Sigma Rules
This documentation page describes the parsing of Sigma rules and working with the Sigma objects that result from parsed rules.
Parsing
Programmatic Construction
Rule Collections
Rule Object Model
SigmaRule
SigmaLogSource
SigmaDetections
SigmaDetection
SigmaDetectionItem
SigmaRuleTag
SigmaLevel
SigmaStatus
Sigma Data Types
SigmaString
- class sigma.types.SigmaString(s: Optional[str] = None)
Strings in Sigma detection values, which may contain wildcards.
- contains_placeholder(include: Optional[List[str]] = None, exclude: Optional[List[str]] = None) -> bool
Check if the string contains placeholders and if any placeholder name is
- contained in the include list (if there is one), and
- not contained in the exclude list (if there is one).
It is sufficient that one placeholder matches these conditions. The purpose of this method is to determine whether there are placeholders that need further processing.
- contains_special() -> bool
Check if the string contains special characters (wildcards).
- convert(escape_char: Optional[str] = '\\', wildcard_multi: Optional[str] = '*', wildcard_single: Optional[str] = '?', add_escaped: str = '', filter_chars: str = '') -> str
Convert the SigmaString into a query string or pattern. The following parameters change the behavior:
escape_char: the character used to escape special characters. By default only the wildcard characters are escaped.
wildcard_multi and wildcard_single: the strings that are output for the multi-character and single-character wildcards.
add_escaped: characters that are escaped in addition to the wildcards.
filter_chars: characters that are filtered out of the output.
Setting either of the wildcard parameters (multi or single) to None indicates that the target query language does not support that feature. If the corresponding wildcard appears in the string, a SigmaValueError is raised.
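The escaping rules above can be tried out without the library installed using the following added example. It is not pySigma's own code but a small re-implementation of the documented semantics: a tokenizer that splits a rule value into plain text and wildcard tokens (backslash escapes only `*`, `?` and `\`, as in the Sigma specification) and a `convert()` with the same parameters as on this page. The `SpecialChars` and `ConversionError` names, the `to_sql_like()` backend mapping and the sample values are assumptions made for the example.

```python
# Added example (not pySigma's own code): re-implementation of the documented
# SigmaString tokenizing and convert() parameter semantics.
from enum import Enum
from typing import List, Optional, Union


class SpecialChars(Enum):
    """Wildcard tokens a Sigma string may contain (names mirror the page's SpecialChars)."""
    WILDCARD_MULTI = "*"
    WILDCARD_SINGLE = "?"


class ConversionError(ValueError):
    """Stands in for SigmaValueError: a wildcard appeared but the backend declared it unsupported."""


def parse_sigma_string(s: str) -> List[Union[str, SpecialChars]]:
    """Split a rule value into plain-text runs and wildcard tokens.
    A backslash escapes a following '*', '?' or '\\'; any other backslash is literal."""
    parts: List[Union[str, SpecialChars]] = []
    buf = ""
    i = 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s) and s[i + 1] in "*?\\":
            buf += s[i + 1]  # escaped special character is taken literally
            i += 2
            continue
        if c in ("*", "?"):
            if buf:
                parts.append(buf)
                buf = ""
            parts.append(SpecialChars(c))
        else:
            buf += c
        i += 1
    if buf:
        parts.append(buf)
    return parts


def convert(parts: List[Union[str, SpecialChars]], escape_char: Optional[str] = "\\",
            wildcard_multi: Optional[str] = "*", wildcard_single: Optional[str] = "?",
            add_escaped: str = "", filter_chars: str = "") -> str:
    """Render the token list as a backend pattern, following the documented parameters."""
    # By default only the wildcard characters themselves are escaped in plain text;
    # a backend that needs its escape character escaped too passes it via add_escaped.
    escaped_chars = set(add_escaped)
    if wildcard_multi is not None:
        escaped_chars.add(wildcard_multi)
    if wildcard_single is not None:
        escaped_chars.add(wildcard_single)
    out = ""
    for part in parts:
        if isinstance(part, str):
            for c in part:
                if c in filter_chars:
                    continue  # filtered characters are dropped entirely
                if c in escaped_chars and escape_char is not None:
                    out += escape_char
                out += c
        elif part is SpecialChars.WILDCARD_MULTI:
            if wildcard_multi is None:
                raise ConversionError("multi-character wildcard not supported by target")
            out += wildcard_multi
        elif part is SpecialChars.WILDCARD_SINGLE:
            if wildcard_single is None:
                raise ConversionError("single-character wildcard not supported by target")
            out += wildcard_single
    return out


def to_sql_like(value: str) -> str:
    """Assumed backend mapping: SQL LIKE uses % and _ as wildcards, so literal % and _ are escaped."""
    return convert(parse_sigma_string(value), wildcard_multi="%", wildcard_single="_", add_escaped="%_")


def converts_cleanly(value: str, **kwargs) -> bool:
    """True if the value can be rendered with the given convert() parameters."""
    try:
        convert(parse_sigma_string(value), **kwargs)
        return True
    except ConversionError:
        return False


if __name__ == "__main__":
    # Constructed rule value: a CommandLine pattern with wildcards and a literal '%'.
    print(to_sql_like(r"*\powershell.exe -enc * 100% done"))
```

Note that a literal `*` in the rule (`\*`) comes out escaped for the backend, while an unescaped `*` becomes the backend's own wildcard, so a reviewer can check from the generated query whether the author meant a wildcard or a literal character.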
- endswith(val: Union[str, sigma.types.SpecialChars]) -> bool
Check if the string ends with a given string or special character.
- insert_placeholders() -> sigma.types.SigmaString
Replace %something% placeholders with Placeholder stub objects that can be handled later by the processing pipeline. This implements the expand modifier.
- replace_placeholders(callback: Callable[[sigma.types.Placeholder], Iterator[Union[str, sigma.types.SpecialChars, sigma.types.Placeholder]]]) -> List[sigma.types.SigmaString]
Iterate over all placeholders and call the callback for each one. The callback is called with the placeholder instance as argument and yields replacement values (plain strings or SpecialChars instances). Each yielded replacement value is concatenated to the SigmaString prefix before the placeholder, and the method is called recursively on the suffix after the placeholder. All placeholder replacements are combined with all returned SigmaString suffixes. The callback may therefore be called multiple times with the same placeholder instance and should return the same values each time so that the result is consistent.
The callback can return a plain string, a SpecialChars instance (for insertion of wildcards) or a Placeholder (e.g. to keep the placeholder for later processing pipeline items).
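The expansion algorithm described for insert_placeholders and replace_placeholders, as an added example that is not pySigma's code: it works on a simplified token list instead of a SigmaString, resolves placeholders from a constructed lookup table, and keeps unknown placeholders in place for a later pipeline stage, as the documentation allows. The `Placeholder` dataclass, `render()`, the `%name%` regular expression and the sample table are assumptions for the example.

```python
# Added example (not pySigma's own code): placeholder insertion and the
# recursive prefix/replacement/suffix expansion documented for replace_placeholders.
import re
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Iterator, List, Union


class SpecialChars(Enum):
    WILDCARD_MULTI = "*"


@dataclass(frozen=True)
class Placeholder:
    """Stub left in the token list where a %name% placeholder was found."""
    name: str


Token = Union[str, SpecialChars, Placeholder]

PLACEHOLDER_RE = re.compile(r"%(\w+)%")  # assumed placeholder syntax: %identifier%


def insert_placeholders(value: str) -> List[Token]:
    """Turn every %name% in a value into a Placeholder token (the expand modifier)."""
    pieces = PLACEHOLDER_RE.split(value)  # even indices are text, odd indices are names
    tokens: List[Token] = []
    for i, piece in enumerate(pieces):
        if i % 2 == 1:
            tokens.append(Placeholder(piece))
        elif piece:
            tokens.append(piece)
    return tokens


def replace_placeholders(tokens: List[Token],
                         callback: Callable[[Placeholder], Iterator[Token]]) -> List[List[Token]]:
    """Expand the first placeholder with every value the callback yields, then recurse
    into the suffix; the cartesian product of all placeholders' values is returned."""
    for i, tok in enumerate(tokens):
        if isinstance(tok, Placeholder):
            prefix, suffix = tokens[:i], tokens[i + 1:]
            results: List[List[Token]] = []
            for replacement in callback(tok):
                # The callback runs once per prefix path, so it must be deterministic.
                for expanded_suffix in replace_placeholders(suffix, callback):
                    results.append(prefix + [replacement] + expanded_suffix)
            return results
    return [tokens]  # no placeholder left: the token list itself is the only result


def render(tokens: List[Token]) -> str:
    """Join tokens back into a readable string; unresolved placeholders stay as %name%."""
    out = []
    for tok in tokens:
        if isinstance(tok, Placeholder):
            out.append(f"%{tok.name}%")
        elif isinstance(tok, SpecialChars):
            out.append(tok.value)
        else:
            out.append(tok)
    return "".join(out)


def expand_with_table(value: str, table: Dict[str, List[str]]) -> List[str]:
    """Resolve placeholders from a lookup table; names missing from the table are kept."""
    def lookup(ph: Placeholder) -> Iterator[Token]:
        if ph.name in table:
            yield from table[ph.name]
        else:
            yield ph  # keep for a later pipeline item or the backend
    return [render(t) for t in replace_placeholders(insert_placeholders(value), lookup)]


# Constructed lookup table, e.g. privileged accounts a detection should watch.
SAMPLE_TABLE = {"admin_users": ["alice", "bob"], "domains": ["corp.local", "lab.local"]}

if __name__ == "__main__":
    for line in expand_with_table("user=%admin_users%@%domains% via=%unresolved%", SAMPLE_TABLE):
        print(line)
```

Because the result is the cartesian product of all placeholder values, a rule with several placeholders over large lists expands into many strings; a backend that supports list lookups natively would instead replace the placeholder with a SigmaQueryExpression rather than expanding it.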
- replace_with_placeholder(regex: Pattern, placeholder_name: str) -> sigma.types.SigmaString
Replace all occurrences of the string parts matching the regular expression with a placeholder.
- Parameters:
regex (Pattern) – regular expression that should be matched.
placeholder_name (str) – name of the placeholder that should be inserted.
- Returns: a string with the replacement placeholders.
- Return type: sigma.types.SigmaString
- startswith(val: Union[str, sigma.types.SpecialChars]) -> bool
Check if the string starts with a given string or special character.
- to_plain()
Return the plain string representation of the SigmaString, equivalent to converting it with str().
SigmaNumber
- class sigma.types.SigmaNumber(number: Union[int, float])
Numeric value type.
SigmaBool
- class sigma.types.SigmaBool(boolean: bool)
Boolean value type.
SigmaNull
- class sigma.types.SigmaNull(dummy: Optional[Any] = None)
Empty/none/null value.
SigmaRegularExpression
SigmaCIDRExpression
- class sigma.types.SigmaCIDRExpression(cidr: str, source: Optional[sigma.exceptions.SigmaRuleLocation] = None)
CIDR IP address range expression type.
- convert(join_expr: str, template: str = '{network}', wildcard: Optional[str] = '*') -> str
Convert a network into a query expression. This is controlled by the following parameters:
join_expr: string used to join multiple network wildcard patterns, e.g. for logical linking with OR.
template: each resulting pattern is inserted at the {network} placeholder of this template. By default the pattern is passed through unchanged. This can be used to add an annotation or function that the target query language requires to treat the value as a CIDR network.
wildcard: string used as the wildcard character, or None if the query language can handle CIDR notation itself.
- expand(wildcard: Optional[str] = '*') -> List[str]
Convert the CIDR range into a list of wildcard patterns or into plain CIDR notation. The following parameter changes the behavior:
wildcard: string that should be output as the wildcard.
Setting wildcard to None indicates that expansion is not needed because the query language handles CIDR notation properly.
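To show what expand() and convert() produce for a backend with and without native CIDR support, here is an added example that is not pySigma's own code. It re-implements the documented behavior for IPv4 on top of the standard library's ipaddress module: a prefix on an octet boundary becomes one wildcard pattern, any other prefix is split into the aligned subnets it covers, and wildcard=None returns the plain CIDR string. The IPv4-only restriction and the sample field names and templates are assumptions for the example.

```python
# Added example (not pySigma's own code): CIDR expansion into octet-boundary wildcard
# patterns, and embedding of the patterns into a backend template.
import ipaddress
from typing import List, Optional


def expand(cidr: str, wildcard: Optional[str] = "*") -> List[str]:
    """Return wildcard patterns covering the network, or the plain CIDR if the backend supports it."""
    net = ipaddress.ip_network(cidr, strict=True)  # strict: host bits must be zero
    if wildcard is None:
        return [str(net)]
    if net.version != 4:
        raise ValueError("this example only expands IPv4 networks")  # assumption for the example
    if net.prefixlen == 32:
        return [str(net.network_address)]  # a single host needs no wildcard
    # Round the prefix up to the next octet boundary (8/16/24) and enumerate the
    # aligned subnets; each one is expressed as its leading octets plus the wildcard.
    aligned = ((net.prefixlen + 7) // 8) * 8
    subnets = [net] if aligned == net.prefixlen else list(net.subnets(new_prefix=aligned))
    keep = aligned // 8
    patterns = []
    for sub in subnets:
        octets = str(sub.network_address).split(".")
        patterns.append(".".join(octets[:keep] + [wildcard]))
    return patterns


def convert(cidr: str, join_expr: str, template: str = "{network}",
            wildcard: Optional[str] = "*") -> str:
    """Embed every pattern into the template and join them, as documented for convert()."""
    return join_expr.join(template.format(network=p) for p in expand(cidr, wildcard))


if __name__ == "__main__":
    # Constructed detection value: a private range that an internal-only service should see.
    # Backend without CIDR support: wildcard patterns joined with OR.
    print(convert("192.168.0.0/15", " OR ", "DestinationIp={network}"))
    # Backend with a native CIDR function: no expansion, one expression.
    print(convert("10.0.0.0/8", " OR ", "cidrmatch(DestinationIp, {network})", wildcard=None))
```

The wildcard form is a string match, not an address comparison: "192.168.*" is only as precise as the field it is applied to, so backends that offer a CIDR function should be given wildcard=None, and fields that may carry an address plus extra text (port suffixes, bracketed IPv6) need the template to anchor the pattern.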
SigmaCompareExpression
- class sigma.types.SigmaCompareExpression(number: sigma.types.SigmaNumber, op: sigma.types.SigmaCompareExpression.CompareOperators, source: Optional[sigma.exceptions.SigmaRuleLocation] = None)
- class CompareOperators(value)
An enumeration of the supported comparison operators.
SigmaQueryExpression
- class sigma.types.SigmaQueryExpression(expr: str)
Special purpose type for passing a query part (e.g. list lookups in placeholders) directly into the generated query. The query string may contain a {field} placeholder, which is replaced with the field name of the detection item that contains the query expression. This is done by the finalize method.
Because this type is very specific to the target language, it has to be used in late stages of the conversion process, by backend-specific processing pipelines or by the backend itself.