SIGMAルールの変換ツールのテストケース作成とバグFIX (#261)

* grep検索に数値を指定されていると、sigmaルールの変換に失敗する問題を修正しました。 * add test files and bugfix for no timeframe.
2021-12-05 15:02:54 +09:00
parent ac5c5c2917
commit b10b714b36
47 changed files with 1053 additions and 2 deletions
@@ -0,0 +1,17 @@
+title: test
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+description: |
+    simple test
+status: experimental
+date: 2021/12/4
+author: test
+logsource:
+    product: windows
+    service: security
+detection:
+    selection:
+        EventID: 4100
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium
@@ -0,0 +1,21 @@
+title: test
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+description: |
+    map test and escape str test and empty string test and null test
+status: experimental
+date: 2021/12/4
+author: test
+logsource:
+    product: windows
+    service: security
+detection:
+    selection:
+        EventID: 4100
+        ObjectType: 'Key'
+        ObjectKey: 'aaaValu__-*|3''|e '
+        Ojb: ''
+        aaa: null
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium
@@ -0,0 +1,22 @@
+title: test
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+description: |
+    list test
+status: experimental
+date: 2021/12/4
+author: test
+logsource:
+    product: windows
+    service: security
+detection:
+    selection:
+        EventID: 
+            - 4100
+            - 9000
+            - 8000
+            - "aaaa"
+        ObjectType: 'Key'
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium
@@ -0,0 +1,23 @@
+title: test
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+description: |
+    list test
+status: experimental
+date: 2021/12/4
+author: test
+logsource:
+    product: windows
+    service: security
+detection:
+    selection:
+        - 2
+        - dee
+        - testtesttest
+    SELECTION_2:
+        EventID:
+            - 22
+            - 33
+    condition: selection and SELECTION_2
+falsepositives:
+    - Unknown
+level: medium
@@ -0,0 +1,24 @@
+title: test
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+description: |
+    all modifier
+status: experimental
+date: 2021/12/4
+author: test
+logsource:
+    product: windows
+    service: security
+detection:
+    selection:
+        - 2
+        - dee
+        - testtesttest
+    SELECTION_2:
+        EventID|all:
+            - 22
+            - 33
+            - hoge
+    condition: selection and SELECTION_2
+falsepositives:
+    - Unknown
+level: medium
@@ -0,0 +1,18 @@
+title: test
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+description: |
+    contains modifier
+status: experimental
+date: 2021/12/4
+author: test
+logsource:
+    product: windows
+    service: security
+detection:
+    selection:
+        - UserName|contains: hogehoge
+        - TargetUserName|contains: testest2
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium
@@ -0,0 +1,18 @@
+title: test
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+description: |
+    endswith pipe modifier and startswith pipe modifier
+status: experimental
+date: 2021/12/4
+author: test
+logsource:
+    product: windows
+    service: security
+detection:
+    selection:
+        - UserName|endswith: hogehoge_end
+        - TargetUserName|startswith: test_start
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium
@@ -0,0 +1,18 @@
+title: test
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+description: |
+    base64 encode modifier
+status: experimental
+date: 2021/12/4
+author: test
+logsource:
+    product: windows
+    service: security
+detection:
+    selection:
+        UserName|base64: base64_encoded
+        TargetUserName: test_start
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium
@@ -0,0 +1,22 @@
+title: test
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+description: |
+    re modifier test
+status: experimental
+date: 2021/12/4
+author: test
+logsource:
+    product: windows
+    service: security
+detection:
+    selection:
+        UserName|re: aaa
+        UserName2|re: .*bbbb$
+        UserName3|re: cccc\/dd/\//dd # see hayabusa.py generateMapItemTypedNode()
+        UserName4|re: cccc\"dd"\""dd # see hayabusa.py generateMapItemTypedNode()
+        UserName5|re: cccc{{3}0dddd # see hayabusa.py generateMapItemTypedNode()
+        UserName6|re: cccc{{3}0d{32}dd # see hayabusa.py generateMapItemTypedNode()
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium
@@ -0,0 +1,29 @@
+title: test
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+description: |
+    all of test
+status: experimental
+date: 2021/12/4
+author: test
+logsource:
+    product: windows
+    service: security
+detection:
+    selection1:
+        EventID: 
+            - 3
+            - 7
+            - a
+        UserName: abc
+    selection2:
+        process: nnn
+        parentprocess: 2
+    selection3:
+        uuu: zzzz
+        xxxx: 3
+    another:
+        ppp: iiii
+    condition: all of selection* or another
+falsepositives:
+    - Unknown
+level: medium
@@ -0,0 +1,28 @@
+title: test
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+description: |
+    1 of
+status: experimental
+date: 2021/12/4
+author: test
+logsource:
+    product: windows
+    service: security
+detection:
+    selection1:
+        EventID: 
+            - 3
+            - 7
+        UserName: abc
+    selection2:
+        process: nnn
+        parentprocess: sss
+    selection3:
+        uuu: zzzz
