Support for reading rules from standard input #21

Closed
ali-saad-jaffer opened this issue Apr 21, 2023 · 7 comments
Labels
enhancement New feature or request

@ali-saad-jaffer
Hi,

Are there any plans to add support for reading rules from standard input?

I have a wrapper built in nodejs that is currently using sigmac for rule conversion.

@signus
signus commented Apr 25, 2023

I'm unsure of the roadmap of the project, but this can be a potential enhancement.

I would assume this would be for both the check and convert commands? It would be useful to provide examples of expected function when submitting an issue. A wrapper in NodeJS provides an example of how people are currently utilizing sigmac, but not how stdin is currently being used.

Checking the current functionality with some debug print statements:

`check` stdin can be passed, but is not processed by the `click()` option.

```
(sigma-cli-py3.11) ❯❯❯❯ cat rules/windows/process_creation/certutil_susp_download.yml | sigma check
DEBUG: input: ()
Parsing Sigma rules  [####################################]  100%
Checking Sigma rules  [####################################]  100%

=== Summary ===
Found 0 errors, 0 condition errors and 0 issues.
No rule errors found.
No condition errors found.
No validation issues found.
```

`convert` does not process with a stdin path piped to it.

@thomaspatzke
Member

Hi!

> Are there any plans to add support for reading rules from standard input?

At least it's not on my todo list, but feel free to implement 😉

Click by itself supports this behavior, but I've chosen a different path because usually a directory is given to the CLI with the intention to convert its whole content. The `load_rules()` function implements the file path handling.

@thomaspatzke thomaspatzke added the enhancement New feature or request label Apr 26, 2023
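
An added example, not part of the thread and not sigma-cli's own code: a standard-library Python sketch of an input loader that accepts directories, single files, or `-` for standard input, and that refuses to succeed when nothing was loaded (the case in the debug output above, where `input: ()` still produced a clean summary). The function names, the `-` marker and the `*.yml` pattern are assumptions made for illustration.

```python
import sys
from pathlib import Path

STDIN_MARKER = "-"  # assumption: conventional placeholder for standard input


def iter_rule_sources(inputs, stdin=None, pattern="*.yml"):
    """Yield (source_name, rule_text) pairs.

    "-" reads one rule from stdin, a directory is searched recursively
    for `pattern`, anything else must be a single rule file.
    """
    stdin = sys.stdin if stdin is None else stdin
    stdin_used = False
    for item in inputs:
        if item == STDIN_MARKER:
            if stdin_used:
                raise ValueError("standard input can only be read once")
            stdin_used = True
            text = stdin.read()
            if not text.strip():
                raise ValueError("no rule received on standard input")
            yield "<stdin>", text
            continue
        path = Path(item)
        if path.is_dir():
            for rule_file in sorted(path.rglob(pattern)):
                yield str(rule_file), rule_file.read_text(encoding="utf-8")
        elif path.is_file():
            yield str(path), path.read_text(encoding="utf-8")
        else:
            raise FileNotFoundError(f"rule input not found: {item}")


def load_all(inputs, stdin=None):
    """Load every input; an empty result is an error, so a run that parsed
    zero rules can never be reported as a clean check."""
    rules = list(iter_rule_sources(inputs, stdin))
    if not rules:
        raise ValueError("no rules loaded")
    return rules


# Constructed sample rule text (not taken from the Sigma rule repository).
SAMPLE_RULE = "title: Constructed sample\nlogsource:\n  category: process_creation\n"

if __name__ == "__main__":
    # Usage: cat rule.yml | python load_rules_sketch.py -
    for name, text in load_all(sys.argv[1:]):
        print(f"{name}: {len(text)} characters")
```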
@signus
signus commented Apr 27, 2023

Thanks @thomaspatzke, I'll take a shot at this one and add some notes.

Notably it appears that some modifications will have to be made where both the input or the stdin Path can be a single file or the directory path for the rules, as presently specifying a single rule file processes normally even though it should fail the check.

thomaspatzke added a commit that referenced this issue Apr 29, 2023
@thomaspatzke
Member

Implemented! It will be contained in the next release.

@signus
signus commented Apr 30, 2023

Man, you're quick! Do you classify as human? :D

Thank you for your work!

@ali-saad-jaffer
Author

Thanks @thomaspatzke

@thomaspatzke
Member

Just released in v0.7.3
