Update to use the official pySigma SQLite backend

wagga40 · Dec 29, 2023 · 84d9b14 · 84d9b14
1 parent f511e7c
commit 84d9b14
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 15 deletions.
diff --git a/.gitmodules b/.gitmodules
@@ -6,4 +6,4 @@
 	url = https://github.com/SigmaHQ/legacy-sigmatools.git
 [submodule "pySigma-backend-sqlite"]
 	path = pySigma-backend-sqlite
-	url = https://github.com/wagga40/pySigma-backend-sqlite.git
+	url = https://github.com/SigmaHQ/pySigma-backend-sqlite.git
diff --git a/gen_ruleset.py b/gen_ruleset.py
@@ -4,17 +4,25 @@
 from sigma.pipelines.windows import windows_logsource_pipeline, windows_audit_pipeline
 from sigma.processing.resolver import ProcessingPipelineResolver
 
+import multiprocessing as mp
 from pathlib import Path
 import json
 import sys
-import sqlite3
+import functools
 
 # Paths
 rules_path = r"./sigma/rules/windows/"
 ruleset_name_sysmon = "rules_windows_sysmon_pysigma.json"
 ruleset_name_windows = "rules_windows_generic_pysigma.json"
 
+def convert_rule(backend, rule):
+    try: 
+        return backend.convert_rule(rule, "zircolite")[0]
+    except Exception as e:
+        print(e)
+
 def ruleset_generator(name, output_filename, input_rules, pipelines):
+
     print(f'[+] Initialisation ruleset : {name}')
     # Create the pipeline resolver
     piperesolver = ProcessingPipelineResolver()
@@ -32,24 +40,23 @@ def ruleset_generator(name, output_filename, input_rules, pipelines):
         rule_list = list(rules.rglob(pattern))
     else:
         sys.exit(f"Log path {rules} is not a directory")
+
     rule_collection = SigmaCollection.load_ruleset(rule_list)
 
     ruleset = []
 
     print(f'[+] Conversion : {name}')
-    for rule in rule_collection.rules:
-        try:
-            converted_rule = sqlite_backend.convert_rule(rule, "zircolite")[0]
-            rule_as_json = json.loads(converted_rule)
-            ruleset.append(rule_as_json)
-        except Exception as e:
-            print(e)
-
-    ruleset = sorted(ruleset, key=lambda d: d['level']) 
 
+    pool = mp.Pool()
+    ruleset = pool.map(functools.partial(convert_rule, sqlite_backend), rule_collection)
+    pool.close()
+    pool.join()
+
+    ruleset = [rule for rule in ruleset if rule is not None] # Removing empty results
+    ruleset = sorted(ruleset, key=lambda d: d['level']) # Sorting by level
     with open(output_filename, 'w') as outfile:
         json.dump(ruleset, outfile, indent=4, ensure_ascii=True)
 
-ruleset_generator("sysmon", ruleset_name_sysmon, rules_path, [sysmon_pipeline(), windows_logsource_pipeline()])
-ruleset_generator("generic", ruleset_name_windows, rules_path, [windows_audit_pipeline(), windows_logsource_pipeline()])
-
+if __name__ == '__main__':
+    ruleset_generator("sysmon", ruleset_name_sysmon, rules_path, [sysmon_pipeline(), windows_logsource_pipeline()])
+    ruleset_generator("generic", ruleset_name_windows, rules_path, [windows_audit_pipeline(), windows_logsource_pipeline()])
diff --git a/pySigma-backend-sqlite b/pySigma-backend-sqlite
+13 −13		.github/workflows/release.yml
+5 −8		.github/workflows/test.yml
+521 −0		poetry.lock
+6 −5		pyproject.toml
+4 −2		sigma/backends/sqlite/sqlite.py
+4 −3		tests/test_backend_sqlite.py