SIGMAルールの変換ツールのテストケース作成とバグFIX (#261)

* grep検索に数値を指定されていると、sigmaルールの変換に失敗する問題を修正しました。 * add test files and bugfix for no timeframe.
2021-12-05 15:02:54 +09:00
parent ac5c5c2917
commit b10b714b36
47 changed files with 1053 additions and 2 deletions
@@ -0,0 +1,17 @@
+title: test
+ruletype: SIGMA
+author: test
+date: 2021/12/4
+description: "simple test\n"
+detection:
+  SELECTION_1:
+    EventID: 4100
+  condition: SELECTION_1
+falsepositives:
+- Unknown
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+level: medium
+logsource:
+  product: windows
+  service: security
+status: experimental
@@ -0,0 +1,26 @@
+
+title: test
+ruletype: SIGMA
+author: test
+date: 2021/12/4
+description: "map test and escape str test and empty string test and null test\n"
+detection:
+  SELECTION_1:
+    EventID: 4100
+  SELECTION_2:
+    ObjectType: Key
+  SELECTION_3:
+    ObjectKey: "aaaValu__-*|3'|e "
+  SELECTION_4:
+    Ojb: ''
+  SELECTION_5:
+    aaa|re: ^$
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
+falsepositives:
+- Unknown
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+level: medium
+logsource:
+  product: windows
+  service: security
+status: experimental
@@ -0,0 +1,26 @@
+
+title: test
+ruletype: SIGMA
+author: test
+date: 2021/12/4
+description: "list test\n"
+detection:
+  SELECTION_1:
+    EventID: 4100
+  SELECTION_2:
+    EventID: 9000
+  SELECTION_3:
+    EventID: 8000
+  SELECTION_4:
+    EventID: aaaa
+  SELECTION_5:
+    ObjectType: Key
+  condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4) and SELECTION_5)
+falsepositives:
+- Unknown
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+level: medium
+logsource:
+  product: windows
+  service: security
+status: experimental
@@ -0,0 +1,24 @@
+
+title: test
+ruletype: SIGMA
+author: test
+date: 2021/12/4
+description: "list test\n"
+detection:
+  SELECTION_1:
+  - 2
+  - dee
+  - testtesttest
+  SELECTION_2:
+    EventID: 22
+  SELECTION_3:
+    EventID: 33
+  condition: ((SELECTION_1) and (SELECTION_2 or SELECTION_3))
+falsepositives:
+- Unknown
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+level: medium
+logsource:
+  product: windows
+  service: security
+status: experimental
@@ -0,0 +1,26 @@
+
+title: test
+ruletype: SIGMA
+author: test
+date: 2021/12/4
+description: "all modifier\n"
+detection:
+  SELECTION_1:
+  - 2
+  - dee
+  - testtesttest
+  SELECTION_2:
+    EventID: 22
+  SELECTION_3:
+    EventID: 33
+  SELECTION_4:
+    EventID: hoge
+  condition: ((SELECTION_1) and (SELECTION_2 and SELECTION_3 and SELECTION_4))
+falsepositives:
+- Unknown
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+level: medium
+logsource:
+  product: windows
+  service: security
+status: experimental
@@ -0,0 +1,20 @@
+
+title: test
+ruletype: SIGMA
+author: test
+date: 2021/12/4
+description: "contains modifier\n"
+detection:
+  SELECTION_1:
+    UserName: '*hogehoge*'
+  SELECTION_2:
+    TargetUserName: '*testest2*'
+  condition: (SELECTION_1 or SELECTION_2)
+falsepositives:
+- Unknown
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+level: medium
+logsource:
+  product: windows
+  service: security
+status: experimental
@@ -0,0 +1,20 @@
+
+title: test
+ruletype: SIGMA
+author: test
+date: 2021/12/4
+description: "endswith pipe modifier and startswith pipe modifier\n"
+detection:
+  SELECTION_1:
+    UserName: '*hogehoge_end'
+  SELECTION_2:
+    TargetUserName: test_start*
+  condition: (SELECTION_1 or SELECTION_2)
+falsepositives:
+- Unknown
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+level: medium
+logsource:
+  product: windows
+  service: security
+status: experimental
@@ -0,0 +1,20 @@
+
+title: test
+ruletype: SIGMA
+author: test
+date: 2021/12/4
+description: "base64 encode modifier\n"
+detection:
+  SELECTION_1:
+    UserName: YmFzZTY0X2VuY29kZWQ=
+  SELECTION_2:
