From 3b0665e1708d4d1ec00cc2df3b17e4023c395970 Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Sat, 21 Dec 2024 23:36:05 +0900
Subject: [PATCH] chg: update supported modifier
---
 doc/SupportedSigmaFieldModifiers.md | 32 ++++++++++---------
 .../supported-modifier.py | 6 ++--
 2 files changed, 20 insertions(+), 18 deletions(-)
diff --git a/doc/SupportedSigmaFieldModifiers.md b/doc/SupportedSigmaFieldModifiers.md
index 507efd6f3..6a250e700 100644
--- a/doc/SupportedSigmaFieldModifiers.md
+++ b/doc/SupportedSigmaFieldModifiers.md
@@ -9,6 +9,7 @@
 | containsǀall | 978 | 0 |
 | containsǀallǀwindash | 4 | 0 |
 | containsǀcased | 0 | 0 |
+| containsǀexpand | 1 | 0 |
 | containsǀwindash | 78 | 0 |
 | endswith | 2927 | 271 |
 | endswithfield | 0 | 0 |
@@ -16,6 +17,7 @@
 | endswithǀwindash | 2 | 0 |
 | equalsfield | 0 | 0 |
 | exists | 0 | 0 |
+| expand | 9 | 0 |
 | fieldref | 1 | 1 |
 | fieldrefǀcontains | 0 | 0 |
 | fieldrefǀendswith | 0 | 2 |
@@ -36,25 +38,25 @@
 | wideǀbase64offsetǀcontains | 0 | 0 |
 # Hayabusa unsupported field modifiers
-| Field Modifier | Sigma Count | Hayabusa Count |
-|:-----------------|--------------:|-----------------:|
-| containsǀexpand | 1 | 0 |
-| expand | 9 | 0 |
+| Field Modifier | Sigma Count | Hayabusa Count |
+|------------------|---------------|------------------|
 # Hayabusa supported correlation rules
-| Correlation Rule | Sigma Count | Hayabusa Count |
-|:----------------------------|--------------:|-----------------:|
-| event_count | 0 | 0 |
-| event_count (with group-by) | 0 | 1 |
-| value_count | 0 | 0 |
-| value_count (with group-by) | 0 | 2 |
+| Correlation Rule | Sigma Count | Hayabusa Count |
+|:---------------------------------|--------------:|-----------------:|
+| event_count | 0 | 0 |
+| event_count (with group-by) | 0 | 1 |
+| temporal | 0 | 0 |
+| temporal (with group-by) | 0 | 0 |
+| temporal_ordered | 0 | 0 |
+| temporal_ordered (with group-by) | 0 | 0 |
+| value_count | 0 | 0 |
+| value_count (with group-by) | 0 | 2 |
 # Hayabusa un-supported correlations rules
-| Correlation Rule | Sigma Count | Hayabusa Count |
-|:-------------------------------|--------------:|-----------------:|
-| temporal_count | 0 | 0 |
-| temporal_count (with group-by) | 0 | 0 |
+| Correlation Rule | Sigma Count | Hayabusa Count |
+|--------------------|---------------|------------------|
 This document is being dynamically updated based on the latest rules.
-Last Update: 2024/12/19
+Last Update: 2024/12/21
 Author: Fukusuke Takahashi
\ No newline at end of file
diff --git a/scripts/supported_modifiers_check/supported-modifier.py b/scripts/supported_modifiers_check/supported-modifier.py
index 290738634..0be3b42db 100644
--- a/scripts/supported_modifiers_check/supported-modifier.py
+++ b/scripts/supported_modifiers_check/supported-modifier.py
@@ -68,7 +68,7 @@ def get_yml_detection_counts(dir_path: str) -> (Counter, Counter):
     ]
     sigma_correlations = [
         "value_count", "value_count (with group-by)", "event_count", "event_count (with group-by)",
-        "temporal_count", "temporal_count (with group-by)"
+        "temporal", "temporal (with group-by)", "temporal_ordered", "temporal_ordered (with group-by)"
     ]
     mod = count_modifiers(Counter(sorted(yml_detection_keys)), sigma_modifiers)
     cor = count_modifiers(Counter(sorted(yml_correlation_keys)), sigma_correlations)
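Review bot: The new `sigma_correlations` list is a hand-maintained copy of the correlation-rule names that the supported set near the bottom of the file also spells out, and this commit had to edit both in lockstep; a single module-level constant, `SIGMA_CORRELATIONS = ("value_count", "value_count (with group-by)", "event_count", "event_count (with group-by)", "temporal", "temporal (with group-by)", "temporal_ordered", "temporal_ordered (with group-by)")`, referenced as `sigma_correlations = list(SIGMA_CORRELATIONS)` here and as the source of the supported set there, would stop the two drifting the next time Sigma adds a correlation type. The `(with group-by)` labels must match exactly whatever builds `yml_correlation_keys`, which is outside this hunk, so that producer is worth re-checking whenever these strings change. The return annotation shown in the hunk header, `-> (Counter, Counter)`, is a tuple literal rather than a type; `-> tuple[Counter, Counter]` is what type checkers expect. `get_yml_detection_counts` starts before the hunk, and the `sigma_modifiers` list closed by its first line is likewise outside it.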
@@ -103,10 +103,10 @@ def categorize_modifiers(sigma_key_counter, hayabusa_key_counter, hayabusa_suppo
     sigma_mod_counter, sigma_col_counter = get_yml_detection_counts(args.sigma_path)
     hayabusa_mod_counter, hayabusa_col_counter = get_yml_detection_counts(args.hayabusa_path)
-    hayabusa_supported_modifiers = {"all", "base64offset", "contains", "cidr", "windash", "endswith", "startswith", "re", "exists", "cased", "re", "re|i", "re|m", "re|s" , 'equalsfield', 'endswithfield', 'fieldref', 'gt', 'gte', 'lt', 'lte', 'utf16', 'utf16be', 'utf16le', 'wide'}
+    hayabusa_supported_modifiers = {"all", "base64offset", "contains", "cidr", "windash", "endswith", "expand", "startswith", "re", "exists", "cased", "re", "re|i", "re|m", "re|s" , 'equalsfield', 'endswithfield', 'fieldref', 'gt', 'gte', 'lt', 'lte', 'utf16', 'utf16be', 'utf16le', 'wide'}
     mod_supported, mod_unsupported = categorize_modifiers(sigma_mod_counter, hayabusa_mod_counter, hayabusa_supported_modifiers)
-    hayabusa_supported_modifiers = {"event_count", "event_count (with group-by)", "value_count", "value_count (with group-by)"}
+    hayabusa_supported_modifiers = {"event_count", "event_count (with group-by)", "value_count", "value_count (with group-by)", "temporal", "temporal (with group-by)", "temporal_ordered", "temporal_ordered (with group-by)"}
     col_supported, col_unsupported = categorize_modifiers(sigma_col_counter, hayabusa_col_counter, hayabusa_supported_modifiers)
     markdown_str = "# Hayabusa supported field modifiers\n"
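Review bot: The rewritten `hayabusa_supported_modifiers` set literal still lists `"re"` twice (once before `"exists"` and again before `"re|i"`); that is harmless at runtime but is a lint finding (ruff B033) and a sign the set is grown by hand rather than derived from one source — drop the second `"re"` and the stray space in `"re|s" ,`. The same name is rebound two statements later to hold correlation-rule names, so a reader of the second `categorize_modifiers` call has to check which binding is live; `hayabusa_supported_correlations = {...}` says what it holds. The `"re|i"`, `"re|m"` and `"re|s"` entries use an ASCII pipe while the generated table in SupportedSigmaFieldModifiers.md separates modifiers with `ǀ` (U+01C0); if the Counter keys already carry the U+01C0 form when `categorize_modifiers` runs, these three entries can never match, so it is worth confirming the substitution happens only when the markdown is rendered. The enclosing block starts before the hunk and continues past `markdown_str`.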