Eric Partington

Sigma for your SIEM

Blog post created by Eric Partington on Apr 8, 2019

Over the last year a few trends have emerged in detection-ruleset sharing circles. Standards, or common formats for sharing detective rulesets, have become the de facto way teams communicate rules that are then converted into their local technologies:

  • YARA for file-based detections
  • Snort/Bro/Zeek rules for network-based detections
  • Sigma for SIEM-based detections

Along with MITRE ATT&CK, these appear to be a consistent common foundation for sharing methodologies.

 

Given that, taking a shot at using Sigma to create RSA NetWitness rules from the rulesets in the GitHub repo was the next logical step. The hard work of creating the backend and the initial field mappings was done by @tuckner; my work was just adding a few additional field mappings and creating a wrapper script to make running the rules easier.

There are still some issues in the conversion script that I have noticed, and not all capabilities in Sigma have been ported over (or can be ported over programmatically), but this is enough of a start to get you on your way to developing additional rulesets with these capabilities.

 

*** <disclaimer>

Please note this is not an official RSA product; this is an attempt to start the conversion process of these rules to something NetWitness can begin to understand. There will be mistakes and errors in this community-developed tool, so feel free to contribute fixes and enhancements to the Sigma project to make it better and more accurate.

</disclaimer> ***

 

You will need to install Python 3 to run the sigmac tool. NetWitness appliances don't ship the right version of Python, so you will need somewhere else to install it; these are the instructions I fumbled through to make it work:

https://github.com/epartington/rsa_nw_sigma_wrapper/blob/master/install%20python3.txt

 

Once you have the tool running, take a look at the rules that exist in the Sigma repo to see which ones you want to take a crack at converting.

Those rules exist here:

https://github.com/Neo23x0/sigma/tree/master/rules

The tool you will use to convert the rules is sigmac, which lives under tools/sigmac.

The backend you will refer to is netwitness, which lives under tools/sigma/backends.

The last item you need to know about is the field-mapping configuration that sigmac uses with the backend to translate Sigma field names into NetWitness meta keys; it is located at tools/config/netwitness.yml (sigmac's -c option selects a config file).

 

Running the command on a single file (from the tools directory, which is why the rule path starts with ../) looks something like this:

python36 sigmac -t netwitness ../rules/network/net_mal_dns_cobaltstrike.yml
(query contains 'aaa\.stage\.', 'post\.1')

 

You can use this to run individual conversions, but what if you want to bulk convert all the rules in a folder?

This wrapper script will help you do that. Place it in the root folder and adjust the directory paths as needed; it prints the name of each file followed by its conversion, so you know which file you are converting:

https://github.com/epartington/rsa_nw_sigma_wrapper/blob/master/sigma-wrapper.sh

 

Which gets you something like this:

 

/root/sigma/sigma-master/rules/windows/builtin/win_susp_sdelete.yml
((device.class='windows hosts') && (event.source='microsoft-windows-security-auditing') && (reference.id = '4656', '4663', '4658') && (obj.name contains '.AAA', '.ZZZ'))
/root/sigma/sigma-master/rules/windows/builtin/win_susp_sdelete.yml
((device.class='windows hosts') && (event.source='microsoft-windows-security-auditing') && (reference.id = '4656', '4663', '4658') && (obj.name contains '.AAA', '.ZZZ'))
/root/sigma/sigma-master/rules/windows/builtin/win_susp_security_eventlog_cleared.yml
((device.class='windows hosts') && (event.source='microsoft-windows-security-auditing') && (reference.id = '517', '1102'))
/root/sigma/sigma-master/rules/windows/builtin/win_susp_security_eventlog_cleared.yml
((device.class='windows hosts') && (event.source='microsoft-windows-security-auditing') && (reference.id = '517', '1102'))
/root/sigma/sigma-master/rules/windows/builtin/win_susp_security_eventlog_cleared.yml
((device.class='windows hosts') && (event.source='microsoft-windows-security-auditing') && (reference.id = '517', '1102'))
/root/sigma/sigma-master/rules/windows/builtin/win_susp_security_eventlog_cleared.yml
((device.class='windows hosts') && (event.source='microsoft-windows-security-auditing') && (reference.id = '517', '1102'))
/root/sigma/sigma-master/rules/windows/builtin/win_susp_svchost.yml

 

Some items to be aware of:

  • IP addresses come out quoted, which our latest NetWitness versions do not accept; strip the quotes before you deploy the rule.
  • Keep an eye on regex usage.
  • I haven't checked too far into the escaping of slashes when importing via the UI versus the .nwr method. Be careful that the method you use respects the right number of slashes.
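As an added example that is neither the author's sigma-wrapper.sh nor part of the Sigma project, the Python script below covers both the bulk-conversion loop described above and the three caveats just listed: it runs sigmac over every rule in a directory, prints the file path before each converted query as the wrapper does, rewrites quoted IPv4 literals as unquoted, and flags regex use and backslash escapes for manual review. It assumes it is run from the Sigma repo's tools directory like the single-file command above, that sigmac is invoked as `python3 sigmac` with `-c config/netwitness.yml`, and that the NetWitness regex operator is the keyword `regex`; the `SAMPLE_OUTPUTS`, `fake_sigmac`, `unquote_ips`, `review` and `convert_rules` names are mine, and the second sample output is constructed with TEST-NET addresses.

```python
"""Bulk-convert Sigma rules with sigmac and post-process the NetWitness output.

Added example for this post; not the author's sigma-wrapper.sh and not part of
the Sigma project.  Assumptions: run from the Sigma repo's tools/ directory like
the single-file command in the post, sigmac invoked as `python3 sigmac`, and
the field mapping at config/netwitness.yml.
"""
import re
import subprocess
from pathlib import Path

SIGMAC_CMD = ["python3", "sigmac"]     # assumption: adjust, e.g. ["python36", "sigmac"]
NW_CONFIG = "config/netwitness.yml"    # assumption: path relative to tools/

# A single-quoted IPv4 literal such as '203.0.113.5'.  The closing quote must
# directly follow the last octet, so a hostname like '10.0.0.1.example' is kept.
QUOTED_IPV4 = re.compile(r"'((?:\d{1,3}\.){3}\d{1,3})'")
# Assumption: NetWitness spells its regular-expression operator `regex`.
REGEX_OP = re.compile(r"\bregex\b")


def unquote_ips(query):
    """Rewrite ip.dst = '1.2.3.4' style literals as unquoted (first caveat)."""
    return QUOTED_IPV4.sub(r"\1", query)


def review(query):
    """Return review notes for the things the post says to watch in sigmac output."""
    notes = []
    if QUOTED_IPV4.search(query):
        notes.append("quoted IP literal(s) rewritten as unquoted")
    if REGEX_OP.search(query):
        notes.append("uses regex: verify the pattern against NetWitness syntax")
    backslashes = query.count("\\")
    if backslashes:
        notes.append(f"{backslashes} backslash escape(s): check UI vs .nwr import handling")
    return notes


def run_sigmac(rule):
    """Run sigmac on one rule file and return its stdout; raises if sigmac fails."""
    cmd = [*SIGMAC_CMD, "-t", "netwitness", "-c", NW_CONFIG, str(rule)]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout.strip()


def convert_rules(rules, convert=run_sigmac):
    """Convert each rule; returns a (path, fixed_query_or_None, notes) tuple per rule.

    `convert` is injectable so the loop can be exercised without sigmac installed.
    A rule sigmac cannot translate is reported instead of aborting the whole batch.
    """
    results = []
    for rule in rules:
        try:
            raw = convert(rule)
        except subprocess.CalledProcessError as exc:
            results.append((str(rule), None, ["sigmac failed: " + (exc.stderr or "").strip()]))
            continue
        results.append((str(rule), unquote_ips(raw), review(raw)))
    return results


def convert_dir(rule_dir, convert=run_sigmac):
    """Bulk-convert every .yml under rule_dir (recursively), in sorted order."""
    return convert_rules(sorted(Path(rule_dir).rglob("*.yml")), convert)


# Constructed sample sigmac outputs: the first is the query shown in the post, the
# second is invented with TEST-NET addresses so the script can be tried offline.
SAMPLE_OUTPUTS = {
    "net_mal_dns_cobaltstrike.yml": "(query contains 'aaa\\.stage\\.', 'post\\.1')",
    "constructed_c2_ip.yml":
        "((ip.dst = '203.0.113.5', '198.51.100.7') && (tcp.dstport = 443))",
}


def fake_sigmac(rule):
    """Stand-in for run_sigmac: serves SAMPLE_OUTPUTS and fails on anything else."""
    name = Path(rule).name
    if name not in SAMPLE_OUTPUTS:
        raise subprocess.CalledProcessError(1, "sigmac", stderr="unsupported rule: " + name)
    return SAMPLE_OUTPUTS[name]


def report(results):
    """Print results in the wrapper's shape: path, then query, then review notes."""
    for path, query, notes in results:
        print(path)
        print(query if query is not None else "<conversion failed>")
        for note in notes:
            print("    # " + note)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        report(convert_dir(sys.argv[1]))   # real run: python3 this.py ../rules/network
    else:                                  # offline demo against the constructed samples
        report(convert_rules(list(SAMPLE_OUTPUTS) + ["unsupported.yml"], fake_sigmac))
```

The review notes are deliberately printed as comments under each query rather than silently applied (only the IP unquoting is automatic), because the right number of backslashes depends on whether you import through the UI or an .nwr file, which is exactly the check the post leaves to you.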

 

So far this looks like a useful method to add a bunch of current SIEM detections to the RSA NetWitness Platform. Feel free to test and contribute to the converter, field mappings or other functions if you find this useful.