feat: add incompatible modifier check

Yamato-Security · Dec 19, 2023 · 4564490 · 4564490
1 parent ca311d1
commit 4564490
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 2 deletions.
diff --git a/tools/sigmac/logsource_mapping.py b/tools/sigmac/logsource_mapping.py
@@ -160,7 +160,7 @@ def is_detectable(self, obj: dict) -> bool:
         """
         process_creation/registry_xxルールののSysmon/Securityイベント用変換後フィールドの妥当性チェック
         """
-        if self.category != "process_creation" and self.category != "registry_set" and self.category != "registry_add" and self.category != "registry_event" and self.category == "registry_delete" :
+        if self.category != "process_creation" and self.category != "registry_set" and self.category != "registry_add" and self.category != "registry_event" and self.category != "registry_delete" :
             return True
         for key in obj.keys():
             if key in ["condition", "process_creation", "timeframe", "registry_set", "registry_add", "registry_event", "registry_delete"]:
@@ -264,6 +264,11 @@ def convert(self):
         logsourceのcategory/serviceをlogsource_mapに基づき変換し、変換後の内容でdetectionブロックを更新する
         """
         obj = create_obj(base_dir=None, file_name=self.sigma_path)
+        keys = get_terminal_keys_recursive(obj["detection"], [])
+        modifiers = {re.sub(r".*\|", "", k) for k in keys if "|" in k}
+        if modifiers and [m for m in modifiers if m not in ["all", "base64", "base64offset", "cidr", "contains", "endswith", "endswithfield", "equalsfield", "re", "startswith"]]:
+            LOGGER.error(f"This rule has incompatible field.{obj['detection']}. skip conversion.")
+            return
         logsources = self.get_logsources(obj)
         if not logsources:
             new_obj = copy.deepcopy(obj)

diff --git a/tools/sigmac/test_logsource_mapping.py b/tools/sigmac/test_logsource_mapping.py
@@ -120,4 +120,4 @@ def test_logsource_validate_security_12(self):
         self.assertTrue(ls.is_detectable({"selection": {"Image": "a.exe" }}))
         self.assertTrue(ls.is_detectable({"selection": {"Details": "foo" }}))
         self.assertTrue(ls.is_detectable({"selection": {"EventType": "CreateKey" }}))
-        self.assertTrue(ls.is_detectable({"selection": {'TargetObject|endswith': 'software'}, 'condition': 'selection'}))
+        self.assertTrue(ls.is_detectable({"selection": {'TargetObject|endswith': 'software'}, 'condition': 'selection'}))