forked from branchnetconsulting/wazuh-tools
-
Notifications
You must be signed in to change notification settings - Fork 0
/
import-sigwah
46 lines (42 loc) · 3.03 KB
/
import-sigwah
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
#!/bin/bash
#
# import-sigwah written by Kevin Branch
#
# ********************
# *** EXPERIMENTAL ***
# ********************
#
# Build a single local Wazuh rule file called sigwah.xml derived from the translated/curated Sigma rules from SanWieb.
# Transform the sysmon related rules to use <if_sid> instead of <if_group> to prevent rule tree explosion.
#
# Thanks to the Sigma (https://neo23x0.github.io/sigma/) and sigWah projects (https://github.com/SanWieb/sigWah) for the great work!
#
# Non-sysmon sigWah rules are presently disabled by this script because they need to be made children of specific parent rules
# rather than use <if_group>windows</if_group> which causes a 6000% increase in the size of the Wazuh internal rule tree.
#
rm -rf sigWah
git clone https://github.com/SanWieb/sigWah.git
cd sigWah
echo '<group name="sigma,">' > /var/ossec/etc/rules/sigwah.xml
( find ./ossec-rules -name "*.xml" -exec cat {} \; ; ) >> /var/ossec/etc/rules/sigwah.xml
echo '</group>' >> /var/ossec/etc/rules/sigwah.xml
# Transform the sysmon-specific sigWah files to be children of specific parent rules.
sed -i 's/<if_group>sysmon_event1<\/if_group>/<if_sid>61603<\/if_sid>/' /var/ossec/etc/rules/sigwah.xml
sed -i 's/<if_group>sysmon_event2<\/if_group>/<if_sid>61604<\/if_sid>/' /var/ossec/etc/rules/sigwah.xml
sed -i 's/<if_group>sysmon_event3<\/if_group>/<if_sid>61605<\/if_sid>/' /var/ossec/etc/rules/sigwah.xml
sed -i 's/<if_group>sysmon_event4<\/if_group>/<if_sid>61606<\/if_sid>/' /var/ossec/etc/rules/sigwah.xml
sed -i 's/<if_group>sysmon_event5<\/if_group>/<if_sid>61607<\/if_sid>/' /var/ossec/etc/rules/sigwah.xml
sed -i 's/<if_group>sysmon_event6<\/if_group>/<if_sid>61608<\/if_sid>/' /var/ossec/etc/rules/sigwah.xml
sed -i 's/<if_group>sysmon_event7<\/if_group>/<if_sid>61609<\/if_sid>/' /var/ossec/etc/rules/sigwah.xml
sed -i 's/<if_group>sysmon_event8<\/if_group>/<if_sid>61610<\/if_sid>/' /var/ossec/etc/rules/sigwah.xml
sed -i 's/<if_group>sysmon_event9<\/if_group>/<if_sid>61611<\/if_sid>/' /var/ossec/etc/rules/sigwah.xml
sed -i 's/<if_group>sysmon_event_10<\/if_group>/<if_sid>61612<\/if_sid>/' /var/ossec/etc/rules/sigwah.xml
sed -i 's/<if_group>sysmon_event_11<\/if_group>/<if_sid>61613<\/if_sid>/' /var/ossec/etc/rules/sigwah.xml
sed -i 's/<if_group>sysmon_event_12<\/if_group>/<if_sid>61614<\/if_sid>/' /var/ossec/etc/rules/sigwah.xml
sed -i 's/<if_group>sysmon_event_13<\/if_group>/<if_sid>61615<\/if_sid>/' /var/ossec/etc/rules/sigwah.xml
sed -i 's/<if_group>sysmon_event_14<\/if_group>/<if_sid>61616<\/if_sid>/' /var/ossec/etc/rules/sigwah.xml
sed -i 's/<if_group>sysmon_event_15<\/if_group>/<if_sid>61617<\/if_sid>/' /var/ossec/etc/rules/sigwah.xml
# This intentionally breaks all of the non-sysmon Sigma rules. They need to be hung off of specific parents.
# To leave the "<if_group>windows</if_group>" intact on the sigma rules results in analysisd being bogged down
# with an extra 200000+ rules are reported by "Total rules enabled" in ossec.log
sed -i 's/<if_group>windows<\/if_group>/<decoded_as>windows_eventchannel<\/decoded_as>/g' /var/ossec/etc/rules/sigwah.xml