Git repository: https://github.com/SigmaHQ/sigma/tree/master/tools
tools/sigmac -t es-dsl -c config/elk-defaultindex.yml rules/application/app_sqlinjection_errors.yml
Conversion result:
{
  "query": {
    "constant_score": {
      "filter": {
        "bool": {
          "should": [
            {
              "multi_match": {
                "query": "quoted string not properly terminated",
                "fields": [],
                "type": "phrase"
              }
            },
            {
              "multi_match": {
                "query": "You have an error in your SQL syntax",
                "fields": [],
                "type": "phrase"
              }
            },
            {
              "multi_match": {
                "query": "Unclosed quotation mark",
                "fields": [],
                "type": "phrase"
              }
            },
            {
              "multi_match": {
                "query": "near \"*\": syntax error",
                "fields": [],
                "type": "phrase"
              }
            },
            {
              "multi_match": {
                "query": "SELECTs to the left and right of UNION do not have the same number of result columns",
                "fields": [],
                "type": "phrase"
              }
            }
          ]
        }
      }
    }
  }
}
-t is the conversion target, for example es-dsl, which converts the rule into an es-dsl query; -c is the configuration file; the final yml file is the rule file.
You can also pass -r and point it at a folder of rules; every rule in the folder is then converted, and the result is a list of queries.
https://uncoder.io/#
Most Sigma rules are mapped to ATT&CK techniques; for example, app_python_sql_exceptions.yml maps to T1190.
python3 sigma2attack -d /home/rules/application/   (-d specifies the rule folder)
This generates a heatmap.json file with the following content:
{
  "domain": "mitre-enterprise",
  "name": "Sigma rules heatmap",
  "gradient": {
    "colors": [ "#ffffff", "#ff6666" ],
    "maxValue": 5,
    "minValue": 0
  },
  "versions": {
    "navigator": "4.0",
    "layer": "4.0"
  },
  "techniques": [
    {
      "techniqueID": "T1190",
      "score": 5,
      "comment": "app_python_sql_exceptions.yml\napp_sqlinjection_errors.yml\nappframework_django_exceptions.yml\nappframework_ruby_on_rails_exceptions.yml\nappframework_spring_exceptions.yml"
    }
  ]
}
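The mapping behind that heatmap, as an added example that is not the sigma2attack script itself: it reads the attack.tNNNN tags from each rule, scores a technique by how many rules reference it, and emits a Navigator layer in the same shape as the file above. The rule texts are constructed samples, the tag regex stands in for a YAML parser, and setting maxValue to the highest score is an assumption.

```python
import json
import re
from collections import defaultdict

# ATT&CK technique tags in a Sigma "tags:" list, e.g. "- attack.t1190" or "- attack.t1059.001"
TECHNIQUE_TAG = re.compile(r"^\s*-\s*attack\.(t\d{4}(?:\.\d{3})?)\s*$", re.IGNORECASE | re.MULTILINE)

# Constructed sample rules, abridged to the fields the mapping needs
SAMPLE_RULES = {
    "app_sqlinjection_errors.yml": "title: Suspicious SQL Error Messages\ntags:\n"
                                   "    - attack.initial_access\n    - attack.t1190\n",
    "app_python_sql_exceptions.yml": "title: Python SQL Exceptions\ntags:\n"
                                     "    - attack.initial_access\n    - attack.t1190\n",
    "web_cmd_in_useragent.yml": "title: Command Injection via User-Agent\ntags:\n"
                                "    - attack.execution\n    - attack.t1059\n",
}


def techniques_from_rule(text):
    """Return the set of technique IDs (upper-cased, e.g. T1190) tagged in one rule."""
    return {m.upper() for m in TECHNIQUE_TAG.findall(text)}


def build_heatmap(rules):
    """Build a Navigator layer where each technique's score is its rule count."""
    hits = defaultdict(list)
    for name in sorted(rules):                 # sorted so the comment order is stable
        for tech in techniques_from_rule(rules[name]):
            hits[tech].append(name)
    max_score = max((len(v) for v in hits.values()), default=0)  # assumption: scale to data
    return {
        "domain": "mitre-enterprise",
        "name": "Sigma rules heatmap",
        "gradient": {"colors": ["#ffffff", "#ff6666"], "maxValue": max_score, "minValue": 0},
        "versions": {"navigator": "4.0", "layer": "4.0"},
        "techniques": [
            {"techniqueID": t, "score": len(names), "comment": "\n".join(names)}
            for t, names in sorted(hits.items())
        ],
    }


if __name__ == "__main__":
    print(json.dumps(build_heatmap(SAMPLE_RULES), indent=2))
```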
Original post: https://www.cnblogs.com/moonwang/p/14628694.html