Sigma Rules

This documentation page describes the parsing of Sigma rules and working with Sigma objects resulting from parsed rules.

Parsing

Programmatic Construction

Rule Collections

Rule Object Model

SigmaRule

SigmaLogSource

SigmaDetections

SigmaDetection

SigmaDetectionItem

SigmaRuleTag

SigmaLevel

SigmaStatus

Sigma Data Types

SigmaString

class sigma.types.SigmaString(s: Optional[str] = None)

Strings in Sigma detection values containing wildcards.

contains_placeholder(include: Optional[List[str]] = None, exclude: Optional[List[str]] = None) bool

Check if the string contains placeholders and if any placeholder name is

  • contained in the include list (if there is one)

  • not contained in the exclude list (if there is one)

It is sufficient that one placeholder matches these conditions. The purpose of this method is to determine if there are placeholders for further processing.

contains_special() bool

Check if the string contains special characters, i.e. wildcards.

convert(escape_char: Optional[str] = '\\', wildcard_multi: Optional[str] = '*', wildcard_single: Optional[str] = '?', add_escaped: str = '', filter_chars: str = '') str

Convert SigmaString into a query string or pattern. The following parameters allow to change the behavior:

  • escape_char: the character put in front of characters that have to be escaped. By default only the wildcard characters are escaped.

  • wildcard_multi and wildcard_single: strings that should be output as wildcards for multiple and single characters.

  • add_escaped: characters which are escaped in addition to the wildcards

  • filter_chars: characters that are filtered out.

Setting one of the wildcard parameters to None indicates that the target query language does not support that kind of wildcard. If such a wildcard then appears in the string, conversion raises a SigmaValueError.

endswith(val: Union[str, sigma.types.SpecialChars]) bool

Check if string ends with a given string or special character.

insert_placeholders() sigma.types.SigmaString

Replace %something% placeholders with Placeholder stub objects that are handled later by the processing pipeline. This implements the expand modifier.

replace_placeholders(callback: Callable[[sigma.types.Placeholder], Iterator[Union[str, sigma.types.SpecialChars, sigma.types.Placeholder]]]) List[sigma.types.SigmaString]

Iterate over all placeholders and call the callback for each one. The callback is called with the placeholder instance as argument and yields replacement values (plain strings or SpecialChars instances). Each yielded replacement value is concatenated to the SigmaString prefix before the placeholder, and the method is called recursively on the suffix after the placeholder. Every replacement is combined with every returned suffix, so the result is the cartesian product of the replacements of all placeholders. The callback can therefore be called multiple times with the same placeholder instance and should return the same results each time to ensure a consistent result.

The callback can return a plain string, a SpecialChars instance (for insertion of wildcards) or a Placeholder (e.g. to keep the placeholder for later processing pipeline items).

startswith(val: Union[str, sigma.types.SpecialChars]) bool

Check if string starts with a given string or special character.

to_plain()

Return plain string representation of SigmaString, equivalent to converting it with str().

SigmaNumber

class sigma.types.SigmaNumber(number: Union[int, float])

Numeric value type

SigmaBool

class sigma.types.SigmaBool(boolean: bool)

Boolean value type

SigmaNull

class sigma.types.SigmaNull(dummy: Optional[Any] = None)

Empty/none/null value

SigmaRegularExpression

class sigma.types.SigmaRegularExpression(regexp: str)

Regular expression type

compile()

Verify that the regular expression is valid by compiling it.

escape(escaped: Tuple[str] = (), escape_char: str = '\\') str

Escape the strings in the escaped tuple, as well as escape_char itself, with escape_char.

SigmaCIDRExpression

class sigma.types.SigmaCIDRExpression(cidr: str, source: Optional[sigma.exceptions.SigmaRuleLocation] = None)

CIDR IP address range expression type

convert(join_expr: str, template: str = '{network}', wildcard: Optional[str] = '*') str

Convert a network into a query expression. This is controlled by the following parameters:

  • join_expr: string used to join multiple network wildcard patterns, e.g. logical linking with OR.

  • template: the resulting pattern is substituted for the {network} placeholder in this template. By default the pattern is passed through unchanged. This can be used to add an annotation or function required by the target query language to handle the value as a CIDR network.

  • wildcard: string used as wildcard character or None if query language can handle CIDR properly.

expand(wildcard: Optional[str] = '*') List[str]

Convert CIDR range into a list of wildcard patterns or plain CIDR notation. The following parameters allow to change the behavior:

  • wildcard: string that should be output as wildcard.

Setting wildcard to None indicates that this expansion is not needed because the query language handles CIDR notation properly.
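The following added example shows the expansion and conversion described for SigmaCIDRExpression above as stand-alone code for IPv4. It is written for this page and is not pySigma's implementation: the functions expand, convert and covers are hypothetical, the strategy of rounding the prefix up to the next octet boundary and emitting one pattern per subnet of that size is the author's reconstruction of the documented behaviour, and a CIDR with host bits set is rejected here (IPv6 is not handled).

```python
import ipaddress
from fnmatch import fnmatchcase
from typing import List, Optional


def expand(cidr: str, wildcard: Optional[str] = "*") -> List[str]:
    """IPv4 CIDR -> list of wildcard patterns, or the CIDR itself when wildcard is None.

    The prefix is rounded up to the next octet boundary, the range is walked in steps of
    that subnet size, and the trailing octets are replaced by one wildcard. The union of
    the patterns is exactly the network: a /22 becomes four "a.b.c.*" patterns, a /16 one
    "a.b.*" pattern, and a /25 to /32 network is listed host by host.
    """
    net = ipaddress.IPv4Network(cidr)          # strict by default: host bits set -> ValueError
    if wildcard is None:
        return [str(net)]
    octet_prefix = -(-net.prefixlen // 8) * 8  # 22 -> 24, 16 -> 16, 12 -> 16, 30 -> 32
    step = 1 << (32 - octet_prefix)            # addresses covered by one pattern
    addrs = [ipaddress.IPv4Address(a)
             for a in range(int(net.network_address), int(net.broadcast_address) + 1, step)]
    if octet_prefix == 32:
        return [str(a) for a in addrs]         # no octet left to wildcard
    keep = octet_prefix // 8                   # leading octets that stay literal
    return [".".join(str(a).split(".")[:keep]) + "." + wildcard for a in addrs]


def convert(cidr: str, join_expr: str, template: str = "{network}",
            wildcard: Optional[str] = "*") -> str:
    """Join the expanded patterns for the target language, wrapping each one in template."""
    return join_expr.join(template.format(network=n) for n in expand(cidr, wildcard))


def covers(cidr: str, ip: str) -> bool:
    """Sanity check of the wildcard approximation: does any emitted pattern match ip?"""
    return any(fnmatchcase(ip, pattern) for pattern in expand(cidr))
```

For a target that understands CIDR natively, pass wildcard=None and a template that wraps the value in the language's network-matching function; for one that only has string wildcards, the pattern list joined with the language's OR is a precise substitute, at the price of up to 16 patterns for a /12 and one term per host below /24.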

SigmaCompareExpression

class sigma.types.SigmaCompareExpression(number: sigma.types.SigmaNumber, op: sigma.types.SigmaCompareExpression.CompareOperators, source: Optional[sigma.exceptions.SigmaRuleLocation] = None)
class CompareOperators(value)

An enumeration of the supported comparison operators (less than, less than or equal, greater than, greater than or equal).

SigmaQueryExpression

class sigma.types.SigmaQueryExpression(expr: str)

Special purpose type for passing a query part (e.g. list lookups in placeholders) directly into the generated query. The query string may contain a {field} placeholder, which is replaced with the field name of the detection item that contains the query expression. This is done by the finalize method.

Because this is very specific to the target language, it has to be used in late stages of the conversion process by backend-specific processing pipelines or the backend itself.