Add license header
cugu committed May 29, 2020
1 parent abf1a2c commit 70935d2
Showing 5 changed files with 138 additions and 90 deletions.
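--- a/Makefile
+++ b/Makefile
@@ -2,7 +2,7 @@
 TMPOUT = $(shell tempfile||mktemp)
 COVSCOPE = tools/sigma/*.py,tools/sigma/backends/*.py,tools/sigmac,tools/merge_sigma,tools/sigma2attack
 export COVERAGE = coverage
-test: clearcov test-rules test-sigmac test-merge test-sigma2attack build finish
+test: clearcov test-rules test-sigmac test-merge test-backend-sql test-sigma2attack build finish
 
 clearcov:
 rm -f .coverage
@@ -108,6 +108,9 @@ test-merge:
 test-backend-es-qs:
 tests/test-backend-es-qs.py
 
+test-backend-sql:
+pytest tests/test_backend_sql.py tests/test_backend_sqlite.py
+
 test-sigma2attack:
 $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigma2attack
 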
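Review bot: The new `test-backend-sql` target invokes `pytest` directly, while the neighbouring targets (`test-sigma2attack` right below it) run through `$(COVERAGE) run -a --include=$(COVSCOPE)`, so the SQL and SQLite backend tests will not contribute to the `.coverage` file that `clearcov` resets and the `test` target accumulates. Running them under the same wrapper keeps the targets consistent and gives the new backend code coverage numbers: `$(COVERAGE) run -a --include=$(COVSCOPE) -m pytest tests/test_backend_sql.py tests/test_backend_sqlite.py`. The recipe's leading tab is not visible in the rendered page, so whether it is present could not be checked here.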
23 changes: 12 additions & 11 deletions tools/sigma/backends/sql.py
@@ -1,5 +1,6 @@
# Output backends for sigmac
# Copyright 2019 Jayden Zheng
# Copyright 2020 Jonas Hagg

# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published by
Expand Down Expand Up @@ -36,7 +37,7 @@ class SQLBackend(SingleTextQueryBackend):
notNullExpression = "%s=*" # Expression of queries for not null values. %s is field name
mapExpression = "%s = %s" # Syntax for field/value conditions. First %s is fieldname, second is value
mapMulti = "%s IN %s" # Syntax for field/value conditions. First %s is fieldname, second is value
mapWildcard = "%s LIKE %s escape \'\\\'"# Syntax for swapping wildcard conditions: Adding \ as escape character
mapWildcard = "%s LIKE %s ESCAPE \'\\\'"# Syntax for swapping wildcard conditions: Adding \ as escape character
mapSource = "%s=%s" # Syntax for sourcetype
mapListsSpecialHandling = False # Same handling for map items with list values as for normal values (strings, integers) if True, generateMapItemListNode method is called with node
mapListValueExpression = "%s OR %s" # Syntax for field/value condititons where map value is a list
Expand Down Expand Up @@ -87,13 +88,13 @@ def generateMapItemNode(self, node):

has_wildcard = re.search(r"((\\(\*|\?|\\))|\*|\?|_|%)", self.generateNode(value))

if "," in self.generateNode(value) and not has_wildcard:
if "," in self.generateNode(value) and not has_wildcard:
return self.mapMulti % (transformed_fieldname, self.generateNode(value))
elif "LENGTH" in transformed_fieldname:
return self.mapLength % (transformed_fieldname, value)
elif type(value) == list:
return self.generateMapItemListNode(transformed_fieldname, value)
elif self.mapListsSpecialHandling == False and type(value) in (str, int, list) or self.mapListsSpecialHandling == True and type(value) in (str, int):
elif self.mapListsSpecialHandling == False and type(value) in (str, int, list) or self.mapListsSpecialHandling == True and type(value) in (str, int):
if has_wildcard:
return self.mapWildcard % (transformed_fieldname, self.generateNode(value))
else:
Expand All @@ -107,7 +108,7 @@ def generateMapItemNode(self, node):

def generateMapItemListNode(self, key, value):
return "(" + (" OR ".join([self.mapWildcard % (key, self.generateValueNode(item)) for item in value])) + ")"

def generateValueNode(self, node):
return self.valueExpression % (self.cleanValue(str(node)))

Expand Down Expand Up @@ -144,11 +145,11 @@ def cleanValue(self, val):
#Replace ? with _, if even number of backsashes (or zero) in front of ?
val = re.sub(r"(?<!\\)(\\\\)*(?!\\)\?", r"\1_", val)
return val

def generateAggregation(self, agg, where_clausel):
if not agg:
return self.table, where_clausel

if (agg.aggfunc == SigmaAggregationParser.AGGFUNC_COUNT or
agg.aggfunc == SigmaAggregationParser.AGGFUNC_MAX or
agg.aggfunc == SigmaAggregationParser.AGGFUNC_MIN or
Expand All @@ -161,18 +162,18 @@ def generateAggregation(self, agg, where_clausel):
group_by = ""

if agg.aggfield:
select = "{}({}) AS AGG".format(agg.aggfunc_notrans, self.fieldNameMapping(agg.aggfield, None))
select = "{}({}) AS agg".format(agg.aggfunc_notrans, self.fieldNameMapping(agg.aggfield, None))
else:
if agg.aggfunc == SigmaAggregationParser.AGGFUNC_COUNT:
select = "{}(*) AS AGG".format(agg.aggfunc_notrans)
select = "{}(*) AS agg".format(agg.aggfunc_notrans)
else:
raise SigmaParseError("For {} aggregation a fieldname needs to be specified".format(agg.aggfunc_notrans))

temp_table = "(SELECT {} FROM {} WHERE {}{})".format(select, self.table, where_clausel, group_by)
agg_condition = "AGG {} {}".format(agg.cond_op, agg.condition)
agg_condition = "agg {} {}".format(agg.cond_op, agg.condition)

return temp_table, agg_condition

raise NotImplementedError("{} aggregation not implemented in SQL Backend".format(agg.aggfunc_notrans))

def generateQuery(self, parsed):
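Review bot: In generateMapItemNode (hunk `@@ -87,13 +88,13 @@`), the branch `if "," in self.generateNode(value) and not has_wildcard:` decides on the `IN` form by inspecting the rendered text rather than the value's type, so a scalar string value that happens to contain a comma would presumably be emitted as `field IN 'a,b'` instead of an equality; how a plain string is rendered depends on valueExpression, which is outside this hunk, so this is inferred rather than observed. Gating on the type first keeps the decision independent of the rendered text and leaves list handling unchanged: `if type(value) == list and "," in self.generateNode(value) and not has_wildcard:`. generateMapItemNode begins before this hunk, so the derivation of `value` and `transformed_fieldname` could not be checked. The commit only touches whitespace on these lines, so the point applies to the retained logic rather than to the change itself.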
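--- a/tools/sigma/backends/sqlite.py
+++ b/tools/sigma/backends/sqlite.py
@@ -1,3 +1,18 @@
+# Output backends for sigmac
+# Copyright 2020 Jonas Hagg
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Lesser General Public License for more details.
+
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
 
 from sigma.backends.sql import SQLBackend
 from sigma.parser.condition import NodeSubexpression, ConditionAND, ConditionOR, ConditionNOT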