Yamato-Security / sigma-to-hayabusa-converter

Documentation and tools to curate Sigma rules for Windows event logs into easier to parse rules.
GNU General Public License v3.0

feat: add ignore-uuid-list.txt #1

Closed fukusuket closed 2 months ago

fukusuket commented 2 months ago

What Changed

Related https://github.com/Yamato-Security/sigma-to-hayabusa-converter/issues/6

% poetry run python sigma-to-hayabusa-converter.py -r ../sigma -o ./converted_sigma_rules_org  # before fix
% poetry run python sigma-to-hayabusa-converter.py -r ../sigma -o ./converted_sigma_rules
% diff -r converted_sigma_rules converted_sigma_rules_org 
Only in converted_sigma_rules_org/builtin/powershell/powershell_classic: posh_pc_tamper_windows_defender_set_mp.yml
...
[ERROR:sigma-to-hayabusa-converter.py:547] Error while converting rule [../sigma/rules/windows/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp.yml]: This rule has UUIDs to be excluded [ec19ebab-72dc-40e1-9728-4c0b805d722c]. Conversion skipped.
[ERROR:sigma-to-hayabusa-converter.py:322] Error while converting rule [../sigma/rules/windows/process_creation/proc_creation_win_lolbin_settingsynchost.yml]: This rule has incompatible field: {'process_creation': {'EventID': 4688, 'Channel': 'Security'}, 'system_utility': {'NewProcessName|startswith': ['C:\\Windows\\System32\\', 'C:\\Windows\\SysWOW64\\']}, 'parent_is_settingsynchost

I would appreciate it if you could check it out when you have time🙏

YamatoSecurity commented 2 months ago

@fukusuket Thanks for the quick fix! We should probably also ignore

title: Tamper Windows Defender - ScriptBlockLogging
id: 14c71865-6cd3-44ae-adaa-1db923fae5f2

Is it possible to add comments to the text file so we don't have to look up what rules they are? For example:

# These rules are ignored because they have keywords that cause false positives for Windows Defender
ec19ebab-72dc-40e1-9728-4c0b805d722c # Tamper Windows Defender - PSClassic
14c71865-6cd3-44ae-adaa-1db923fae5f2 # Tamper Windows Defender - ScriptBlockLogging

fukusuket commented 2 months ago

@YamatoSecurity Thank you so much for checking :) I updated!

% poetry run python sigma-to-hayabusa-converter.py -r ../sigma -o ./converted_sigma_rules
...
% diff -r converted_sigma_rules converted_sigma_rules_org                                
Only in converted_sigma_rules_org/builtin/powershell/powershell_classic: posh_pc_tamper_windows_defender_set_mp.yml
Only in converted_sigma_rules_org/builtin/powershell/powershell_script: posh_ps_tamper_windows_defender_set_mp.yml
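The comment-carrying ignore list proposed in the thread only works if the converter strips `#` comments (full-line and trailing) before matching rule ids, and a malformed entry should be reported rather than silently never matching. The following is an added example, not code from sigma-to-hayabusa-converter; the file format (one UUID per line, `#` starts a comment) is taken from the example above, the function names, the rule dicts and the third rule id are constructed for illustration.

```python
"""Added example: parse an ignore-uuid-list.txt with '#' comments and skip rules by id.

Not the converter's own code. Assumed format, from the list proposed in the thread:
one UUID per line, '#' starts a comment (either a whole line or after the UUID).
"""
import uuid
from typing import Dict, List, Set, Tuple

# Constructed sample ignore list; the two UUIDs are the ones quoted in the thread,
# the last line is a deliberately malformed entry to show how errors surface.
SAMPLE_IGNORE_LIST = """\
# These rules are ignored because they have keywords that cause false positives for Windows Defender
ec19ebab-72dc-40e1-9728-4c0b805d722c # Tamper Windows Defender - PSClassic
14c71865-6cd3-44ae-adaa-1db923fae5f2 # Tamper Windows Defender - ScriptBlockLogging

not-a-uuid  # malformed entry: must be reported, not silently ignored
"""

# Constructed stand-ins for parsed Sigma rules (only title and id matter here).
SAMPLE_RULES: List[Dict[str, str]] = [
    {"title": "Tamper Windows Defender - PSClassic",
     "id": "ec19ebab-72dc-40e1-9728-4c0b805d722c"},
    {"title": "Tamper Windows Defender - ScriptBlockLogging",
     "id": "14C71865-6CD3-44AE-ADAA-1DB923FAE5F2"},   # uppercase on purpose
    {"title": "Constructed unrelated rule",
     "id": "00000000-0000-4000-8000-000000000001"},   # hypothetical id
]


def parse_ignore_list(text: str) -> Tuple[Set[str], List[str]]:
    """Return (set of canonical UUID strings, list of problems found).

    Everything from the first '#' to end of line is a comment; blank lines are
    skipped. Entries are canonicalised through uuid.UUID so case and
    surrounding whitespace do not cause a silent mismatch.
    """
    ignored: Set[str] = set()
    problems: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            ignored.add(str(uuid.UUID(entry)))
        except ValueError:
            problems.append(f"line {lineno}: not a UUID: {entry!r}")
    return ignored, problems


def should_skip(rule: Dict[str, str], ignored: Set[str]) -> bool:
    """True if the rule's id is on the ignore list (case-insensitive match)."""
    rule_id = rule.get("id", "")
    try:
        return str(uuid.UUID(rule_id)) in ignored
    except ValueError:
        # A rule without a valid UUID id cannot be on the list; convert it normally.
        return False


def split_rules(rules: List[Dict[str, str]],
                ignored: Set[str]) -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Partition rules into (to_convert, skipped)."""
    skipped = [r for r in rules if should_skip(r, ignored)]
    to_convert = [r for r in rules if not should_skip(r, ignored)]
    return to_convert, skipped


if __name__ == "__main__":
    ignored_ids, errors = parse_ignore_list(SAMPLE_IGNORE_LIST)
    for err in errors:
        print(f"[ERROR] ignore list: {err}")
    convert, skip = split_rules(SAMPLE_RULES, ignored_ids)
    for r in skip:
        print(f"Conversion skipped: {r['title']} [{r['id']}]")
    for r in convert:
        print(f"Converting: {r['title']}")
```

Canonicalising through `uuid.UUID` is what makes the uppercase id in the second sample rule still match; a plain string comparison would convert that rule despite it being listed. Reporting malformed lines by line number keeps a typo in the list from silently re-enabling a rule.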