+    TargetUserName: test_start
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+level: medium
+logsource:
+  product: windows
+  service: security
+status: experimental
@@ -0,0 +1,26 @@
+
+title: test
+ruletype: SIGMA
+author: test
+date: 2021/12/4
+description: "re modifier test\n"
+detection:
+  SELECTION_1:
+    UserName|re: aaa
+  SELECTION_2:
+    UserName2|re: .*bbbb$
+  SELECTION_3:
+    UserName3|re: cccc/dd/dd
+  SELECTION_4:
+    UserName4|re: cccc"dddd
+  SELECTION_5:
+    UserName5|re: cccc"dddd
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
+falsepositives:
+- Unknown
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+level: medium
+logsource:
+  product: windows
+  service: security
+status: experimental
@@ -0,0 +1,35 @@
+
+title: test
+ruletype: SIGMA
+author: test
+date: 2021/12/4
+description: "all of test\n"
+detection:
+  SELECTION_1:
+    EventID: 3
+  SELECTION_2:
+    EventID: 7
+  SELECTION_3:
+    EventID: a
+  SELECTION_4:
+    UserName: abc
+  SELECTION_5:
+    process: nnn
+  SELECTION_6:
+    parentprocess: 2
+  SELECTION_7:
+    uuu: zzzz
+  SELECTION_8:
+    xxxx: 3
+  SELECTION_9:
+    ppp: iiii
+  condition: (((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and SELECTION_5
+    and SELECTION_6 and SELECTION_7 and SELECTION_8) or SELECTION_9)
+falsepositives:
+- Unknown
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+level: medium
+logsource:
+  product: windows
+  service: security
+status: experimental
@@ -0,0 +1,33 @@
+
+title: test
+ruletype: SIGMA
+author: test
+date: 2021/12/4
+description: "1 of\n"
+detection:
+  SELECTION_1:
+    EventID: 3
+  SELECTION_2:
+    EventID: 7
+  SELECTION_3:
+    UserName: abc
+  SELECTION_4:
+    process: nnn
+  SELECTION_5:
+    parentprocess: sss
+  SELECTION_6:
+    uuu: zzzz
+  SELECTION_7:
+    xxxx: yyyyy
+  SELECTION_8:
+    ppp: iiii
+  condition: ((((SELECTION_1 or SELECTION_2) and SELECTION_3) or (SELECTION_4 and
+    SELECTION_5) or (SELECTION_6 and SELECTION_7)) and SELECTION_8)
+falsepositives:
+- Unknown
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+level: medium
+logsource:
+  product: windows
+  service: security
+status: experimental
@@ -0,0 +1,31 @@
+
+title: test
+ruletype: SIGMA
+author: test
+date: 2021/12/4
+description: "all of them\n"
+detection:
+  SELECTION_1:
+    EventID: 3
+  SELECTION_2:
+    EventID: 7
+  SELECTION_3:
+    UserName: abc
+  SELECTION_4:
+    process: nnn
+  SELECTION_5:
+    parentprocess: sss
+  SELECTION_6:
+    uuu: zzzz
+  SELECTION_7:
+    xxxx: yyyyy
+  condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4 and SELECTION_5
+    and SELECTION_6 and SELECTION_7)
+falsepositives:
+- Unknown
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+level: medium
+logsource:
+  product: windows
+  service: security
+status: experimental
@@ -0,0 +1,31 @@
+
+title: test
+ruletype: SIGMA
+author: test
+date: 2021/12/4
+description: "1 of them\n"
+detection:
+  SELECTION_1:
+    EventID: 3
+  SELECTION_2:
+    EventID: 7
+  SELECTION_3:
+    UserName: abc
+  SELECTION_4:
+    process: nnn
+  SELECTION_5:
+    parentprocess: sss
+  SELECTION_6:
+    uuu: zzzz
+  SELECTION_7:
+    xxxx: yyyyy
+  condition: (((SELECTION_1 or SELECTION_2) and SELECTION_3) or (SELECTION_4 and SELECTION_5)
+    or (SELECTION_6 and SELECTION_7))
+falsepositives:
+- Unknown
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+level: medium
+logsource:
+  product: windows
+  service: security
+status: experimental
@@ -0,0 +1,19 @@
+
+title: test
+ruletype: SIGMA
+author: test
+date: 2021/12/4
+description: "timeflame \n"
+detection:
+  SELECTION_1:
+    EventID: 3
+  condition: SELECTION_1
+  timeflame: 2d
+falsepositives:
+- Unknown
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+level: medium
+logsource:
+  product: windows
+  service: security
