diff --git a/tools/sigmac/README-English.md b/tools/sigmac/README-English.md new file mode 100644 index 00000000..4223f319 --- /dev/null +++ b/tools/sigmac/README-English.md @@ -0,0 +1,50 @@ +# Automatic conversion of Sigma to Hayabusa rules +[![python](https://img.shields.io/badge/python-3.8-blue)](https://www.python.org/) +![version](https://img.shields.io/badge/Platform-Win-green) +![version](https://img.shields.io/badge/Platform-Lin-green) +![version](https://img.shields.io/badge/Platform-Mac-green) + +You can use `hayabusa.py`, a `sigmac` backend, to automatically convert Sigma rules to Hayabusa rules. + +## About Sigma + +[https://github.com/SigmaHQ/sigma](https://github.com/SigmaHQ/sigma) + +## Settings + +hayabusa.py needs `sigmac` from the Sigma repository. +Before using hayabusa.py, please clone the Sigma repository. + +```sh +git clone https://github.com/SigmaHQ/sigma.git +``` + +## Usage + +Create an environmental variable `$sigma_path` that points to the Sigma repository and register haybausa as a backend for Sigma: + +```sh +export sigma_path=/path/to/sigma_repository +cp hayabusa.py $sigma_path/tools/sigma/backends +``` + +### Converting a single rule + +You can convert a single rule with the following syntax: + +```sh +python3 $sigma_path/tools/sigmac --config --target hayabusa +``` + +Example: +```sh +python3 $sigma_path/tools/sigmac $sigma_path/rules/windows/create_remote_thread/sysmon_cactustorch.yml --config $sigma_path/tools/config/generic/sysmon.yml --target hayabusa > sysmon_cactustorch.yml +``` + +### Converting multiple rules + +This example will convert all Sigma rules for Windows event logs to hayabusa rules and save them to the current directory. + +```sh +find $sigma_path/rules/windows/* | grep yml | xargs -I{} sh -c 'python $sigma_path/tools/sigmac {} --config $sigma_path/tools/config/generic/sysmon.yml --target hayabusa > "$(basename {})"' +``` 
diff --git a/tools/sigmac/README-Japanese.md b/tools/sigmac/README-Japanese.md new file mode 100644 index 00000000..e47e5d86 --- /dev/null +++ b/tools/sigmac/README-Japanese.md @@ -0,0 +1,51 @@ +# SIGMAからHayabusaルールへの自動変換 +[![python](https://img.shields.io/badge/python-3.8-blue)](https://www.python.org/) +![version](https://img.shields.io/badge/Platform-Win-green) +![version](https://img.shields.io/badge/Platform-Lin-green) +![version](https://img.shields.io/badge/Platform-Mac-green) + +`hayabusa.py` はSigmaルールをHayabusaルールに変換する`sigmac`のバックエンドです。 +Sigmaの持つ多くの検知ルールをHayabusaのルールセットに追加することでルールを作成する手間を省くことができます。 + +## Sigmaについて + +[https://github.com/SigmaHQ/sigma](https://github.com/SigmaHQ/sigma) + +## 環境設定 + +hayabusa.pyはSigmaリポジトリの中にある`sigmac`を使います。 +事前に任意のディレクトリにSigmaリポジトリをcloneしてください。 + +```sh +git clone https://github.com/SigmaHQ/sigma.git +``` + +## 使い方 + +Sigmaレポジトリのパスが書いてある`$sigma_path`という環境変数を設定して、hayabusaをSigmaのbackendとして登録します: + +```sh +export sigma_path=/path/to/sigma_repository +cp hayabusa.py $sigma_path/tools/sigma/backends +``` + +### 単体のルールを変換 + +以下のシンタクスで単体のルールを変換できます: + +```sh +python3 $sigma_path/tools/sigmac <変換対象ruleの指定> --config --target hayabusa +``` + +例: +```sh +python3 $sigma_path/tools/sigmac $sigma_path/rules/windows/create_remote_thread/sysmon_cactustorch.yml --config $sigma_path/tools/config/generic/sysmon.yml --target hayabusa > sysmon_cactustorch.yml +``` + +### 複数のルールを変換 + +以下のように、SigmaのすべてのWindowsイベントログルールをhayabusaルールに変換して、カレントディレクトリに保存します: + +```sh +find $sigma_path/rules/windows/* | grep yml | xargs -I{} sh -c 'python $sigma_path/tools/sigmac {} --config $sigma_path/tools/config/generic/sysmon.yml --target hayabusa > "$(basename {})"' +``` diff --git a/tools/sigmac/README-en.md b/tools/sigmac/README-en.md deleted file mode 100644 index 15e28c20..00000000 --- a/tools/sigmac/README-en.md +++ /dev/null 
@@ -1,50 +0,0 @@ -# hayabusaGenerator -[![python](https://img.shields.io/badge/python-3.8-blue)](https://www.python.org/) -![version](https://img.shields.io/badge/Platform-Win-green) -![version](https://img.shields.io/badge/Platform-Lin-green) -![version](https://img.shields.io/badge/Platform-Mac-green) - -[Japanese](./README.md) - -`hayabusaGenerater.py` allows to convert SIGMA rules to Hayabusa ruleset. - -## sigma - -[https://github.com/SigmaHQ/sigma](https://github.com/SigmaHQ/sigma) - -## Settings - -hayabusaGenerator needs `sigmac` from the SIGMA repository. -Before using hayabusaGenerator, clone the repository. - -```sh -git clone https://github.com/SigmaHQ/sigma.git -``` - -## Quickstart - -Regist haybausa for SIGMA's backend. - -```sh -export sigma_path=/path/to/sigma_repository -cp hayabusaGenerater.py $sigma_path/tools/sigma/backends -``` - -### Convert Single Rule - -```sh -python3 $sigma_path/tools/sigmac --config --target hayabusa -``` - -Sample -```sh -python3 $sigma_path/tools/sigmac $sigma/rules/windows/create_remote_thread/sysmon_cactustorch.yml --config $sigma_path/tools/config/generic/sysmon.yml --target hayabusa > sysmon_cactustorch.yml -``` - -### Convert Multiple Rules - -This is a command sample that creates a rule file from the specified directory in the current directory. - -```sh -find $sigma/rules/windows/* | grep yml | xargs -I{} sh -c 'python $sigma/tools/sigmac {} --config $sigma/tools/config/generic/sysmon.yml --target hayabusa > "$(basename {})"' -``` diff --git a/tools/sigmac/README-hayabusa-sigma-backend.md b/tools/sigmac/README-hayabusa-sigma-backend.md new file mode 100644 index 00000000..c6d5afc0 --- /dev/null +++ b/tools/sigmac/README-hayabusa-sigma-backend.md @@ -0,0 +1,5 @@ +Readme for the hayabusa backend for `sigmac`: + +[English](README-English.md) + +[Japanese](README-Japanese.md) \ No newline at end of file diff --git a/tools/sigmac/README.md b/tools/sigmac/README.md deleted file mode 100644 index a777b409..00000000 
--- a/tools/sigmac/README.md +++ /dev/null @@ -1,51 +0,0 @@ -# hayabusaGenerator -[![python](https://img.shields.io/badge/python-3.8-blue)](https://www.python.org/) -![version](https://img.shields.io/badge/Platform-Win-green) -![version](https://img.shields.io/badge/Platform-Lin-green) -![version](https://img.shields.io/badge/Platform-Mac-green) - -[English](./README-en.md) - -`hayabusaGenerator.py` はSIGMAルールをHayabusaに対応したルールセットに変更することができます。 -SIGMAの持つ多くの検知ルールをHayabusaのルールセットに追加することでルールを作成する手間を省くことができます。 - -## sigma - -[https://github.com/SigmaHQ/sigma](https://github.com/SigmaHQ/sigma) - -## 環境設定 - -hayabusaGeneratorはSIGMAリポジトリの中にある`sigmac`を使います。 -事前に任意のディレクトリにSIGMAリポジトリをcloneしてください。 - -```sh -git clone https://github.com/SigmaHQ/sigma.git -``` - -## 使い方 - -hayabusaGenerator.pyをSIGMAのbackendとして登録します。 - -```sh -export sigma_path=/path/to/sigma_repository -cp hayabusaGenerater.py $sigma_path/tools/sigma/backends -``` - -### 単体のルールを変換 - -```sh -python3 $sigma_path/tools/sigmac <変換対象ruleの指定> --config --target hayabusa -``` - -サンプル -```sh -python3 $sigma_path/tools/sigmac $sigma/rules/windows/create_remote_thread/sysmon_cactustorch.yml --config $sigma_path/tools/config/generic/sysmon.yml --target hayabusa > sysmon_cactustorch.yml -``` - -### 複数のルールを変換 - -現在のディレクトリ内に指定したディレクトリ内のルールファイルを作成するコマンドサンプルです。 - -```sh -find $sigma/rules/windows/* | grep yml | xargs -I{} sh -c 'python $sigma/tools/sigmac {} --config $sigma/tools/config/generic/sysmon.yml --target hayabusa > "$(basename {})"' -``` diff --git a/tools/sigmac/hayabusaGenerater.py b/tools/sigmac/hayabusa.py similarity index 100% rename from tools/sigmac/hayabusaGenerater.py rename to tools/sigmac/hayabusa.py
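Review bot: in the new README-English.md the single-rule template `python3 $sigma_path/tools/sigmac --config --target hayabusa` has lost both positional placeholders, so it reads as though `--config` takes no argument and the rule path is optional; suggest `python3 $sigma_path/tools/sigmac <rule.yml> --config <config.yml> --target hayabusa`, and add the missing `<config.yml>` placeholder to the Japanese template as well, which currently only marks the rule path. Same file: "environmental variable" should be "environment variable", "register haybausa as a backend" still carries the "haybausa" typo from the deleted README-en.md, and the multiple-rules command calls `python` while every other command on the page uses `python3`. The install step `cp hayabusa.py $sigma_path/tools/sigma/backends` only works from inside tools/sigmac; either say so or write the path out as `cp tools/sigmac/hayabusa.py ...`.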
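Review bot: the bulk-conversion pipeline carried into both new READMEs, `find $sigma_path/rules/windows/* | grep yml | xargs -I{} sh -c '... {} ... > "$(basename {})"'`, splices each file path into the `sh -c` program text via `-I{}`, so a rule path containing a quote, space or `$` is parsed by the shell instead of being passed as an argument; `grep yml` also matches any path that merely contains the substring rather than files with the `.yml` extension, and rules with the same basename in different subdirectories silently overwrite each other in the current directory. Suggest passing the path positionally and matching on the extension, e.g. `find "$sigma_path/rules/windows" -name '*.yml' -exec sh -c 'python3 "$sigma_path/tools/sigmac" "$1" --config "$sigma_path/tools/config/generic/sysmon.yml" --target hayabusa > "$(basename "$1")"' _ {} \;` (the `export` earlier in the page makes `$sigma_path` visible to the child shell), and mention the basename-collision caveat, or write into a mirrored subdirectory instead.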
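Review bot: deleting tools/sigmac/README.md and adding the two-link index as README-hayabusa-sigma-backend.md removes the file GitHub renders when the directory is browsed, so the directory loses its landing page, and any link elsewhere in the repository to tools/sigmac/README.md or tools/sigmac/README-en.md now dangles; suggest keeping the index content in README.md (it can point at README-English.md and README-Japanese.md exactly as the new file does). The new file also ends with `\ No newline at end of file`; add the trailing newline.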
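Review bot: the final hunk renames hayabusaGenerater.py to hayabusa.py with no content change (similarity index 100%), but the only references to the old name that this patch removes are the `cp hayabusaGenerater.py ...` lines in the two deleted READMEs; grep the rest of the repository (top-level READMEs, CI scripts, docs) for `hayabusaGenerater` and `hayabusaGenerator` and update them in the same change, otherwise the documented install step and the shipped filename disagree.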