ChopChopGo_rules.yaml
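# Rule-compiler configuration for the ChopChopGo Linux sigma rule set. The
# sections below (Preamble, FieldMappings, DefaultDetails, Sources,
# QueryTemplate, RuleDirectories) are combined into a single Velociraptor
# artifact named Linux.ChopChopGo.Rules.
#
# Preamble is a YAML literal block holding the artifact header: its name, the
# user-facing parameters and the start of the "sources" section. QueryTemplate
# supplies the query body that follows it.
Preamble: |
  name: Linux.ChopChopGo.Rules
  parameters:
  - name: ROOT
    description: The Event Log Directory we use to read all logs
    default: /var/log/
  - name: Debug
    type: bool
    description: Enable full debug trace
  - name: RuleLevel
    type: choices
    default: All
    choices:
      - Critical
      - Critical and High
      - All
  - name: DefaultYear
    description: The Default year for parsing Syslog timestamps (default current year)
  - name: RuleStatus
    type: choices
    default: All Rules
    choices:
      - Stable
      - Stable and Experimental
      - Stable and Test
      - All Rules
  - name: RuleTitleFilter
    type: regex
    default: .
    description: Use this to filter only some rules to match
  - name: SigmaRules
    description: If provided we use these rules instead of the built in set.

  sources:
  - query: |
      -- Translate the choice labels into the regexes consumed by rule_filter.
      LET RuleStatusRegex <= get(item=dict(
        `Stable`="stable",
        `Stable and Experimental`="stable|experimental",
        `Stable and Test`="stable|test",
        `All Rules`="."), member=RuleStatus)
      LET RuleLevelRegex <= get(item=dict(
        Critical="critical",
        `Critical and High`="critical|high",
        `All`="."), member=RuleLevel)

      -- Yield every line of each file directly under ROOT whose basename
      -- matches Filter. Filter is an unanchored regex, so "auth.log" also
      -- matches rotated copies such as auth.log.1; a compressed rotation
      -- (e.g. auth.log.2.gz) would match as well and be handed to
      -- parse_lines unchanged -- NOTE(review): confirm that is intended.
      LET ParseLogFile(Filter, ROOT) =
        SELECT OSPath, Line FROM foreach(row={
          SELECT OSPath FROM glob(globs="*", root=ROOT)
          WHERE OSPath.Basename =~ Filter
        }, query={
          SELECT OSPath, Line
          FROM parse_lines(filename=OSPath)
        })

      -- Syslog timestamps carry no year. The leading space is deliberate:
      -- this value is appended directly to the parsed timestamp string.
      LET DefaultYear <= format(format=" %v", args=DefaultYear || timestamp(epoch=now()).Year)

# Sigma field name -> VQL lambda over the candidate row (x). These mappings
# are compiled into the artifact and are the only ones evaluated at runtime.
FieldMappings:
  Image: x=>x.Process.exe
  exe: x=>x.Process.exe
  TargetFilename: x=>x.File.path
  name: x=>x.Process.exe
  CommandLine: x=>x.Process.title
  # Auditd based rules
  a0: x=>x.Process.args[0]
  a1: x=>x.Process.args[1]
  a2: x=>x.Process.args[2]
  a3: x=>x.Process.args[3]
  a4: x=>x.Process.args[4]
  a5: x=>x.Process.args[5]
  a6: x=>x.Process.args[6]
  a7: x=>x.Process.args[7]
  # Only the exec case is synthesised; other actions leave "type" unset.
  type: x=>if(condition=x.Summary.action =~ "exec", then="EXECVE")
  comm: x=>x.Process.name
  nametype: x=>x.Paths.nametype
  syscall: x=>x.Data.syscall

# Default "Details" column when a rule does not define its own.
DefaultDetails:
  Query: x=>x.Line
  Lookup:
    A: x=>x.Line

# Sigma logsource pattern (product/category/service) -> VQL producing the
# candidate rows for rules declaring that logsource. Each pattern is a key
# of this mapping and must therefore appear exactly once.
Sources:
  "*/linux/*":
    query: |
      SELECT * FROM ParseLogFile(ROOT=ROOT, Filter="auth.log|syslog|secure")
  "*/linux/sshd":
    query: |
      SELECT * FROM ParseLogFile(ROOT=ROOT, Filter="auth.log|secure")
      WHERE Line =~ "sshd"
  # NOTE(review): distributions that write cron to its own log file rather
  # than syslog would not be covered by this source -- confirm.
  "*/linux/cron":
    query: |
      SELECT * FROM ParseLogFile(ROOT=ROOT, Filter="syslog")
      WHERE Line =~ "cron"
  "*/linux/auth":
    query: |
      SELECT * FROM ParseLogFile(ROOT=ROOT, Filter="auth.log|secure")
  "*/linux/syslog":
    query: |
      SELECT * FROM ParseLogFile(ROOT=ROOT, Filter="syslog")
  # Listed once. The previous revision repeated this key with an identical
  # body; a duplicate mapping key is invalid YAML and is either rejected or
  # silently collapsed depending on the parser.
  "*/linux/sudo":
    query: |
      SELECT * FROM ParseLogFile(ROOT=ROOT, Filter="auth.log|secure")
      WHERE Line =~ "sudo:"
  # NOTE(review): this reads ROOT/auditd through the syslog-style
  # ParseLogFile with the auth.log|secure filter, whereas process_creation
  # below reads ROOT/audit/audit.log via parse_auditd -- confirm which
  # location and format the "auditd" service is meant to use.
  "*/linux/auditd":
    query: |
      SELECT * FROM ParseLogFile(ROOT=ROOT + "/auditd", Filter="auth.log|secure")
  # ROOT defaults to "/var/log/", so the concatenation yields a doubled
  # slash; presumably harmless for a POSIX path -- verify.
  "process_creation/linux/*":
    query: |
      SELECT * FROM parse_auditd(filename=ROOT + '/audit/audit.log')

# Body of the artifact query. {{.Base64*}} placeholders are filled at compile
# time with gzip+base64 encoded blobs of the rules and mappings above.
QueryTemplate: |
  -- When the caller supplies SigmaRules it replaces the compiled-in set
  -- entirely (no merge): the effective detections are exactly what was
  -- passed in, so treat that parameter as trusted rule content.
  LET Rules <= SigmaRules || gunzip(string=base64decode(string="{{.Base64CompressedRules}}"))
  LET FieldMapping <= parse_json(data=gunzip(string=base64decode(string="{{.Base64FieldMapping}}")))
  LET DefaultDetails <= parse_json(data=gunzip(string=base64decode(string="{{.Base64DefaultDetailsLookup}}")))

  LET X = scope()
  -- Extract the syslog-style timestamp prefix; DefaultYear is appended
  -- before conversion because the prefix carries no year.
  LET ParseTimestamp(Line) = grok(grok="%{SYSLOGTIMESTAMP:timestamp}", data=Line)

  -- Rows that already carry a Timestamp keep it; otherwise one is parsed
  -- from the raw Line.
  SELECT X.Timestamp || timestamp(string=ParseTimestamp(Line=Line).timestamp + DefaultYear) AS Timestamp, *
  FROM sigma(
     rules=split(string= Rules, sep_string="\n---\n"),
     log_sources= LogSources, debug=Debug,
     default_details="{{.Base64DefaultDetailsQuery}}",
     rule_filter="x=>x.Level =~ RuleLevelRegex AND x.Status =~ RuleStatusRegex AND x.Title =~ RuleTitleFilter",
     field_mapping= FieldMapping)

# Directories (relative to the rule repository) whose sigma rules are
# compiled into this artifact.
RuleDirectories:
  - ChopChopGo/rules/linux/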