git地址:https://github.com/SigmaHQ/sigma/tree/master/tools
1、使用方法:
tools/sigmac -t es-dsl -c config/elk-defaultindex.yml rules/application/app_sqlinjection_errors.yml
轉換結果:
{
"query": {
"constant_score": {
"filter": {
"bool": {
"should": [
{
"multi_match": {
"query": "quoted string not properly terminated",
"fields": [],
"type": "phrase"
}
},
{
"multi_match": {
"query": "You have an error in your SQL syntax",
"fields": [],
"type": "phrase"
}
},
{
"multi_match": {
"query": "Unclosed quotation mark",
"fields": [],
"type": "phrase"
}
},
{
"multi_match": {
"query": "near \"*\": syntax error",
"fields": [],
"type": "phrase"
}
},
{
"multi_match": {
"query": "SELECTs to the left and right of UNION do not have the same number of result columns",
"fields": [],
"type": "phrase"
}
}
]
}
}
}
}
}
-t 轉換目標,例如 es-dsl ,將規則轉換為es-dsl格式的語句;-c 配置文件;最后的yml文件則是規則文件。
可以添加參數-r ,指定需要轉換規則文件夾,則會將文件夾內的規則全部轉換,產生的結果是一個列表。
2、sigma轉換工具
https://uncoder.io/#
3、sigma生成att&ck
sigma規則大部分對應到了ATT&CK,例如 app_python_sql_exceptions.yml 是 t1190。
python3 sigma2attack -d /home/rules/application/, -d指定文件夾
會生成一個heatmap.json 文件,文件內容如下:
{ "domain": "mitre-enterprise", "name": "Sigma rules heatmap", "gradient": { "colors": [ "#ffffff", "#ff6666" ], "maxValue": 5, "minValue": 0 }, "versions": { "navigator": "4.0", "layer": "4.0" }, "techniques": [ { "techniqueID": "T1190", "score": 5, "comment": "app_python_sql_exceptions.yml\napp_sqlinjection_errors.yml\nappframework_django_exceptions.yml\nappframework_ruby_on_rails_exceptions.yml\nappframework_spring_exceptions.yml" } ] }