author: test
logsource:
product: windows
service: security
detection:
selection:
- UserName|endswith: hogehoge_end
- TargetUserName|startswith: test_start
condition: selection
falsepositives:
- Unknown
level: medium

View File

@@ -0,0 +1,18 @@
title: test
id: ff151c33-45fa-475d-af4f-c2f93571f4fe
description: |
base64 encode modifier
status: experimental
date: 2021/12/4
author: test
logsource:
product: windows
service: security
detection:
selection:
UserName|base64: base64_encoded
TargetUserName: test_start
condition: selection
falsepositives:
- Unknown
level: medium

View File

@@ -0,0 +1,22 @@
title: test
id: ff151c33-45fa-475d-af4f-c2f93571f4fe
description: |
re modifier test
status: experimental
date: 2021/12/4
author: test
logsource:
product: windows
service: security
detection:
selection:
UserName|re: aaa
UserName2|re: .*bbbb$
UserName3|re: cccc\/dd/\//dd # see hayabusa.py generateMapItemTypedNode()
UserName4|re: cccc\"dd"\""dd # see hayabusa.py generateMapItemTypedNode()
UserName5|re: cccc{{3}0dddd # see hayabusa.py generateMapItemTypedNode()
UserName6|re: cccc{{3}0d{32}dd # see hayabusa.py generateMapItemTypedNode()
condition: selection
falsepositives:
- Unknown
level: medium
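Review bot: this rule has six `|re` entries (`UserName` through `UserName6`), but the expected file for it above has only `SELECTION_1` to `SELECTION_5`, and the values for `SELECTION_3` to `SELECTION_5` (`cccc/dd/dd`, `cccc"dddd`, `cccc"dddd`) do not correspond to the `\/`, `\"` and `{{3}0` inputs here, so the expected file appears to have been generated from an earlier version of this rule. Regenerate it, and since the comments defer to `generateMapItemTypedNode()` for the escaping behaviour, a short note per entry stating what each escape is expected to become would make the expected file reviewable on its own.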

View File

@@ -0,0 +1,29 @@
title: test
id: ff151c33-45fa-475d-af4f-c2f93571f4fe
description: |
all of test
status: experimental
date: 2021/12/4
author: test
logsource:
product: windows
service: security
detection:
selection1:
EventID:
- 3
- 7
- a
UserName: abc
selection2:
process: nnn
parentprocess: 2
selection3:
uuu: zzzz
xxxx: 3
another:
ppp: iiii
condition: all of selection* or another
falsepositives:
- Unknown
level: medium

View File

@@ -0,0 +1,28 @@
title: test
id: ff151c33-45fa-475d-af4f-c2f93571f4fe
description: |
1 of
status: experimental
date: 2021/12/4
author: test
logsource:
product: windows
service: security
detection:
selection1:
EventID:
- 3
- 7
UserName: abc
selection2:
process: nnn
parentprocess: sss
selection3:
uuu: zzzz
xxxx: yyyyy
another:
ppp: iiii
condition: 1 of selection* and another
falsepositives:
- Unknown
level: medium

View File

@@ -0,0 +1,26 @@
title: test
id: ff151c33-45fa-475d-af4f-c2f93571f4fe
description: |
all of them
status: experimental
date: 2021/12/4
author: test
logsource:
product: windows
service: security
detection:
selection1:
EventID:
- 3
- 7
UserName: abc
selection2:
process: nnn
parentprocess: sss
selection3:
uuu: zzzz
xxxx: yyyyy
condition: all of them
falsepositives:
- Unknown
level: medium

View File

@@ -0,0 +1,26 @@
title: test
id: ff151c33-45fa-475d-af4f-c2f93571f4fe
description: |
1 of them
status: experimental
date: 2021/12/4
author: test
logsource:
product: windows
service: security
detection:
selection1:
EventID:
- 3
- 7
UserName: abc
selection2:
process: nnn
parentprocess: sss
selection3:
uuu: zzzz
xxxx: yyyyy
condition: 1 of them
falsepositives:
- Unknown
level: medium

View File

@@ -0,0 +1,18 @@
title: test
id: ff151c33-45fa-475d-af4f-c2f93571f4fe
description: |
timeflame
status: experimental
date: 2021/12/4
author: test
logsource:
product: windows
service: security
detection:
selection1:
EventID: 3
timeflame: 2d
condition: selection1
falsepositives:
- Unknown
level: medium
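Review bot: `timeflame: 2d` uses the misspelling that the backend change in this commit looks up; the Sigma attribute is `timeframe`. As written, the test confirms the round-trip of the misspelled key but not that a spec-conformant rule keeps its timeframe. Renaming it here (and in the three `condition and/or` rules below that also carry it) together with the backend key would make the test meaningful.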

View File

@@ -0,0 +1,24 @@
title: test
id: ff151c33-45fa-475d-af4f-c2f93571f4fe
description: |
condition and or
status: experimental
date: 2021/12/4
author: test
logsource:
product: windows
service: security
detection:
selection1:
EventID: 3
selection2:
aaa: bbb
selection3:
ccc: ddd
selection4:
eee: fff
timeflame: 2d
condition: selection1 and selection2 and selection3 and selection4
falsepositives:
- Unknown
level: medium

View File

@@ -0,0 +1,24 @@
title: test
id: ff151c33-45fa-475d-af4f-c2f93571f4fe
description: |
condition and
status: experimental
date: 2021/12/4
author: test
logsource:
product: windows
service: security
detection:
selection1:
EventID: 3
selection2:
aaa: bbb
selection3:
ccc: ddd
selection4:
eee: fff
timeflame: 2d
condition: selection1 and selection2 and selection3 and selection4
falsepositives:
- Unknown
level: medium

View File

@@ -0,0 +1,24 @@
title: test
id: ff151c33-45fa-475d-af4f-c2f93571f4fe
description: |
condition or
status: experimental
date: 2021/12/4
author: test
logsource:
product: windows
service: security
detection:
selection1:
EventID: 3
selection2:
aaa: bbb
selection3:
ccc: ddd
selection4:
eee: fff
timeflame: 2d
condition: selection1 or selection2 or selection3 or selection4
falsepositives:
- Unknown
level: medium

View File

@@ -0,0 +1,25 @@
title: test
id: ff151c33-45fa-475d-af4f-c2f93571f4fe
description: |
()
status: experimental
date: 2021/12/4
author: test
logsource:
product: windows
service: security
detection:
selection1:
EventID: 3
selection2:
aaa: bbb
selection3:
ccc: ddd
selection4:
eee: fff
selection5:
ggg: hhh
condition: selection1 and ( selection2 or (selection3 and selection4) ) or selection5
falsepositives:
- Unknown
level: medium

View File

@@ -0,0 +1,17 @@
title: test
id: ff151c33-45fa-475d-af4f-c2f93571f4fe
description: |
condition not
status: experimental
date: 2021/12/4
author: test
logsource:
product: windows
service: security
detection:
selection1:
EventID: 3
condition: not selection1
falsepositives:
- Unknown
level: medium

View File

@@ -0,0 +1,25 @@
title: test
id: ff151c33-45fa-475d-af4f-c2f93571f4fe
description: |
condition not ()
status: experimental
date: 2021/12/4
author: test
logsource:
product: windows
service: security
detection:
selection1:
EventID: 3
selection2:
aaa: bbb
selection3:
ccc: ddd
selection4:
eee: fff
selection5:
ggg: hhh
condition: not selection1 and not( selection2 and not (selection3 or selection4)) and selection5
falsepositives:
- Unknown
level: medium

View File

@@ -0,0 +1,19 @@
title: test
id: ff151c33-45fa-475d-af4f-c2f93571f4fe
description: |
condition count
status: experimental
date: 2021/12/4
author: test
logsource:
product: windows
service: security
detection:
selection1:
EventID: 3
selection2:
aaa: bbb
condition: selection1 and not selection2 | count() < 3
falsepositives:
- Unknown
level: medium

View File

@@ -0,0 +1,19 @@
title: test
id: ff151c33-45fa-475d-af4f-c2f93571f4fe
description: |
condition count
status: experimental
date: 2021/12/4
author: test
logsource:
product: windows
service: security
detection:
selection1:
EventID: 3
selection2:
aaa: bbb
condition: selection1 and not selection2 | count(TEAMNAME) by HOGE < 3
falsepositives:
- Unknown
level: medium