

chg: separate markdown(supported/unsupported)
fukusuket committed Sep 1, 2024
1 parent 5a279d8 commit d8888c6
Showing 2 changed files with 53 additions and 37 deletions.
63 changes: 35 additions & 28 deletions doc/SupportedSigmaFieldModifiers.md
@@ -1,31 +1,38 @@
| Sigma Count | Hayabusa Count | Field Modifier | Hayabusa Support |
|--------------:|-----------------:|:----------------------|:-------------------|
| 13 | 13 | all | Yes |
| 7 | 11 | base64offsetǀcontains | Yes |
| 34 | 62 | cidr | Yes |
| 2738 | 4512 | contains | Yes |
| 970 | 1653 | containsǀall | Yes |
| 4 | 8 | containsǀallǀwindash | Yes |
| 1 | 0 | containsǀexpand | No |
| 76 | 150 | containsǀwindash | Yes |
| 2893 | 4683 | endswith | Yes |
| 1 | 2 | endswithǀwindash | Yes |
| 8 | 0 | expand | No |
| 165 | 237 | re | Yes |
| 436 | 542 | startswith | Yes |
| 0 | 0 | exists | Yes |
| 0 | 0 | cased | Yes |
| 0 | 0 | reǀi | Yes |
| 0 | 0 | reǀm | Yes |
| 0 | 0 | reǀs | Yes |
| 0 | 0 | base64ǀutf16le | No |
| 0 | 0 | base64ǀutf16be | No |
| 0 | 0 | base64ǀwide | No |
| 0 | 0 | lt | No |
| 0 | 0 | lte | No |
| 0 | 0 | gt | No |
| 0 | 0 | gte | No |
| 0 | 0 | fieldref | No |
# Hayabusa supported field modifiers
| Field Modifier | Sigma Count | Hayabusa Count |
|:----------------------|--------------:|-----------------:|
| all | 13 | 0 |
| base64offsetǀcontains | 7 | 0 |
| cased | 0 | 0 |
| cidr | 34 | 0 |
| contains | 2738 | 9 |
| containsǀall | 970 | 0 |
| containsǀallǀwindash | 4 | 0 |
| containsǀwindash | 76 | 0 |
| endswith | 2893 | 34 |
| endswithfield | 0 | 0 |
| endswithǀwindash | 1 | 0 |
| equalsfield | 0 | 0 |
| exists | 0 | 0 |
| re | 165 | 9 |
| reǀi | 0 | 0 |
| reǀm | 0 | 0 |
| reǀs | 0 | 0 |
| startswith | 436 | 6 |

# Hayabusa unsupported field modifiers
| Field Modifier | Sigma Count | Hayabusa Count |
|:-----------------|--------------:|-----------------:|
| base64ǀutf16be | 0 | 0 |
| base64ǀutf16le | 0 | 0 |
| base64ǀwide | 0 | 0 |
| containsǀexpand | 1 | 0 |
| expand | 8 | 0 |
| fieldref | 0 | 0 |
| gt | 0 | 0 |
| gte | 0 | 0 |
| lt | 0 | 0 |
| lte | 0 | 0 |

Updated: 2024/09/01
Author: Fukusuke Takahashi
27 changes: 18 additions & 9 deletions scripts/supported_modifiers_check/supported-modifier.py
Expand Up @@ -33,7 +33,7 @@ def add_missing_modifiers(counter: Counter) -> Counter:
check_strings = [
'all', 'startswith', 'endswith', 'contains', 'exists', 'cased', 'windash', 're', 're|i', 're|m', 're|s',
'base64', 'base64offset', 'base64|utf16le', 'base64|utf16be', 'base64|utf16', 'base64|wide',
'lt', 'lte', 'gt', 'gte', 'cidr', 'expand', 'fieldref'
'lt', 'lte', 'gt', 'gte', 'cidr', 'expand', 'fieldref', 'equalsfield', 'endswithfield'
]

for key in check_strings:
Expand All @@ -51,6 +51,8 @@ def get_yml_detection_counts(dir_path: str) -> Counter:
contents = ruamel.yaml.YAML().load_all(f)
for content in contents:
if content.get('logsource', {}).get('product') == 'windows':
if content.get('ruletype', "") == "Sigma":
continue
yml_detection_keys.extend(extract_keys_recursive(content.get('detection', {})))
logging.info('Finished processing YAML files')
return add_missing_modifiers(Counter(sorted(yml_detection_keys)))
Expand All @@ -67,24 +69,31 @@ def get_yml_detection_counts(dir_path: str) -> Counter:

sigma_key_counter = get_yml_detection_counts(args.sigma_path)
hayabusa_key_counter = get_yml_detection_counts(args.hayabusa_path)
header = ["Sigma Count", "Hayabusa Count", "Field Modifier", "Hayabusa Support"]
hayabusa_supported = {"all", "base64offset", "contains", "cidr", "windash", "endswith", "startswith", "re", "exists", "cased", "re", "re|i", "re|m", "re|s"}
header = ["Field Modifier", "Sigma Count", "Hayabusa Count"]
hayabusa_supported = {"all", "base64offset", "contains", "cidr", "windash", "endswith", "startswith", "re", "exists", "cased", "re", "re|i", "re|m", "re|s" , 'equalsfield', 'endswithfield'}

result = []
result_supported = []
result_unsupported = []
for k, v in sigma_key_counter.items():
modifiers = [x for x in str(k).split('|') if x]
supported_modifier = all(map(lambda x: True if x in hayabusa_supported else False, modifiers))
supported_modifier = "Yes" if supported_modifier else "No"
supported_modifier = "Yes" if k in hayabusa_supported else supported_modifier
hayabusa_count = hayabusa_key_counter.get(k, 0)
result.append([v, hayabusa_count, k.strip('|').replace('|', 'ǀ'), supported_modifier])
res = [k.strip('|').replace('|', 'ǀ'), v, hayabusa_count]
if supported_modifier == "Yes":
result_supported.append(res)
else:
result_unsupported.append(res)

markdown_str = pd.DataFrame(result, columns=header).to_markdown(index=False)
formatted_datetime = datetime.datetime.now().strftime('%Y/%m/%d')
markdown_str = f"{markdown_str}\n\nUpdated: {formatted_datetime} \nAuthor: Fukusuke Takahashi"
markdown_str = "# Hayabusa supported field modifiers\n"
markdown_str = markdown_str + pd.DataFrame(sorted(result_supported), columns=header).to_markdown(index=False)
markdown_str = markdown_str + "\n\n# Hayabusa unsupported field modifiers\n"
markdown_str = markdown_str + pd.DataFrame(sorted(result_unsupported), columns=header).to_markdown(index=False)
markdown_str = f"{markdown_str}\n\nUpdated: {datetime.datetime.now().strftime('%Y/%m/%d')} \nAuthor: Fukusuke Takahashi"
Path(args.out_path).write_text(markdown_str)

end_time = time.time()
execution_time = end_time - start_time

logging.info(f'Markdown report generated and saved to {args.out_path}')
logging.info(f'Script execution completed in {execution_time:.2f} seconds')
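Review bot: The new `ruletype == "Sigma"` skip at the top of the loop in get_yml_detection_counts silently changes what "Hayabusa Count" means — the function is called for both `args.sigma_path` and `args.hayabusa_path`, so the Hayabusa column now counts only rules without `ruletype: Sigma`, which is why the regenerated table drops from thousands to single digits — but neither the function nor the generated markdown says so. A comment such as `# skip Sigma-converted rules so the Hayabusa column only counts Hayabusa-native rules` on the `continue`, plus a one-line note under the "# Hayabusa supported field modifiers" heading in the generated text, would keep readers from reading the 0 counts as "unused by Hayabusa". In the third hunk `hayabusa_supported` lists `"re"` twice and mixes `"..."` with `'equalsfield', 'endswithfield'` and a stray space before the comma; `{"all", ..., "re|s", "equalsfield", "endswithfield"}` in one quote style is enough. The fallback `"Yes" if k in hayabusa_supported` compares the raw key, which the later `.strip('|')` suggests may carry a leading `|`, so a real `|re|i` occurrence would presumably be classified "No" while the zero-count `re|i` placeholder lands under supported — worth confirming against extract_keys_recursive. The top-level statement run edited by the third hunk starts before the hunk.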
