Comments (6)
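Building the loader to cover the following SIGMA rule items will allow many SIGMA rules to be reused. This issue tracks the functionality for loading the parts common to each rule.
- contains: related to #78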
- endswith
- startswith
- and
- or
- not
- count
from hayabusa.
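Verification complete. Confirmed that the current loading process in yaml.rs works without problems.
The structure differs from the existing yaml rules and the output cannot be emitted, so this needs to be checked.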
from hayabusa.
Sharing the result of loading the following SIGMA rule with yaml.rs.
- Loaded yaml file: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_delete/sysmon_sysinternals_sdelete_file_deletion.yml
- Result of loading with yaml.rs:
[Hash({String("title"): String("Sysinternals SDelete File Deletion"), String("id"): String("6ddab845-b1b8-49c2-bbf7-1a11967f64bc"), String("description"): String("A General detection to trigger for the deletion of files by Sysinternals SDelete. It looks for the common name pattern used to rename files."), String("status"): String("experimental"), String("date"): String("2020/05/02"), String("author"): String("Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)"), String("tags"): Array([String("attack.defense_evasion"), String("attack.t1070.004")]), String("references"): Array([String("https://github.com/OTRF/detection-hackathon-apt29/issues/9"), String("https://threathunterplaybook.com/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.html")]), String("logsource"): Hash({String("product"): String("windows"), String("category"): String("file_delete")}), String("detection"): Hash({String("selection"): Hash({String("TargetFilename|endswith"): Array([String(".AAA"), String(".ZZZ")])}), String("condition"): String("selection")}), String("falsepositives"): Array([String("Legitime usage of SDelete")]), String("level"): String("medium")})]
from hayabusa.
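In the dump above, the detection key arrives as the single string `TargetFilename|endswith` with an array of values, so the modifier has to be split off the key before matching. The following is an added example, not part of the thread and not hayabusa's code: a std-only Rust sketch of that split for the string modifiers listed in this issue, with list values OR-ed and compared case-insensitively as in Sigma. The names `Modifier`, `parse_key` and `entry_matches` and the sample event are assumptions made for illustration.

```rust
use std::collections::HashMap;

/// String modifiers named in this issue (hypothetical enum, not hayabusa's types).
#[derive(Debug, PartialEq)]
enum Modifier { Equals, Contains, StartsWith, EndsWith }

/// Split a detection key such as "TargetFilename|endswith" into field and modifier.
fn parse_key(key: &str) -> Result<(&str, Modifier), String> {
    let mut parts = key.split('|');
    let field = parts.next().unwrap_or("");
    let modifier = match parts.next() {
        None => Modifier::Equals,
        Some("contains") => Modifier::Contains,
        Some("startswith") => Modifier::StartsWith,
        Some("endswith") => Modifier::EndsWith,
        // Reject unknown modifiers instead of silently falling back to equality.
        Some(other) => return Err(format!("unsupported modifier: {}", other)),
    };
    if parts.next().is_some() {
        return Err(format!("chained modifiers not handled here: {}", key));
    }
    Ok((field, modifier))
}

/// Evaluate one selection entry against an event; any value in the list may match.
fn entry_matches(key: &str, values: &[&str], event: &HashMap<&str, &str>) -> Result<bool, String> {
    let (field, modifier) = parse_key(key)?;
    let actual = match event.get(field) {
        Some(v) => v.to_lowercase(),
        None => return Ok(false), // field absent from the event: no match
    };
    Ok(values.iter().any(|v| {
        let v = v.to_lowercase();
        match modifier {
            Modifier::Equals => actual == v,
            Modifier::Contains => actual.contains(&v),
            Modifier::StartsWith => actual.starts_with(&v),
            Modifier::EndsWith => actual.ends_with(&v),
        }
    }))
}

fn main() {
    // Constructed sample event; key and values are taken from the rule quoted above.
    let mut event = HashMap::new();
    event.insert("TargetFilename", "C:\\Users\\test\\secret.docx.AAA");
    println!("{:?}", entry_matches("TargetFilename|endswith", &[".AAA", ".ZZZ"], &event));
}
```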
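SIGMA rules have no output. It was agreed that when there is no output, the title is displayed.
They would like the title and level to be displayed; this needs consideration, including the differences from the current Yea output?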
from hayabusa.
- @hitenkoku will handle count
- @itiB plans to handle contains, startswith, endswith after #78 is addressed
- @ichiichi11 plans to handle and, or, not
from hayabusa.
Loading of condition has already been handled in #117, so this issue will be closed.
Everything except hitenkoku's count processing is already complete.
from hayabusa.