
config editor rest: minor improvements in sigma rule importer (#313)
* config editor rest: minor improvements in sigma rule importer

* minor fixes

* simplification of normalising name function
mariannovotny authored Sep 8, 2021
1 parent 67d7445 commit 046c85c
Showing 26 changed files with 86 additions and 69 deletions.
4 changes: 2 additions & 2 deletions alerting/alerting-core/pom.xml
Expand Up @@ -11,7 +11,7 @@
<parent>
<groupId>uk.co.gresearch.siembol</groupId>
<artifactId>alerting</artifactId>
<version>1.3.5-SNAPSHOT</version>
<version>1.3.6-SNAPSHOT</version>
</parent>
<dependencies>
<dependency>
Expand All @@ -35,7 +35,7 @@
<dependency>
<groupId>uk.co.gresearch.siembol</groupId>
<artifactId>siembol-common</artifactId>
<version>1.3.5-SNAPSHOT</version>
<version>1.3.6-SNAPSHOT</version>
</dependency>
<dependency>
<groupId>org.adrianwalker</groupId>
4 changes: 2 additions & 2 deletions alerting/alerting-spark/pom.xml
Expand Up @@ -11,7 +11,7 @@
<parent>
<groupId>uk.co.gresearch.siembol</groupId>
<artifactId>alerting</artifactId>
<version>1.3.5-SNAPSHOT</version>
<version>1.3.6-SNAPSHOT</version>
</parent>
<dependencies>
<dependency>
Expand All @@ -23,7 +23,7 @@
<dependency>
<groupId>uk.co.gresearch.siembol</groupId>
<artifactId>alerting-core</artifactId>
<version>1.3.5-SNAPSHOT</version>
<version>1.3.6-SNAPSHOT</version>
<exclusions>
<exclusion>
<artifactId>jackson-databind</artifactId>
4 changes: 2 additions & 2 deletions alerting/alerting-storm/pom.xml
Expand Up @@ -9,7 +9,7 @@
<parent>
<groupId>uk.co.gresearch.siembol</groupId>
<artifactId>alerting</artifactId>
<version>1.3.5-SNAPSHOT</version>
<version>1.3.6-SNAPSHOT</version>
</parent>
<dependencies>
<dependency>
Expand Down Expand Up @@ -46,7 +46,7 @@
<dependency>
<groupId>uk.co.gresearch.siembol</groupId>
<artifactId>alerting-core</artifactId>
<version>1.3.5-SNAPSHOT</version>
<version>1.3.6-SNAPSHOT</version>
<exclusions>
<exclusion>
<groupId>org.slf4j</groupId>
2 changes: 1 addition & 1 deletion alerting/pom.xml
Expand Up @@ -11,7 +11,7 @@
<parent>
<groupId>uk.co.gresearch.siembol</groupId>
<artifactId>siembol</artifactId>
<version>1.3.5-SNAPSHOT</version>
<version>1.3.6-SNAPSHOT</version>
</parent>
<modules>
<module>alerting-core</module>
4 changes: 2 additions & 2 deletions config-editor/config-editor-core/pom.xml
Expand Up @@ -9,13 +9,13 @@
<parent>
<groupId>uk.co.gresearch.siembol</groupId>
<artifactId>config-editor</artifactId>
<version>1.3.5-SNAPSHOT</version>
<version>1.3.6-SNAPSHOT</version>
</parent>
<dependencies>
<dependency>
<groupId>uk.co.gresearch.siembol</groupId>
<artifactId>siembol-common</artifactId>
<version>1.3.5-SNAPSHOT</version>
<version>1.3.6-SNAPSHOT</version>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@ public class ConfigEditorUtils {
private static final String CONFIG_NAME_FORMAT = "%s.json";
private static final String TEST_CASE_NAME_FORMAT = "%s-%s.json";
private static final String TEST_CASE_NAME_PREFIX = "%s-";
private static final String INVALID_NAME_SEQUENCE_REGEX ="[^a-zA-Z0-9_\\-]+";

static {
Configuration.setDefaults(new Configuration.Defaults() {
Expand Down Expand Up @@ -126,7 +127,6 @@ public static String getTestCaseFileNamePrefix(String configName) {
}

public static String getNormalisedConfigName(String configName) {
return configName.trim().replaceAll(" ", "_");
return configName.trim().replaceAll(INVALID_NAME_SEQUENCE_REGEX, "_");
}

}
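Review bot: The new INVALID_NAME_SEQUENCE_REGEX collapses every run of characters outside `[a-zA-Z0-9_-]` into a single `_`, so names that differ only in rejected characters (`Sigma Title`, `Sigma_Title`, `Sigma/Title`) normalise to the same config name, and nothing in getNormalisedConfigName or, as far as this hunk shows, in its caller detects that collision before the name is reused. Rejecting `/`, `\` and `.` is the right direction if the normalised name is what ends up in CONFIG_NAME_FORMAT, so record that intent on the method, e.g. `/** Replaces each run of characters other than letters, digits, '_' and '-' with a single '_', keeping the name usable as a file name. */`, so the character class is not loosened later. An empty or whitespace-only name still normalises to an empty string and a null still throws, as before. Minor: the constant's initialiser is missing the space after `=`, and a `private static final Pattern` would avoid recompiling the regex on every replaceAll call.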
18 changes: 9 additions & 9 deletions config-editor/config-editor-rest/pom.xml
Expand Up @@ -9,7 +9,7 @@
<parent>
<groupId>uk.co.gresearch.siembol</groupId>
<artifactId>config-editor</artifactId>
<version>1.3.5-SNAPSHOT</version>
<version>1.3.6-SNAPSHOT</version>
</parent>
<dependencyManagement>
<dependencies>
Expand Down Expand Up @@ -56,7 +56,7 @@
<dependency>
<groupId>uk.co.gresearch.siembol</groupId>
<artifactId>siembol-common</artifactId>
<version>1.3.5-SNAPSHOT</version>
<version>1.3.6-SNAPSHOT</version>
<exclusions>
<exclusion>
<groupId>org.slf4j</groupId>
Expand All @@ -67,22 +67,22 @@
<dependency>
<groupId>uk.co.gresearch.siembol</groupId>
<artifactId>config-editor-core</artifactId>
<version>1.3.5-SNAPSHOT</version>
<version>1.3.6-SNAPSHOT</version>
</dependency>
<dependency>
<groupId>uk.co.gresearch.siembol</groupId>
<artifactId>config-editor-services</artifactId>
<version>1.3.5-SNAPSHOT</version>
<version>1.3.6-SNAPSHOT</version>
</dependency>
<dependency>
<groupId>uk.co.gresearch.siembol</groupId>
<artifactId>config-editor-sync</artifactId>
<version>1.3.5-SNAPSHOT</version>
<version>1.3.6-SNAPSHOT</version>
</dependency>
<dependency>
<groupId>uk.co.gresearch.siembol</groupId>
<artifactId>alerting-core</artifactId>
<version>1.3.5-SNAPSHOT</version>
<version>1.3.6-SNAPSHOT</version>
<exclusions>
<exclusion>
<groupId>org.slf4j</groupId>
Expand All @@ -93,7 +93,7 @@
<dependency>
<groupId>uk.co.gresearch.siembol</groupId>
<artifactId>parsing-app</artifactId>
<version>1.3.5-SNAPSHOT</version>
<version>1.3.6-SNAPSHOT</version>
<exclusions>
<exclusion>
<groupId>org.slf4j</groupId>
Expand All @@ -104,7 +104,7 @@
<dependency>
<groupId>uk.co.gresearch.siembol</groupId>
<artifactId>enriching-core</artifactId>
<version>1.3.5-SNAPSHOT</version>
<version>1.3.6-SNAPSHOT</version>
<exclusions>
<exclusion>
<groupId>org.slf4j</groupId>
Expand All @@ -115,7 +115,7 @@
<dependency>
<groupId>uk.co.gresearch.siembol</groupId>
<artifactId>responding-core</artifactId>
<version>1.3.5-SNAPSHOT</version>
<version>1.3.6-SNAPSHOT</version>
<exclusions>
<exclusion>
<groupId>org.slf4j</groupId>
20 changes: 10 additions & 10 deletions config-editor/config-editor-services/pom.xml
Expand Up @@ -10,53 +10,53 @@
<parent>
<groupId>uk.co.gresearch.siembol</groupId>
<artifactId>config-editor</artifactId>
<version>1.3.5-SNAPSHOT</version>
<version>1.3.6-SNAPSHOT</version>
</parent>
<dependencies>
<dependency>
<groupId>uk.co.gresearch.siembol</groupId>
<artifactId>siembol-common</artifactId>
<version>1.3.5-SNAPSHOT</version>
<version>1.3.6-SNAPSHOT</version>
</dependency>
<dependency>
<groupId>uk.co.gresearch.siembol</groupId>
<artifactId>config-editor-core</artifactId>
<version>1.3.5-SNAPSHOT</version>
<version>1.3.6-SNAPSHOT</version>
</dependency>
<dependency>
<groupId>uk.co.gresearch.siembol</groupId>
<artifactId>alerting-core</artifactId>
<version>1.3.5-SNAPSHOT</version>
<version>1.3.6-SNAPSHOT</version>
</dependency>
<dependency>
<groupId>uk.co.gresearch.siembol</groupId>
<artifactId>alerting-storm</artifactId>
<version>1.3.5-SNAPSHOT</version>
<version>1.3.6-SNAPSHOT</version>
</dependency>
<dependency>
<groupId>uk.co.gresearch.siembol</groupId>
<artifactId>parsing-storm</artifactId>
<version>1.3.5-SNAPSHOT</version>
<version>1.3.6-SNAPSHOT</version>
</dependency>
<dependency>
<groupId>uk.co.gresearch.siembol</groupId>
<artifactId>enriching-storm</artifactId>
<version>1.3.5-SNAPSHOT</version>
<version>1.3.6-SNAPSHOT</version>
</dependency>
<dependency>
<groupId>uk.co.gresearch.siembol</groupId>
<artifactId>parsing-app</artifactId>
<version>1.3.5-SNAPSHOT</version>
<version>1.3.6-SNAPSHOT</version>
</dependency>
<dependency>
<groupId>uk.co.gresearch.siembol</groupId>
<artifactId>enriching-core</artifactId>
<version>1.3.5-SNAPSHOT</version>
<version>1.3.6-SNAPSHOT</version>
</dependency>
<dependency>
<groupId>uk.co.gresearch.siembol</groupId>
<artifactId>responding-core</artifactId>
<version>1.3.5-SNAPSHOT</version>
<version>1.3.6-SNAPSHOT</version>
</dependency>
<dependency>
<groupId>junit</groupId>
Original file line number Diff line number Diff line change
Expand Up @@ -50,6 +50,7 @@ public class SigmaRuleImporter implements ConfigImporter {
private static final String ERROR_IMPORT_CONFIG_LOG = "Error during importing sigma rule: {}, " +
"attributes: {}, user:{}, exception: {}";
private static final String ERROR_TOKENS_PARSING = "Problem during parsing of condition tokens";
private static final String RULE_UNKNOWN_FIELD_VALUE = "unknown";

private final String importerAttributesSchema;
private final SiembolJsonSchemaValidator importerAttributesValidator;
Expand Down Expand Up @@ -105,7 +106,8 @@ public ConfigEditorResult importConfig(UserInfo user, String importerAttributes,
private RuleDto createRule(SigmaImporterAttributesDto attributes, Map<String, Object> sigmaRuleMap) throws Exception {
RuleDto ret = new RuleDto();
BeanUtils.copyProperties(ret, attributes.getRuleMetadataMapping());
EvaluationLibrary.substituteBean(ret, sigmaRuleMap);
EvaluationLibrary.substituteBean(ret, sigmaRuleMap, RULE_UNKNOWN_FIELD_VALUE);

ret.setRuleName(ConfigEditorUtils.getNormalisedConfigName(ret.getRuleName()));
return ret;
}
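Review bot: Passing RULE_UNKNOWN_FIELD_VALUE to substituteBean at line 288 makes a sigma rule that lacks a mapped field import with status OK and the literal `unknown` in that field (the new importConfigWithUnknownFields test shows this for rule_description), so a malformed or truncated rule is accepted without any signal to the user; consider logging which fields were defaulted, or returning a warning alongside the result. If the missing field is the title, the normalised rule name presumably degrades to a placeholder such as `based_on_unknown` (inferred from the `based_on_` prefix visible in the test expectations), so repeated imports of title-less rules would collide on the same name. The constant deserves a comment stating its role, e.g. `// value substituted for fields referenced by the metadata mapping but absent from the sigma rule`; that role is inferred from the test rather than from this hunk, so confirm it against EvaluationLibrary.substituteBean. createRule is fully within the hunk; importConfig, named in the hunk header, starts outside it.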
Original file line number Diff line number Diff line change
Expand Up @@ -43,7 +43,7 @@ public class SigmaRuleImporterTest {
private static String importerAttributes;

/**
* title: Sigma Title
* title: Sigma Title( Experimental???
* id: d06be400-8045-4200-0067-740a2009db25
* status: experimental
* description: Detects secret
Expand Down Expand Up @@ -130,7 +130,7 @@ public void importConfig() throws JsonProcessingException {

RuleDto rule = ALERTING_RULE_READER.readValue(result.getAttributes().getImportedConfiguration());
Assert.assertEquals("siembol", rule.getRuleAuthor());
Assert.assertEquals("based_on_Sigma_Title", rule.getRuleName());
Assert.assertEquals("based_on_Sigma_Title_Experimental_", rule.getRuleName());
Assert.assertEquals("generated from Detects secret and id: d06be400-8045-4200-0067-740a2009db25",
rule.getRuleDescription());
Assert.assertEquals(0, rule.getRuleVersion());
Expand Down Expand Up @@ -187,13 +187,23 @@ public void importConfig() throws JsonProcessingException {
}

@Test
public void importConfigWithCondition1() throws JsonProcessingException {
public void importConfigWithCondition1() {
String rule = sigmaRuleExample.replace("image_path and cmd_c and (cmd_s or not net_utility)",
"(image_path or cmd_c) and (cmd_s or not net_utility)");
ConfigEditorResult result = importer.importConfig(userInfo, importerAttributes, rule);
Assert.assertEquals(OK, result.getStatusCode());
}

@Test
public void importConfigWithUnknownFields() {
String rule = sigmaRuleExample.replace("description:",
"abc:");
ConfigEditorResult result = importer.importConfig(userInfo, importerAttributes, rule);
Assert.assertTrue(result.getAttributes()
.getImportedConfiguration().contains("\"rule_description\" : \"unknown\""));
Assert.assertEquals(OK, result.getStatusCode());
}

@Test
public void importConfigInvalidAttributes() {
ConfigEditorResult result = importer.importConfig(userInfo,
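Review bot: importConfigWithUnknownFields asserts on the serialised text `"\"rule_description\" : \"unknown\""`, which ties the test to the serializer's pretty-print spacing; the earlier importConfig test already deserialises the result, so prefer `RuleDto rule = ALERTING_RULE_READER.readValue(result.getAttributes().getImportedConfiguration());` followed by `Assert.assertEquals("unknown", rule.getRuleDescription());` (readValue needs `throws JsonProcessingException` on the method, the clause the commit just dropped from importConfigWithCondition1). Move the status-code assertion before the attributes are dereferenced, since a non-OK result would otherwise fail with a NullPointerException rather than an assertion message. The updated Javadoc at line 300 now shows the example title as `Sigma Title( Experimental???`, but the matching change to sigmaRuleExample itself is outside the hunk, so I cannot confirm the expectation `based_on_Sigma_Title_Experimental_` against it. Note that `replace("description:", "abc:")` replaces every occurrence in sigmaRuleExample, which is fine only as long as the example contains that key once.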
8 changes: 4 additions & 4 deletions config-editor/config-editor-sync/pom.xml
Expand Up @@ -9,7 +9,7 @@
<parent>
<groupId>uk.co.gresearch.siembol</groupId>
<artifactId>config-editor</artifactId>
<version>1.3.5-SNAPSHOT</version>
<version>1.3.6-SNAPSHOT</version>
</parent>
<dependencies>
<dependency>
Expand All @@ -20,17 +20,17 @@
<dependency>
<groupId>uk.co.gresearch.siembol</groupId>
<artifactId>siembol-common</artifactId>
<version>1.3.5-SNAPSHOT</version>
<version>1.3.6-SNAPSHOT</version>
</dependency>
<dependency>
<groupId>uk.co.gresearch.siembol</groupId>
<artifactId>config-editor-core</artifactId>
<version>1.3.5-SNAPSHOT</version>
<version>1.3.6-SNAPSHOT</version>
</dependency>
<dependency>
<groupId>uk.co.gresearch.siembol</groupId>
<artifactId>parsing-app</artifactId>
<version>1.3.5-SNAPSHOT</version>
<version>1.3.6-SNAPSHOT</version>
<scope>provided</scope>
</dependency>
<dependency>
2 changes: 1 addition & 1 deletion config-editor/pom.xml
Expand Up @@ -11,7 +11,7 @@
<parent>
<groupId>uk.co.gresearch.siembol</groupId>
<artifactId>siembol</artifactId>
<version>1.3.5-SNAPSHOT</version>
<version>1.3.6-SNAPSHOT</version>
</parent>
<modules>
<module>config-editor-core</module>
4 changes: 2 additions & 2 deletions deployment/storm-topology-manager/pom.xml
Expand Up @@ -9,7 +9,7 @@
<parent>
<groupId>uk.co.gresearch.siembol</groupId>
<artifactId>siembol</artifactId>
<version>1.3.5-SNAPSHOT</version>
<version>1.3.6-SNAPSHOT</version>
<relativePath>../../pom.xml</relativePath>
</parent>
<dependencyManagement>
Expand Down Expand Up @@ -43,7 +43,7 @@
<dependency>
<groupId>uk.co.gresearch.siembol</groupId>
<artifactId>siembol-common</artifactId>
<version>1.3.5-SNAPSHOT</version>
<version>1.3.6-SNAPSHOT</version>
<exclusions>
<exclusion>
<groupId>org.slf4j</groupId>
6 changes: 3 additions & 3 deletions enriching/enriching-core/pom.xml
Expand Up @@ -11,7 +11,7 @@
<parent>
<groupId>uk.co.gresearch.siembol</groupId>
<artifactId>enriching</artifactId>
<version>1.3.5-SNAPSHOT</version>
<version>1.3.6-SNAPSHOT</version>
</parent>
<dependencies>
<dependency>
Expand All @@ -35,12 +35,12 @@
<dependency>
<groupId>uk.co.gresearch.siembol</groupId>
<artifactId>siembol-common</artifactId>
<version>1.3.5-SNAPSHOT</version>
<version>1.3.6-SNAPSHOT</version>
</dependency>
<dependency>
<groupId>uk.co.gresearch.siembol</groupId>
<artifactId>alerting-core</artifactId>
<version>1.3.5-SNAPSHOT</version>
<version>1.3.6-SNAPSHOT</version>
</dependency>
<dependency>
<groupId>org.adrianwalker</groupId>
4 changes: 2 additions & 2 deletions enriching/enriching-storm/pom.xml
Expand Up @@ -9,7 +9,7 @@
<parent>
<groupId>uk.co.gresearch.siembol</groupId>
<artifactId>enriching</artifactId>
<version>1.3.5-SNAPSHOT</version>
<version>1.3.6-SNAPSHOT</version>
</parent>
<dependencies>
<dependency>
Expand Down Expand Up @@ -62,7 +62,7 @@
<dependency>
<groupId>uk.co.gresearch.siembol</groupId>
<artifactId>enriching-core</artifactId>
<version>1.3.5-SNAPSHOT</version>
<version>1.3.6-SNAPSHOT</version>
<exclusions>
<exclusion>
<groupId>org.slf4j</groupId>
