sigma rules import and export

Author: codeyourweb

config/docker-config/backend-entrypoint.sh

@@ -1,5 +1,8 @@
 #!/bin/sh
 MARKER_FILE="/usr/local/bin/.initial_setup_done"
+rm -rf /var/www/html/var/cache
+rm -rf /var/www/html/public/bundles
+composer install
 if [ ! -f "$MARKER_FILE" ]; then
 sleep 10
 rm -rf /var/www/html/migrations/*.php
@@ -8,4 +11,4 @@ php /var/www/html/bin/console make:migration -n
 php /var/www/html/bin/console doctrine:migrations:migrate -n
 touch "$MARKER_FILE"
 fi
-exec "$@"
+symfony server:start --allow-http --port=8000 --listen-ip='0.0.0.0'

docker-compose.yml

@@ -36,17 +36,14 @@ services:
       - ./config/docker-config/backend-entrypoint.sh:/usr/local/bin/backend-entrypoint.sh:ro
       - ./sentinel-kit_server_backend:/var/www/html:delegated
       - ./sentinel-kit_server_backend/public:/var/www/html/public:delegated
+      - ./config/sigma_ruleset:/detection-rules/sigma
       - sentinel-kit_certificates_jwt:/var/www/html/config/jwt
       - sentinel-kit_server_backend_vendor_cache:/var/www/html/vendor
       - sentinel-kit_server_backend_var_cache:/var/www/html/var
     stdin_open: true
     tty: true
     command: >
-      sh -c "symfony server:ca:install &&
-             rm -rf /var/www/html/var/cache &&
-             rm -rf /var/www/html/public/bundles &&
-             composer install && 
-             symfony server:start --allow-http --port=8000 --listen-ip='0.0.0.0'"
+      sh -c "/usr/local/bin/backend-entrypoint.sh"
     networks:
       - sentinel-kit-network
     depends_on:

sentinel-kit_server_backend/.env

@@ -31,7 +31,7 @@ DEFAULT_URI=https://localhost
 #
 # DATABASE_URL="sqlite:///%kernel.project_dir%/var/data_%kernel.environment%.db"
 # DATABASE_URL="mysql://app:[email protected]:3306/app?serverVersion=8.0.32&charset=utf8mb4"
-DATABASE_URL="mysql://sentinel-kit_user:sentinel-kit_passwd@sentinel-kit-db-mysql:3306/sentinel-kit_db?serverVersion=9.4.0&charset=utf8"
+DATABASE_URL="mysql://sentinel-kit_user:sentinel-kit_passwd@sentinel-kit-db-mysql:3306/sentinel-kit_db?serverVersion=9.4.0&charset=utf8mb4"
 # DATABASE_URL="postgresql://app:[email protected]:5432/app?serverVersion=16&charset=utf8"
 ###< doctrine/doctrine-bundle ###
 

sentinel-kit_server_backend/composer.json

@@ -31,6 +31,7 @@
         "symfony/runtime": "7.3.*",
         "symfony/security-bundle": "7.3.*",
         "symfony/serializer": "7.3.*",
+        "symfony/string": "7.3.*",
         "symfony/twig-bundle": "7.3.*",
         "symfony/validator": "7.3.*",
         "symfony/yaml": "7.3.*"

sentinel-kit_server_backend/config/packages/doctrine.yaml

@@ -1,13 +1,16 @@
 doctrine:
     dbal:
         url: '%env(resolve:DATABASE_URL)%'
-
-        # IMPORTANT: You MUST configure your server version,
-        # either here or in the DATABASE_URL env var (see .env file)
-        #server_version: '16'
-
         profiling_collect_backtrace: '%kernel.debug%'
         use_savepoints: true
+        charset: utf8mb4
+        default_table_options:
+            charset: utf8mb4
+            collate: utf8mb4_unicode_ci
+        options:
+            1002: "SET NAMES utf8mb4"
+        mapping_types:
+            enum: string
     orm:
         auto_generate_proxy_classes: true
         enable_lazy_ghost_objects: true

