sysflow icon indicating copy to clipboard operation
sysflow copied to clipboard
verified publisher icon sysflow-telemetry

Add Sigma rules support

Open araujof opened this issue 2 years ago • 1 comments

Indicate project Processor

Overview We want to enable Sigma rules evaluation in the SysFlow Processor, using our policy engine architecture as the base framework.

Tasks

  • [x] Refactoring to enable multi-language support
    • [x] Upgrade to Go 1.19
    • [x] Separation between policy front and backend compilation
    • [x] Generics (parametric record, to enable different backends for different input sources)
  • [x] Sigma frontend
    • [x] Condition expression language (1|all of selection, logical operators, wildcards)
    • [x] Search evaluation (event matching)
      • [x] Field modifiers
      • [ ] Field transformers
        • [x] WinDash
        • [x] Base64
        • [ ] Base64Offset
        • [x] UTF16 (BE, LE, BOM)
        • [x] Wide (UTF16)
        • [ ] CIDR
    • [x] Keywords
    • [x] Field mapping support
  • [x] Sigma backend support
    • [x] Operations and operators abstraction
    • [x] Refactored operations to support multi-language operations
    • [x] Added RegExp operation
  • [x] Field mapping for SysFlow
  • [ ] Unit tests
  • [ ] Sigma rule curation
  • [x] Performance tests
  • [ ] Documentation

Additional context Working branch: https://github.com/sysflow-telemetry/sf-processor/tree/go1.19-sigma

araujof avatar Feb 10 '23 14:02 araujof

Release experimentally in 0.6.0

araujof avatar Jan 11 '24 17:01 araujof