Sigma rule processing and conversion tools
Project description
pySigma
pySigma is a python library that parses and converts Sigma rules into queries.
It replaces a lot of the logic found in the sigmac tool, and brings it into a modern Python library. For a CLI version of the new Sigma tool, see (TBA).
Getting Started
To start using pySigma, install it using your python package manager of choice. Documentation with
some usage examples can be found here.
Poetry:
poetry add git+https://github.com/SigmaHQ/pySigma.git#main
Pipenv:
pipenv install git+https://github.com/SigmaHQ/pySigma.git#egg=pysigma
Features
pySigma brings a number of additional features over sigmac, as well as some changes.
Modifier compare from sigmac
| Modifier | Use | sigmac legacy |
|---|---|---|
| contains | the value is matched anywhere in the field (strings and regular expressions) | X |
| startswith | The value is expected at the beginning of the field's content (strings and regular expressions) | X |
| endswith | The value is expected at the end of the field's content (strings and regular expressions) | X |
| base64 | The value is encoded with Base64 | X |
| base64offset | If a value might appear somewhere in a base64-encoded value the representation might change depending on the position in the overall value | X |
| wide | transforms value to UTF16-LE encoding | X |
| re | value is handled as regular expression by backends | X |
| cidr | value is handled as a IP CIDR by backends | |
| all | This modifier changes OR logic to AND | X |
| lt | Field is less than the value | |
| lte | Field is less or egal than the value | |
| gt | Field is Greater than the value | |
| gte | Field is Greater or egal than the value | |
| expand | Modifier for expansion of placeholders in values. It replaces placeholder strings (%something%) |
Overview
Conversion Overview
Pipelines
More details are described in the documentation.
Testing
To run the pytest suite for pySigma, run the following command:
make test
Contributing
Pull requests are welcome. Please feel free to lodge any issues/PRs as discussion points.
Authors
- Thomas Patzke thomas@patzke.org
Licence
GNU Lesser General Public License v2.1. For details, please see the full license file located here.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file pySigma-0.1.7.tar.gz.
File metadata
- Download URL: pySigma-0.1.7.tar.gz
- Upload date:
- Size: 49.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/1.1.0 CPython/3.8.12 Linux/5.11.0-1028-azure
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
4c6f6419e9c357f209c2c77e4e0638a047ea3faad6a361a81bf645abe52c13bd
|
|
| MD5 |
e293d2407f409b52e5f050c6a52f6bb3
|
|
| BLAKE2b-256 |
ca212f0c88203eb250b88e4dbf15eb9a4b0b3a7261ea7d2551860619ccc5c0fd
|
File details
Details for the file pySigma-0.1.7-py3-none-any.whl.
File metadata
- Download URL: pySigma-0.1.7-py3-none-any.whl
- Upload date:
- Size: 55.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/1.1.0 CPython/3.8.12 Linux/5.11.0-1028-azure
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
3401b58bd1152f3997890f63ceb0b4e296667078454368ad14107c53c23dbffd
|
|
| MD5 |
5def6138be8e4e2279edd50538987986
|
|
| BLAKE2b-256 |
7d444ccad95741c28b52c203fbbbcab5ab02c63da6492726589b8ced07e40632
|
