Merge pull request #1 from Neo23x0/master

Update
SherifEldeeb · Jan 27, 2018 · 21bc163 · 21bc163
2 parents 0f2e1c5 + e76ef7d
commit 21bc163
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 1 deletion.
diff --git a/Makefile b/Makefile
@@ -16,6 +16,7 @@ test-yaml:
 test-sigmac:
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -l
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-qs rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -O rulecomment -rvdI -t es-qs rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t kibana rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t xpack-watcher rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk rules/ > /dev/null

diff --git a/tools/sigma/backends.py b/tools/sigma/backends.py
@@ -95,7 +95,9 @@ def __init__(self, sigmaconfig, backend_options=None, filename=None):
     def generate(self, sigmaparser):
         """Method is called for each sigma rule and receives the parsed rule (SigmaParser)"""
         for parsed in sigmaparser.condparsed:
+            self.output.print(self.generateBefore(parsed), end="")
             self.output.print(self.generateQuery(parsed))
+            self.output.print(self.generateAfter(parsed), end="")
 
     def generateQuery(self, parsed):
         result = self.generateNode(parsed.parsedSearch)
@@ -155,6 +157,12 @@ def generateNotNULLValueNode(self, node):
     def generateAggregation(self, agg):
         raise NotImplementedError("Aggregations not implemented for this backend")
 
+    def generateBefore(self, parsed):
+        return ""
+
+    def generateAfter(self, parsed):
+        return ""
+
     def finalize(self):
         """
         Is called after the last file was processed with generate(). The right place if this backend is not intended to
@@ -178,7 +186,18 @@ def cleanValue(self, val):
             val = self.reClear.sub("", val)
         return val
 
-class SingleTextQueryBackend(BaseBackend, QuoteCharMixin):
+class RulenameCommentMixin:
+    """Prefixes each rule with the rule title."""
+    prefix = "# "
+
+    def generateBefore(self, parsed):
+        if "rulecomment" in self.options:
+            try:
+                return "\n%s%s\n" % (self.prefix, parsed.sigmaParser.parsedyaml['title'])
+            except KeyError:
+                return ""
+
+class SingleTextQueryBackend(RulenameCommentMixin, BaseBackend, QuoteCharMixin):
     """Base class for backends that generate one text-based expression from a Sigma rule"""
     identifier = "base-textquery"
     active = False