+status: experimental
@@ -0,0 +1,25 @@
+
+title: test
+ruletype: SIGMA
+author: test
+date: 2021/12/4
+description: "condition and or\n"
+detection:
+  SELECTION_1:
+    EventID: 3
+  SELECTION_2:
+    aaa: bbb
+  SELECTION_3:
+    ccc: ddd
+  SELECTION_4:
+    eee: fff
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+  timeflame: 2d
+falsepositives:
+- Unknown
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+level: medium
+logsource:
+  product: windows
+  service: security
+status: experimental
@@ -0,0 +1,25 @@
+
+title: test
+ruletype: SIGMA
+author: test
+date: 2021/12/4
+description: "condition and or\n"
+detection:
+  SELECTION_1:
+    EventID: 3
+  SELECTION_2:
+    aaa: bbb
+  SELECTION_3:
+    ccc: ddd
+  SELECTION_4:
+    eee: fff
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+  timeflame: 2d
+falsepositives:
+- Unknown
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+level: medium
+logsource:
+  product: windows
+  service: security
+status: experimental
@@ -0,0 +1,25 @@
+
+title: test
+ruletype: SIGMA
+author: test
+date: 2021/12/4
+description: "condition or\n"
+detection:
+  SELECTION_1:
+    EventID: 3
+  SELECTION_2:
+    aaa: bbb
+  SELECTION_3:
+    ccc: ddd
+  SELECTION_4:
+    eee: fff
+  condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4)
+  timeflame: 2d
+falsepositives:
+- Unknown
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+level: medium
+logsource:
+  product: windows
+  service: security
+status: experimental
@@ -0,0 +1,27 @@
+
+title: test
+ruletype: SIGMA
+author: test
+date: 2021/12/4
+description: "() \n"
+detection:
+  SELECTION_1:
+    EventID: 3
+  SELECTION_2:
+    aaa: bbb
+  SELECTION_3:
+    ccc: ddd
+  SELECTION_4:
+    eee: fff
+  SELECTION_5:
+    ggg: hhh
+  condition: ((SELECTION_1 and (SELECTION_2 or (SELECTION_3 and SELECTION_4))) or
+    SELECTION_5)
+falsepositives:
+- Unknown
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+level: medium
+logsource:
+  product: windows
+  service: security
+status: experimental
@@ -0,0 +1,18 @@
+
+title: test
+ruletype: SIGMA
+author: test
+date: 2021/12/4
+description: "condition not\n"
+detection:
+  SELECTION_1:
+    EventID: 3
+  condition: ' not (SELECTION_1)'
+falsepositives:
+- Unknown
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+level: medium
+logsource:
+  product: windows
+  service: security
+status: experimental
@@ -0,0 +1,27 @@
+
+title: test
+ruletype: SIGMA
+author: test
+date: 2021/12/4
+description: "condition not ()\n"
+detection:
+  SELECTION_1:
+    EventID: 3
+  SELECTION_2:
+    aaa: bbb
+  SELECTION_3:
+    ccc: ddd
+  SELECTION_4:
+    eee: fff
+  SELECTION_5:
+    ggg: hhh
+  condition: ( not (SELECTION_1) and  not ((SELECTION_2 and  not ((SELECTION_3 or
+    SELECTION_4)))) and SELECTION_5)
+falsepositives:
+- Unknown
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+level: medium
+logsource:
+  product: windows
+  service: security
+status: experimental
@@ -0,0 +1,20 @@
+
+title: test
+ruletype: SIGMA
+author: test
+date: 2021/12/4
+description: "condition count\n"
+detection:
+  SELECTION_1:
+    EventID: 3
+  SELECTION_2:
+    aaa: bbb
+  condition: (SELECTION_1 and  not (SELECTION_2)) | count() < 3
+falsepositives:
+- Unknown
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+level: medium
+logsource:
+  product: windows
+  service: security
+status: experimental
@@ -0,0 +1,20 @@
+
+title: test
+ruletype: SIGMA
+author: test
+date: 2021/12/4
+description: "condition count\n"
+detection:
+  SELECTION_1:
+    EventID: 3
+  SELECTION_2:
+    aaa: bbb
+  condition: (SELECTION_1 and  not (SELECTION_2)) | count(TEAMNAME) by HOGE < 3
+falsepositives:
+- Unknown
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+level: medium
+logsource:
+  product: windows
+  service: security
+status: experimental