sentinel-kit_server_backend/src/Command/SigmaRulesExportCommand.php

@@ -0,0 +1,73 @@
+<?php
+
+namespace App\Command;
+
+use Symfony\Component\Console\Attribute\AsCommand;
+use Symfony\Component\Console\Command\Command;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Output\OutputInterface;
+use Symfony\Component\Console\Style\SymfonyStyle;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Component\String\Slugger\SluggerInterface;
+use Symfony\Component\Yaml\Yaml;
+use Symfony\Component\Yaml\Exception\ParseException;
+use App\Entity\SigmaRule;
+use App\Entity\SigmaRuleVersion;
+
+#[AsCommand(
+    name: 'app:sigma:export-rules',
+    description: 'Exports Sigma rules from Sentinel-Kit database in the backend application to *.yml files',
+)]
+class SigmaRulesExportCommand extends Command
+{
+    private $entityManager;
+
+    public function __construct(EntityManagerInterface $entityManager)
+    {
+        parent::__construct();
+        $this->entityManager = $entityManager;
+    }
+
+    protected function configure(): void
+    {
+    }
+
+    protected function execute(InputInterface $input, OutputInterface $output): int
+    {
+        $io = new SymfonyStyle($input, $output);
+       
+        $directory = '/detection-rules/sigma';
+
+        if (!is_dir($directory)) {
+            $io->error("Directory does not exist: $directory");
+            return Command::FAILURE;
+        }
+
+        if(count(scandir($directory)) > 2) {
+            $io->error("Sigma rules directory is not empty. Clear it before exporting rules.");
+            return Command::FAILURE;
+        }
+
+        $rules = $this->entityManager->getRepository(SigmaRule::class)->findAllWithLatestRuleVersion();
+          foreach($rules as $rule) {
+            $io->writeln("Exporting rule: " . $rule->getTitle());
+            $latestVersion = $rule->getVersions()->first();
+
+            if (!$latestVersion) {
+                $io->warning("Skipping rule '{$rule->getTitle()}' because it has no versions.");
+                continue;
+            }
+            
+            try {
+                file_put_contents($directory . '/' . $rule->getFilename() . '.yml', $latestVersion->getContent());
+            }
+            catch(\Exception $e) {
+                $io->error("Error exporting rule '{$rule->getTitle()}': " . $e->getMessage()); 
+            }
+        }
+        
+        $io->success("Successfully exported " . count($rules) . " Sigma rules.");
+        
+        return Command::SUCCESS;
+    }
+}

