Final Changes #139

Merged
merged 32 commits into from
Aug 6, 2024
Changes from 31 commits
32 commits
a471214
rename
nasbench Aug 4, 2024
addb8ee
more updates
nasbench Aug 4, 2024
af96972
Update appendix_tags.md
nasbench Aug 4, 2024
0a14ddb
remove config
nasbench Aug 4, 2024
5372368
Update appendix_tags.md
nasbench Aug 4, 2024
050b0d4
typo fixes
nasbench Aug 4, 2024
d66bdc1
rename files
nasbench Aug 4, 2024
85e93a5
updates
nasbench Aug 4, 2024
cb1e1f1
Update sigma-rules-specification.md
nasbench Aug 4, 2024
30d77bc
even more updates
nasbench Aug 4, 2024
5ede4c4
Update README.md
nasbench Aug 4, 2024
2549a20
Update README.md
nasbench Aug 4, 2024
1ba1521
Update README.md
nasbench Aug 4, 2024
a08a6bc
updates
nasbench Aug 5, 2024
4ea41da
Update sigma-taxonomy-appendix.md
nasbench Aug 5, 2024
3c3bf28
final updates
nasbench Aug 5, 2024
599518a
small update
nasbench Aug 5, 2024
3515243
folder change
nasbench Aug 5, 2024
16d95c3
Update sigma-modifiers-appendix.md
nasbench Aug 5, 2024
77b23f5
fix: some fixes
Neo23x0 Aug 5, 2024
7df2fb8
Update appendix/sigma-modifiers-appendix.md
nasbench Aug 5, 2024
ad5ca76
Update sigmahq/sigmahq-title-convention.md
nasbench Aug 5, 2024
9cb652a
Update sigmahq-filename-convention.md
nasbench Aug 5, 2024
b1f6855
Update sigma-correlation-rules-specification.md
nasbench Aug 5, 2024
32a7540
Update appendix/sigma-modifiers-appendix.md
nasbench Aug 5, 2024
28356a6
Update sigma-modifiers-appendix.md
nasbench Aug 5, 2024
07cdebc
Update sigma-modifiers-appendix.md
nasbench Aug 5, 2024
add661e
Update version-2-changes.md
nasbench Aug 5, 2024
e3d9af5
Update sigma-correlation-rules-specification.md
Neo23x0 Aug 5, 2024
6552cfb
Merge branch 'final_changes' of https://github.com/nasbench/sigma-spe…
Neo23x0 Aug 5, 2024
2ed4f1d
Update appendix/sigma-modifiers-appendix.md
nasbench Aug 5, 2024
f501bfa
Update sigmahq-title-convention.md
nasbench Aug 6, 2024
50 changes: 0 additions & 50 deletions .github/workflows/jekyll-gh-pages.yml

This file was deleted.

76 changes: 54 additions & 22 deletions README.md
@@ -1,34 +1,66 @@
# Sigma-Specification
# Sigma Specification - Generic Signature Format for SIEM Systems

This repository is used to maintain the specification for the Sigma format.
<a href="https://sigmahq.io/">
<p align="center">
<br />
<picture>
<source media="(prefers-color-scheme: dark)" srcset="./media/images/sigma_logo_dark.png">
<img width="454" alt="Sigma Logo" src="./media/images/sigma_logo_light.png">
</picture>
</p>
</a>
<br />

[Web version](https://sigmahq.github.io/sigma-specification/)
<p align="center">
<a href="https://sigmahq.io/"><img src="https://cdn.jsdelivr.net/gh/SigmaHQ/sigmahq.github.io@master/images/Sigma%20Official%20Badge.svg" alt="Sigma Official Badge"></a> <img alt="GitHub Repo stars" src="https://img.shields.io/github/stars/SigmaHQ/sigma-specification">
<br />
<a href="https://opensourcesecurityindex.io/" target="_blank" rel="noopener">
<img style="width: 170px;" src="https://opensourcesecurityindex.io/badge.svg" alt="Open Source Security Index - Fastest Growing Open Source Security Projects" width="170" />
</a>
</p>

## Version Management
Welcome to the official Sigma Specification repository.

The version number is in the form of 3 digits 'A.B.C':
## A Quick Rundown

- 'A' A major version that could break existing converters
- 'B' A minor version with additions or modifications of functionality affecting but not breaking the converters
- 'C' Reorganization of section, addition of examples etc.
Here's what you can expect from each of the main subfolders within this repo. Please take a minute to educate yourself!

## Current Version
### Specification

The Sigma rules format specifications is described in the file [Sigma_specification](Sigma_specification.md)
The Sigma Meta rules format specifications is described in the file [Sigma_meta_rules](Sigma_meta_rules.md)
The Sigma Meta filter format specifications is described in the file [Sigma_meta_filter](Sigma_meta_filter.md)
[Specification](./specification/) will contain markdown files describing the Sigma specification format in details.

There exists other files in the repository to describe the different modifiers, fields and tags to be used in Sigma rules:
* [Sigma Rules Specification](./specification/sigma-rules-specification.md) - Describes what constitute a Sigma rule.
* [Sigma Correlation Specification](./specification/sigma-correlation-rules-specification.md) - Describes the Sigma correlation format.
* [Sigma Filters Specification](./specification/sigma-filters-specification.md) - Described the Sigma filters format.

- [appendix_modifier](appendix/appendix_modifier.md) is a document that defines the different modifiers that can be used in a Sigma rule.
- [appendix_tags](appendix/appendix_tags.md) is a document that defines the standardized tags that can be used to categorize the different Sigma rules.
- [appendix_taxonomy](appendix/appendix_taxonomy.md) is a document that defines the different field names and log sources that should be used to ensure sharable rules.
### JSON Schema

## SigmaHQ
[Json-Schema](./json-schema/) will contain a list of JSON schemas for the following.

The following files are not part of the sigma specification.
They are only helpers for the management of the main [rule repository](https://github.com/SigmaHQ/sigma/tree/master/rules) under SigmaHQ
* [Sigma Rules](/json-schema/sigma-detection-rule-schema.json)
* [Sigma Correlation Rules](/json-schema/sigma-correlation-rules-schema.json)
* [Sigma Filters](/json-schema/sigma-filters-schema.json)

[SigmaHQ Filename Normalisation](/sigmahq/Sigmahq_filename_rule.md)
[SigmaHQ Rule Conventions](/sigmahq/sigmahq_conventions.md)
[SigmaHQ Title Normalisation](/sigmahq/sigmahq_title_rule.md)
### Appendix

[Appendix](./appendix/) will contain additional files providing additional details to certain fields of a Sigma rule

* [Sigma Modifiers Appendix](appendix/sigma-modifiers-appendix.md) is a document that defines the different modifiers that can be used in a Sigma rule.
* [Sigma Tags Appendix](appendix/sigma-tags-appendix.md) is a document that defines the tags namespaces that can be used to categorize the different Sigma rules.
* [Sigma Taxonomy Appendix](appendix/sigma-taxonomy-appendix.md) is a document that defines the different field names and log sources that are currently supported by SigmaHQ in order to ensure sharable rules.

### SigmaHQ

[SigmaHQ](./sigmahq/) will contain markdown files that describe rules and recommendations that are applied to the rules hosted in SigmaHQ main rule repository.

> **Note**
>
> The SigmaHQ folder and the files contains within are not part of the sigma specification. They are there to ensure and easier management of the rules hosted in the main [rule repository](https://github.com/SigmaHQ/sigma/tree/master/rules)

* [SigmaHQ Rule Convention](/sigmahq/sigmahq-rule-convention.md)
* [SigmaHQ Filename Convention](/sigmahq/sigmahq-filename-convention.md)
* [SigmaHQ Title Convention](/sigmahq/sigmahq-title-convention.md)

## Version 2 Changes

You can read more on the potential breaking changes and additional features introduced in version 2.0.0 of the specification [here](./other/version-2-changes.md)
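Review bot: two grammar slips in the new "Specification" list: "Describes what constitute a Sigma rule." should read "constitutes", and "Described the Sigma filters format." should read "Describes". In the SigmaHQ note block, "the files contains within" should be "the files contained within" and "ensure and easier management" should be "ensure an easier management" (and the sentence lacks a closing period). The link paths also mix three styles in one file (`./specification/...`, `appendix/...`, and root-anchored `/json-schema/...` and `/sigmahq/...`); root-anchored links resolve to the repository root on github.com but not when the README is rendered from a sub-path, so the `./` relative form used for the Specification section should be applied throughout. Finally, the old "Version Management" section that explained the A.B.C numbering scheme is removed with no replacement in the new text; if that explanation now lives in version-2-changes.md or elsewhere, link it from the new README, otherwise keep the section.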
27 changes: 0 additions & 27 deletions V2_changes.md

This file was deleted.

46 changes: 0 additions & 46 deletions _config.yml

This file was deleted.

175 changes: 87 additions & 88 deletions appendix/appendix_modifier.md → appendix/sigma-modifiers-appendix.md
@@ -1,88 +1,87 @@
# Modifiers <!-- omit in toc -->

The following document defines the standardized modifiers that can be used in Sigma.

* Version 2.0.0
* Release date 2024-01-01

## Summary
- [Summary](#summary)
- [General](#general)
- [String only](#string-only)
- [Numeric only](#numeric-only)
- [Ip only](#ip-only)
- [String Encoding](#string-encoding)
- [Specific](#specific)
- [History](#history)


## General

* `all`: Normally, lists of values are linked with *OR* in the generated query. This modifier
changes this to *AND*. This is useful if you want to express a command line invocation with different
parameters where the order may vary and removes the need for some cumbersome workarounds.

Single item values are not allowed to have an `all` modifier as some back-ends cannot support it.
If you use it as a workaround to duplicate a field in a selection, use a new selection instead.

* `startswith`: The value is expected at the beginning of the field's content. (replaces e.g. 'adm*')
* `endswith`: The value is expected at the end of the field's content (replaces e.g. '*\cmd.exe')
* `contains`: Puts `*` wildcards around the values, such that the value is matched anywhere in the
field.

* `exists`: Defines that a certain field has to exist or must not exist in a log event by providing a boolean value.
* `cased`: Values are applied case sensitively. Default Sigma behaviour is case-insensitive matching.

### String only

* `windash`: Creates all possible permutations of the `-` and `/` characters. Windows command line flags can often be indicated by both characters. Using the `windash` modifier converts `-` values into `/` and vice versa and uses all possible permutation of strings in the selection.
* `re`: Value is handled as a regular expression by backends. Regex is matched case-sensitive by default
* `i`: (insensitive) `re` sub-modifier to enable case-sensitive matching.
* `m`: (multi line) `re` sub-modifier to match across multiple lines. `^` /`$` match the start/end of line.
* `s`: (single line) `re` sub-modifier to enable that dot (`.`) matches all characters, including the newline character.


### Numeric only

* `lt`: Field is less than the value
* `lte`: Field is less or equal than the value
* `gt`: Field is greater than the value
* `gte`: Field is greater or equal than the value


### Ip only

* `cidr`: The value is handled as an CIDR by backends


### String Encoding

* `base64`: The value is encoded with Base64.
* `base64offset`: If a value might appear somewhere in a base64-encoded string the representation
might change depending on the position of the value in the overall string. There are three variants for shifts
by zero to two bytes and except the first and last byte the encoded values have a static part in
the middle that can be recognized.

* `utf16le`: Transforms value to UTF16-LE encoding, e.g. `cmd` > `63 00 6d 00 64 00` (only used in combination with base64 modifiers)
* `utf16be`: Transforms value to UTF16-BE encoding, e.g. `cmd` > `00 63 00 6d 00 64` (only used in combination with base64 modifiers)
* `wide`: Alias for `utf16le` modifier
* `utf16`: Prepends a [byte order mark](https://en.wikipedia.org/wiki/Byte_order_mark) and encodes UTF16, e.g. `cmd` > `FF FE 63 00 6d 00 64 00` (only used in combination with base64 modifiers)


## Specific

* `expand`: Modifier for expansion of placeholders in values. The final behavior of the replacement is determined by processing pipeline transformations. Current possibilities in pySigma are:
* Expand to value list (`ValueListPlaceholderTransformation`/`value_placeholders`)
* Replace with query expression in target query language (`QueryExpressionPlaceholderTransformation`/`query_expression_placeholders`)
* Replace placeholder with wildcard `*`, which should only be used as last resort. (`WildcardPlaceholderTransformation`/`wildcard_placeholders`)

* `fieldref`: Modifies a plain string into a field reference. A field reference can be used to compare fields of matched
events directly at query/matching time.

## History
* 2023-05-27
* Update from PySigma 0.7.6
* Add `fieldref`
* 2023-05-21 v1.0.3
* Creation of the file
* 2017 Sigma creation
# Modifiers <!-- omit in toc -->

The following document defines the standardized modifiers that can be used in Sigma.

* Version 2.0.0
* Release date 2024-08-12

## Summary
- [Summary](#summary)
- [General](#general)
- [String only](#string-only)
- [Numeric only](#numeric-only)
- [Ip only](#ip-only)
- [String Encoding](#string-encoding)
- [Specific](#specific)
- [History](#history)

## General

* `all`: Normally, lists of values are linked with *OR* in the generated query. This modifier
changes this to *AND*. This is useful if you want to express a command line invocation with different
parameters where the order may vary and removes the need for some cumbersome workarounds.

Single item values are not allowed to have an `all` modifier as some back-ends cannot support it.
If you use it as a workaround to duplicate a field in a selection, use a new selection instead.

* `startswith`: The value is expected at the beginning of the field's content. (replaces e.g. 'adm*')
* `endswith`: The value is expected at the end of the field's content (replaces e.g. '*\cmd.exe')
* `contains`: Puts `*` wildcards around the values, such that the value is matched anywhere in the
field.

* `exists`: Defines that a certain field has to exist or must not exist in a log event by providing a boolean value. Note that this check only verifies the presence of a field, not its value, be it empty or null.
* `cased`: Values are applied case sensitively. Default Sigma behavior is case-insensitive matching.

### String only

* `windash`: Creates all possible permutations of the `-`, `/`, `–` (en dash), `—` (em dash), and `―` (horizontal bar) characters. Windows command line flags can often be indicated by both characters. Using the `windash` modifier converts the aforementioned characters interchangeably and uses all possible permutation of strings in the selection.

* `re`: Value is handled as a regular expression by backends. Regex is matched case-sensitive by default
* `re` sub-modifiers:
* `i`: (insensitive) to enable case-sensitive matching.
* `m`: (multi line) to match across multiple lines. `^` /`$` match the start/end of line.
* `s`: (single line) to enable that dot (`.`) matches all characters, including the newline character.

### Numeric only

* `lt`: Field is less than the value
* `lte`: Field is less or equal than the value
* `gt`: Field is greater than the value
* `gte`: Field is greater or equal than the value

### Ip only

* `cidr`: The value is handled as an CIDR by backends. Supports both IPv4 and IPv6 notations.

### String Encoding

* `base64`: The value is encoded with Base64.
* `base64offset`: If a value might appear somewhere in a base64-encoded string the representation
might change depending on the position of the value in the overall string. There are three variants for shifts
by zero to two bytes and except the first and last byte the encoded values have a static part in
the middle that can be recognized.

* `base64` sub-modifiers:
* `utf16le`: Transforms value to UTF16-LE encoding, e.g. `cmd` > `63 00 6d 00 64 00`
* `utf16be`: Transforms value to UTF16-BE encoding, e.g. `cmd` > `00 63 00 6d 00 64`
* `utf16`: Prepends a [byte order mark](https://en.wikipedia.org/wiki/Byte_order_mark) and encodes UTF16, e.g. `cmd` > `FF FE 63 00 6d 00 64 00`

## Specific

* `expand`: Modifier for expansion of placeholders in values. The final behavior of the replacement is determined by processing pipeline transformations. Current possibilities in pySigma are:
* Expand to value list (`ValueListPlaceholderTransformation`/`value_placeholders`)
* Replace with query expression in target query language (`QueryExpressionPlaceholderTransformation`/`query_expression_placeholders`)
* Replace placeholder with wildcard `*`, which should only be used as last resort. (`WildcardPlaceholderTransformation`/`wildcard_placeholders`)

* `fieldref`: Modifies a plain string into a field reference. A field reference can be used to compare fields of matched
events directly at query/matching time.

## History

* 2024-08-12 Modifiers Appendix v2.0.0
* 2023-05-27 Modifiers Appendix v1.0.4
* Update from PySigma 0.7.6
* Add `fieldref`
* 2023-05-21 Modifiers Appendix v1.0.3
* Creation of the file
* 2017 Sigma creation
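Review bot: the `i` sub-modifier description is inverted: "`i`: (insensitive) to enable case-sensitive matching." should say case-insensitive matching, since the `re` line directly above states that regex matching is case-sensitive by default; the error is carried over from the old text, and restructuring the list is the right moment to fix it. In the `windash` entry, "can often be indicated by both characters" is stale now that five characters (`-`, `/`, en dash, em dash, horizontal bar) are listed; say "any of these characters". The `wide` alias for `utf16le` present in the old text is dropped from the new `base64` sub-modifier list, but the 2024-08-12 History entry has no bullet explaining it and the version-2-changes.md diff is not shown here; removing a modifier name breaks existing rules that use it, so it should be listed as a breaking change (or kept as an alias). Minor wording: "handled as an CIDR" should be "a CIDR", and "less or equal than" / "greater or equal than" read better as "less than or equal to" / "greater than or equal to".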