Fixes

* Removed Splunk regex query * Added test for sumologic-cse backend
lukiffer · Oct 23, 2020 · 2fb7dd5 · 2fb7dd5
1 parent 9dc8064
commit 2fb7dd5
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 11 deletions.
diff --git a/Makefile b/Makefile
@@ -59,6 +59,7 @@ test-sigmac:
 	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t netwitness -c tools/config/netwitness.yml rules/ > /dev/null
 	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t netwitness-epl -c netwitness-epl rules/ > /dev/null
 	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t sumologic -O rulecomment -c tools/config/sumologic.yml rules/ > /dev/null
+	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t sumologic-cse -O rulecomment -c tools/config/sumologic.yml rules/ > /dev/null
 	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t humio -O rulecomment -c tools/config/humio.yml rules/ > /dev/null
 	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t crowdstrike -O rulecomment -c tools/config/crowdstrike.yml rules/ > /dev/null
 	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t sql -c sysmon rules/ > /dev/null

diff --git a/tools/sigma/backends/splunk.py b/tools/sigma/backends/splunk.py
@@ -18,8 +18,6 @@
 import sigma
 from .base import SingleTextQueryBackend
 from .mixins import MultiRuleOutputMixin
-from sigma.parser.modifiers.type import SigmaRegularExpressionModifier
-
 
 class SplunkBackend(SingleTextQueryBackend):
     """Converts Sigma rule into Splunk Search Processing Language (SPL)."""
@@ -70,7 +68,7 @@ def generateAggregation(self, agg):
                     agg.aggfunc_notrans = 'dc'
             return " | eventstats %s(%s) as val by %s | search val %s %s" % (agg.aggfunc_notrans, agg.aggfield or "", agg.groupfield or "", agg.cond_op, agg.condition)
 
-        
+
     def generate(self, sigmaparser):
         """Method is called for each sigma rule and receives the parsed rule (SigmaParser)"""
         columns = list()
@@ -108,7 +106,7 @@ def generate(self, sigmaparser):
                 result += fields
 
             return result
-    
+
 class SplunkXMLBackend(SingleTextQueryBackend, MultiRuleOutputMixin):
     """Converts Sigma rule into XML used for Splunk Dashboard Panels"""
     identifier = "splunkxml"
@@ -177,9 +175,6 @@ def finalize(self):
 class CrowdStrikeBackend(SplunkBackend):
     """Converts Sigma rule into CrowdStrike Search Processing Language (SPL)."""
     identifier = "crowdstrike"
-    typedValueExpression = {
-        SigmaRegularExpressionModifier: 'regex field=%s "%s"'
-    }
 
     def generate(self, sigmaparser):
         lgs = sigmaparser.parsedyaml.get("logsource")
@@ -215,7 +210,4 @@ def generate(self, sigmaparser):
             raise NotImplementedError("Not supported logsources!")
 
     def generateMapItemTypedNode(self, fieldname, value):
-        if isinstance(value, SigmaRegularExpressionModifier):
-            return self.typedValueExpression.get(type(value)) % (fieldname, value)
-        else:
-            return super().generateMapItemTypedNode(fieldname=fieldname, value=value)
+        return super().generateMapItemTypedNode(fieldname=fieldname, value=value)