theflakes / sigma_to_wazuh

Convert Sigma rules to Wazuh rules
MIT License

More complex logic not parsing correctly #7

Closed theflakes closed 2 years ago

theflakes commented 3 years ago

See: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml

theflakes commented 3 years ago

Improved lexing, but really need to go through a lot of Sigma rules to verify correct parsing. "|" in negations may still be a problem.

theflakes commented 3 years ago

Problem parsing:
https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file_event/sysmon_webshell_creation_detect.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/linux/macos_security_software_discovery.yml
https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/win_lsass_access_non_system_account.yml

theflakes commented 3 years ago

Prob need to start at the beginning for the lexical analysis again. Try using a binary tree and will also need to examine not just the condition statement but also the detection section.
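
The binary-tree approach mentioned in the last comment, as an added example that is not part of the original thread or the sigma_to_wazuh code base: a recursive-descent parser that turns a Sigma condition string into a tree of nested tuples with the precedence not > and > or. The name parse_condition, the tuple layout and the identifiers in the comments are assumptions made for illustration.

```python
import re

TOKEN = re.compile(r"\(|\)|[^\s()]+")  # parentheses or a bare word
RESERVED = {"and", "or", "not", "of", ")"}

def parse_condition(condition):
    """Parse a Sigma condition into nested tuples; precedence: not > and > or."""
    toks, pos = TOKEN.findall(condition), 0
    def peek():
        return toks[pos].lower() if pos < len(toks) else None

    def take():
        nonlocal pos
        if pos >= len(toks):
            raise ValueError("unexpected end of condition")
        pos += 1
        return toks[pos - 1]

    def binary(op, operand):
        left = operand()
        while peek() == op:
            take()
            left = (op, left, operand())  # left-associative binary node
        return left

    def or_expr():
        return binary("or", lambda: binary("and", unary))

    def unary():
        if peek() == "not":
            take()
            return ("not", unary())
        tok = take()
        if tok == "(":
            inner = or_expr()
            if take() != ")":
                raise ValueError("expected ')'")
            return inner
        if tok.lower() in RESERVED:
            raise ValueError(f"unexpected token {tok!r}")
        if peek() == "of":  # quantifier leaf such as "1 of selection*"
            take()
            return ("of", tok.lower(), take())
        return ("id", tok)  # name of an entry in the detection section

    tree = or_expr()
    if pos != len(toks):
        raise ValueError(f"unexpected token {toks[pos]!r}")
    return tree
```

Anything outside this grammar, such as a pipe in the condition, raises ValueError instead of producing a partial tree. Resolving the ("id", name) leaves against the rule's detection section is a separate pass that is not shown.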