+        xxxx: yyyyy
+    another:
+        ppp: iiii
+    condition: 1 of selection* and another
+falsepositives:
+    - Unknown
+level: medium
@@ -0,0 +1,26 @@
+title: test
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+description: |
+    all of them
+status: experimental
+date: 2021/12/4
+author: test
+logsource:
+    product: windows
+    service: security
+detection:
+    selection1:
+        EventID: 
+            - 3
+            - 7
+        UserName: abc
+    selection2:
+        process: nnn
+        parentprocess: sss
+    selection3:
+        uuu: zzzz
+        xxxx: yyyyy
+    condition: all of them
+falsepositives:
+    - Unknown
+level: medium
@@ -0,0 +1,26 @@
+title: test
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+description: |
+    1 of them
+status: experimental
+date: 2021/12/4
+author: test
+logsource:
+    product: windows
+    service: security
+detection:
+    selection1:
+        EventID: 
+            - 3
+            - 7
+        UserName: abc
+    selection2:
+        process: nnn
+        parentprocess: sss
+    selection3:
+        uuu: zzzz
+        xxxx: yyyyy
+    condition: 1 of them
+falsepositives:
+    - Unknown
+level: medium
@@ -0,0 +1,18 @@
+title: test
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+description: |
+    timeflame 
+status: experimental
+date: 2021/12/4
+author: test
+logsource:
+    product: windows
+    service: security
+detection:
+    selection1:
+        EventID: 3
+    timeflame: 2d
+    condition: selection1
+falsepositives:
+    - Unknown
+level: medium
@@ -0,0 +1,24 @@
+title: test
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+description: |
+    condition and or
+status: experimental
+date: 2021/12/4
+author: test
+logsource:
+    product: windows
+    service: security
+detection:
+    selection1:
+        EventID: 3
+    selection2:
+        aaa: bbb
+    selection3:
+        ccc: ddd
+    selection4:
+        eee: fff
+    timeflame: 2d
+    condition: selection1 and selection2 and selection3 and selection4
+falsepositives:
+    - Unknown
+level: medium
@@ -0,0 +1,24 @@
+title: test
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+description: |
+    condition and
+status: experimental
+date: 2021/12/4
+author: test
+logsource:
+    product: windows
+    service: security
+detection:
+    selection1:
+        EventID: 3
+    selection2:
+        aaa: bbb
+    selection3:
+        ccc: ddd
+    selection4:
+        eee: fff
+    timeflame: 2d
+    condition: selection1 and selection2 and selection3 and selection4
+falsepositives:
+    - Unknown
+level: medium
@@ -0,0 +1,24 @@
+title: test
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+description: |
+    condition or
+status: experimental
+date: 2021/12/4
+author: test
+logsource:
+    product: windows
+    service: security
+detection:
+    selection1:
+        EventID: 3
+    selection2:
+        aaa: bbb
+    selection3:
+        ccc: ddd
+    selection4:
+        eee: fff
+    timeflame: 2d
+    condition: selection1 or selection2 or selection3 or selection4
+falsepositives:
+    - Unknown
+level: medium
@@ -0,0 +1,25 @@
+title: test
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+description: |
+    () 
+status: experimental
+date: 2021/12/4
+author: test
+logsource:
+    product: windows
+    service: security
+detection:
+    selection1:
+        EventID: 3
+    selection2:
+        aaa: bbb
+    selection3:
+        ccc: ddd
+    selection4:
+        eee: fff
+    selection5:
+        ggg: hhh
+    condition: selection1 and ( selection2 or (selection3 and selection4) ) or selection5
+falsepositives:
+    - Unknown
+level: medium
@@ -0,0 +1,17 @@
+title: test
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+description: |
+    condition not
+status: experimental
+date: 2021/12/4
+author: test
+logsource:
+    product: windows
+    service: security
+detection:
+    selection1:
+        EventID: 3
+    condition: not selection1
+falsepositives:
+    - Unknown
+level: medium
@@ -0,0 +1,25 @@
+title: test
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+description: |
+    condition not ()
+status: experimental
+date: 2021/12/4
+author: test
+logsource:
+    product: windows
+    service: security
+detection:
+    selection1:
+        EventID: 3
+    selection2:
+        aaa: bbb
+    selection3:
+        ccc: ddd
+    selection4:
+        eee: fff
+    selection5:
+        ggg: hhh
+    condition: not selection1 and not( selection2 and not (selection3 or selection4)) and selection5
+falsepositives:
+    - Unknown
+level: medium
@@ -0,0 +1,19 @@
+title: test
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+description: |
+    condition count
+status: experimental
+date: 2021/12/4
+author: test
+logsource:
+    product: windows
+    service: security
+detection:
+    selection1:
+        EventID: 3
+    selection2:
+        aaa: bbb
+    condition: selection1 and not selection2 | count() < 3
+falsepositives:
+    - Unknown
+level: medium
@@ -0,0 +1,19 @@
+title: test
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+description: |
+    condition count
+status: experimental
+date: 2021/12/4
+author: test
+logsource:
+    product: windows
+    service: security
+detection:
+    selection1:
+        EventID: 3
+    selection2:
+        aaa: bbb
+    condition: selection1 and not selection2 | count(TEAMNAME) by HOGE < 3
+falsepositives:
+    - Unknown
+level: medium