From 1c72f9a1def49809c3a7492bab7cb3211659d5b6 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Sun, 11 Aug 2024 17:17:26 +0200 Subject: [PATCH 1/3] add regex test --- sigma/validators/sigmahq/config.py | 1 + sigma/validators/sigmahq/detection.py | 49 +++++++++++++++++++--- tests/test_detection.py | 58 ++++++++++++++++++++++----- 3 files changed, 94 insertions(+), 14 deletions(-) diff --git a/sigma/validators/sigmahq/config.py b/sigma/validators/sigmahq/config.py index a6f0316..cad61ce 100644 --- a/sigma/validators/sigmahq/config.py +++ b/sigma/validators/sigmahq/config.py @@ -1603,6 +1603,7 @@ class ConfigHQ: "legitimeate", "legitimat", ] + sigmahq_unsupported_regex_group_constructs = ["(?=", "(?!", "(?<=", "(?"] sigmahq_link_in_description = ["http://", "https://"] sigmahq_logsource_cast: Dict[SigmaLogSource, List[str]] = {} sigmahq_logsource_unicast: Dict[SigmaLogSource, List[str]] = {} diff --git a/sigma/validators/sigmahq/detection.py b/sigma/validators/sigmahq/detection.py index d8580b9..2fa6875 100644 --- a/sigma/validators/sigmahq/detection.py +++ b/sigma/validators/sigmahq/detection.py @@ -1,7 +1,11 @@ from dataclasses import dataclass -from typing import ClassVar, List +from typing import ClassVar, List, Set + +from sigma.rule import ( + SigmaRule, + SigmaDetectionItem, +) -from sigma.rule import SigmaRule from sigma.validators.base import ( SigmaValidationIssue, SigmaRuleValidator, @@ -9,6 +13,9 @@ SigmaDetectionItemValidator, SigmaDetectionItem, ) + +from sigma.modifiers import SigmaRegularExpressionModifier + from .config import ConfigHQ config = ConfigHQ() @@ -46,7 +53,7 @@ def validate_detection_item( @dataclass -class SigmahqCategoriProvidernameIssue(SigmaValidationIssue): +class SigmahqCategoryWindowsProviderNameIssue(SigmaValidationIssue): description: ClassVar[str] = ( "Rule uses a windows logsource category that doesn't require the use of the Provider_Name field" ) 
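Review bot: The last entry `"(?"` in `sigmahq_unsupported_regex_group_constructs` is a substring of the three entries before it, so `(?=`, `(?!` and `(?<=` can never add a match on their own, and the catch-all also hits constructs the new issue text does not call unsupported — non-capturing groups `(?:...)`, inline flags `(?i)` and named groups `(?P<...>)`. If the intent is exactly what the validator's description says (lookahead, lookbehind, atomic groups), list those explicitly, `["(?=", "(?!", "(?<=", "(?<!", "(?>"]`; if every `(?` construct is meant to be rejected, drop the three redundant prefixes and say so in the issue description. Either way a comment on the list such as `# matched as plain substrings of the regexp, so no entry should be a prefix of another` would make the contract clear to whoever edits it next.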
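Review bot: `SigmaDetectionItem` is now imported twice in detection.py — once by the new `from sigma.rule import (SigmaRule, SigmaDetectionItem,)` block and once by the existing `from sigma.validators.base import (...)` block, whose `SigmaDetectionItem,` line survives as context in the following hunk. Presumably both resolve to the same class, so nothing breaks, but one import should go; dropping it from the new `sigma.rule` import keeps this change to the single line it needs, `from sigma.rule import SigmaRule`.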
@@ -55,7 +62,7 @@ class SigmahqCategoriProvidernameIssue(SigmaValidationIssue): ) -class SigmahqCategoriProvidernameValidator(SigmaDetectionItemValidator): +class SigmahqCategoryWindowsProviderNameValidator(SigmaDetectionItemValidator): """Checks if a rule uses a Provider_Name field with a windows category logsource that doesn't require it.""" def validate(self, rule: SigmaRule) -> List[SigmaValidationIssue]: @@ -78,6 +85,38 @@ def validate_detection_item( self.rule.logsource.category ] ): - return [SigmahqCategoriProvidernameIssue(self.rule)] + return [SigmahqCategoryWindowsProviderNameIssue(self.rule)] return [] + + +@dataclass +class SigmahqUnsupportedRegexGroupConstructIssue(SigmaValidationIssue): + description: ClassVar[str] = ( + "Rule uses an unsupported regular expression group construct. Construct such as positive and negative lookahead, positive and negative lookbehind as well as atomic groups are currently unsupported." + ) + severity: ClassVar[SigmaValidationIssueSeverity] = SigmaValidationIssueSeverity.HIGH + unsupported_regexp: str + + +class SigmahqUnsupportedRegexValidator(SigmaDetectionItemValidator): + """Checks if a rule uses a an unsupported regular expression group constructs.""" + + def validate_detection_item( + self, detection_item: SigmaDetectionItem + ) -> List[SigmaValidationIssue]: + + unsupported_regexps: Set[str] = set() + + if SigmaRegularExpressionModifier in detection_item.modifiers: + for value in detection_item.value: + for ( + unsupported_group_construct + ) in ConfigHQ.sigmahq_unsupported_regex_group_constructs: + if unsupported_group_construct in value.regexp: + unsupported_regexps.add(value.regexp) + + return [ + SigmahqUnsupportedRegexGroupConstructIssue([self.rule], regexp) + for regexp in unsupported_regexps + ] diff --git a/tests/test_detection.py b/tests/test_detection.py index baabd6b..893631c 100644 --- a/tests/test_detection.py +++ b/tests/test_detection.py 
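Review bot: `unsupported_regexps` is a `set`, so when a detection item carries more than one flagged regexp the order of the returned issues depends on per-process string hash randomisation, making the validator's output (and any test that asserts on it) non-deterministic. Collect into an insertion-ordered container instead, e.g. `unsupported_regexps: List[str] = []` and `if value.regexp not in unsupported_regexps and any(c in value.regexp for c in ConfigHQ.sigmahq_unsupported_regex_group_constructs): unsupported_regexps.append(value.regexp)`, which also folds away the inner `for` (`List` is already imported). The plain substring test also fires on an escaped parenthesis followed by a quantifier, `\(?`, which is literal text rather than a group; `re.search(r"(?<!\\)\(\?", value.regexp)` narrows that (it is still fooled by `\\(?`), so if the substring scan stays, a comment such as `# substring match: approximate, flags a literal "\(?" as well` belongs above it. The class docstring "Checks if a rule uses a an unsupported regular expression group constructs." has a stray article and a number mismatch, and the issue description's "Construct such as" should read "Constructs such as".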
@@ -6,12 +6,14 @@ from sigma.validators.sigmahq.detection import ( SigmahqCategoryEventIdIssue, SigmahqCategoryEventIdValidator, - SigmahqCategoriProvidernameIssue, - SigmahqCategoriProvidernameValidator, + SigmahqCategoryWindowsProviderNameIssue, + SigmahqCategoryWindowsProviderNameValidator, + SigmahqUnsupportedRegexGroupConstructIssue, + SigmahqUnsupportedRegexGroupConstructValidator, ) -def test_validator_SigmahqCategorieEventid(): +def test_validator_SigmahqCategoryEventId(): validator = SigmahqCategoryEventIdValidator() rule = SigmaRule.from_yaml( """ @@ -30,7 +32,7 @@ def test_validator_SigmahqCategorieEventid(): assert validator.validate(rule) == [SigmahqCategoryEventIdIssue(rule)] -def test_validator_SigmahqCategorieEventid_valid(): +def test_validator_SigmahqCategoryEventId_valid(): validator = SigmahqCategoryEventIdValidator() rule = SigmaRule.from_yaml( """ @@ -48,8 +50,8 @@ def test_validator_SigmahqCategorieEventid_valid(): assert validator.validate(rule) == [] -def test_validator_SigmahqCategoriProvidername(): - validator = SigmahqCategoriProvidernameValidator() +def test_validator_SigmahqCategoryWindowsProviderName(): + validator = SigmahqCategoryWindowsProviderNameValidator() rule = SigmaRule.from_yaml( """ title: A Space Field Name @@ -64,11 +66,11 @@ def test_validator_SigmahqCategoriProvidername(): condition: sel """ ) - assert validator.validate(rule) == [SigmahqCategoriProvidernameIssue(rule)] + assert validator.validate(rule) == [SigmahqCategoryWindowsProviderNameIssue(rule)] -def test_validator_SigmahqCategoriProvidername_valid(): - validator = SigmahqCategoriProvidernameValidator() +def test_validator_SigmahqCategoryWindowsProviderName_valid(): + validator = SigmahqCategoryWindowsProviderNameValidator() rule = SigmaRule.from_yaml( """ title: A Space Field Name 
@@ -83,3 +85,41 @@ def test_validator_SigmahqCategoriProvidername_valid(): """ ) assert validator.validate(rule) == [] + + +def test_validator_SigmahqUnsupportedRegexGroupConstruct(): + validator = SigmahqUnsupportedRegexGroupConstructValidator() + rule = SigmaRule.from_yaml( + """ + title: A Space Field Name + status: test + logsource: + product: windows + category: process_creation + detection: + sel: + field|re: 'A(?=B)' + condition: sel + """ + ) + assert validator.validate(rule) == [ + SigmahqUnsupportedRegexGroupConstructIssue([rule], "A(?=B)") + ] + + +def test_validator_SigmahqUnsupportedRegexGroupConstruct_valid(): + validator = SigmahqUnsupportedRegexGroupConstructValidator() + rule = SigmaRule.from_yaml( + """ + title: A Space Field Name + status: test + logsource: + product: windows + category: process_creation + detection: + sel: + field|re: 'a\w+b' + condition: sel + """ + ) + assert validator.validate(rule) == [] From c6033cdfcdda7650319c6d8c4de8f4865c7c54e7 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Sun, 11 Aug 2024 17:21:08 +0200 Subject: [PATCH 2/3] Update test_detection.py --- tests/test_detection.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/test_detection.py b/tests/test_detection.py index 893631c..04b859f 100644 --- a/tests/test_detection.py +++ b/tests/test_detection.py @@ -118,7 +118,7 @@ def test_validator_SigmahqUnsupportedRegexGroupConstruct_valid(): category: process_creation detection: sel: - field|re: 'a\w+b' + field|re: "a\w+b" condition: sel """ ) From 32c8a950ff09822b9e9e78c0aceb80c510393493 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Sun, 11 Aug 2024 17:23:34 +0200 Subject: [PATCH 3/3] update name --- sigma/validators/sigmahq/detection.py | 2 +- tests/test_detection.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
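Review bot: `field|re: 'a\w+b'` in `test_validator_SigmahqUnsupportedRegexGroupConstruct_valid` sits inside a non-raw `"""..."""` Python literal, so `\w` is an invalid escape sequence — a DeprecationWarning today and a SyntaxWarning from Python 3.12 — and the two follow-up commits that swap the YAML quote style do not change that, because Python consumes the escape before YAML ever sees the text. Make the outer literal raw for that test, `rule = SigmaRule.from_yaml(r"""`; the other tests contain no backslashes and are fine as they are. The new tests also exercise only `(?=` and a construct-free regexp; since the config list ends with the catch-all `"(?"`, a case with `(?:...)` or `(?i)` would pin down whether those are meant to be flagged, and a detection item with two flagged regexps would cover the multi-issue path that a plain list/set difference in the validator would otherwise hide.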
diff --git a/sigma/validators/sigmahq/detection.py b/sigma/validators/sigmahq/detection.py index 2fa6875..e941f7b 100644 --- a/sigma/validators/sigmahq/detection.py +++ b/sigma/validators/sigmahq/detection.py @@ -99,7 +99,7 @@ class SigmahqUnsupportedRegexGroupConstructIssue(SigmaValidationIssue): unsupported_regexp: str -class SigmahqUnsupportedRegexValidator(SigmaDetectionItemValidator): +class SigmahqUnsupportedRegexGroupConstructValidator(SigmaDetectionItemValidator): """Checks if a rule uses a an unsupported regular expression group constructs.""" def validate_detection_item( diff --git a/tests/test_detection.py b/tests/test_detection.py index 04b859f..893631c 100644 --- a/tests/test_detection.py +++ b/tests/test_detection.py @@ -118,7 +118,7 @@ def test_validator_SigmahqUnsupportedRegexGroupConstruct_valid(): category: process_creation detection: sel: - field|re: "a\w+b" + field|re: 'a\w+b' condition: sel """ )