sentinel-kit_server_backend/src/Command/SigmaRulesLoadCommand.php

@@ -0,0 +1,171 @@
+<?php
+
+namespace App\Command;
+
+use Symfony\Component\Console\Attribute\AsCommand;
+use Symfony\Component\Console\Command\Command;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Output\OutputInterface;
+use Symfony\Component\Console\Style\SymfonyStyle;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Component\String\Slugger\AsciiSlugger;
+use Symfony\Component\Yaml\Yaml;
+use Symfony\Component\Yaml\Exception\ParseException;
+use App\Entity\SigmaRule;
+use App\Entity\SigmaRuleVersion;
+
+#[AsCommand(
+    name: 'app:sigma:load-rules',
+    description: 'Loads *.yml rules files into Sentinel-Kit database in the backend application',
+)]
+class SigmaRulesLoadCommand extends Command
+{
+    private $entityManager;
+
+    public function __construct(EntityManagerInterface $entityManager)
+    {
+        parent::__construct();
+        $this->entityManager = $entityManager;
+    }
+
+    protected function configure(): void
+    {
+    }
+
+    protected function execute(InputInterface $input, OutputInterface $output): int
+    {
+        $io = new SymfonyStyle($input, $output);
+       
+        $directory = '/detection-rules/sigma';
+
+        if (!is_dir($directory)) {
+            $io->error("Directory does not exist: $directory");
+            return Command::FAILURE;
+        }
+
+        $yamlFiles = $this->findYamlFiles($directory);
+
+        $processedCount = 0;
+        $errorCount = 0;
+
+        foreach ($yamlFiles as $filePath) {
+            $relativePath = str_replace($directory . DIRECTORY_SEPARATOR, '', $filePath);
+            $io->text("Processing: " . $relativePath);
+            
+            try {
+                $content = file_get_contents($filePath);
+                if ($content === false) {
+                    $io->error("Could not read file: $filePath");
+                    $errorCount++;
+                    continue;
+                }
+
+                $yamlData = Yaml::parse($content);
+                
+                if ($yamlData === null) {
+                    $io->warning("File contains no valid YAML data: $filePath");
+                    continue;
+                }
+
+                $this->storeSigmaRule($content, $yamlData, $relativePath, $io);
+                $processedCount++;
+            } catch (ParseException $e) {
+                $io->error("YAML parse error in file " . $relativePath . ": " . $e->getMessage());
+                $errorCount++;
+            } catch (\Exception $e) {
+                $io->error("Error processing file " . $relativePath . ": " . $e->getMessage());
+                $errorCount++;
+            }
+        }
+
+        try{
+            $this->entityManager->flush();
+        } catch (\Exception $e) {
+            $io->error("Error flushing to database: " . $e->getMessage());
+            return Command::FAILURE;
+        }
+
+        $io->section("Summary");
+        $io->text("Total files processed: $processedCount");
+        if ($errorCount > 0) {
+            $io->text("Files with errors: $errorCount");
+            return Command::FAILURE;
+        } else {
+            $io->success("Sigma rules loaded successfully.");
+        }
+
+
+        return Command::SUCCESS;
+    }
+
+    /**
+     * Recursively find all YAML files in a directory
+     */
+    private function findYamlFiles(string $directory): array
+    {
+        $yamlFiles = [];
+        $iterator = new \RecursiveIteratorIterator(
+            new \RecursiveDirectoryIterator($directory, \RecursiveDirectoryIterator::SKIP_DOTS)
+        );
+
+        foreach ($iterator as $file) {
+            if ($file->isFile() && in_array($file->getExtension(), ['yml', 'yaml'])) {
+                $yamlFiles[] = $file->getRealPath();
+            }
+        }
+
+        return $yamlFiles;
+    }
+
+    /**
+     * Store Sigma Rule and its version into the database
+     */
+    private function storeSigmaRule(string $content, array $yamlData, string $filePath,SymfonyStyle $io): void
+    {
+        $slugger = new AsciiSlugger();
+        $title = '';
+        $description = null;
+        $filename = $slugger->slug(pathinfo($filePath, PATHINFO_FILENAME));
+        
+        if (!empty($yamlData['title'])) {
+            $title = $yamlData['title'];
+        }else{
+            $title = substr($filename, 0, strlen($filename) - 4);
+        }
+
+        if (!empty($yamlData['description'])) {
+            $description = $yamlData['description'];
+        }
+
+        $r = $this->entityManager->GetRepository(SigmaRule::class)->findOneBy(['title' => $title]);
+        if ($r) {
+            $io->warning(sprintf('Rule with title "%s" already exists already exists in database', $title));
+            return;
+        }
+
+        $rd = $this->entityManager->getRepository(SigmaRuleVersion::class)->findOneBy(['hash' => md5($content)]);
+        if ($rd) {
+            $io->warning(sprintf('Rule "%s" ignored - content already exists in %s', $filePath, $title, $description));
+            return;
+        }
+
+        $rule = new SigmaRule();
+        $rule->setFilename($filename);
+        $rule->setTitle($title);
+        $rule->setDescription($description);
+        $rule->setActive(false);
+        
+        $ruleVersion = new SigmaRuleVersion();
+        $ruleVersion->setContent($content);
+        $rule->addVersion($ruleVersion);
+        
+        try{
+            $this->entityManager->persist($rule);
+        }catch(\Exception $e){
+            $io->error(sprintf("Error storing rule: %s - %s", $filePath, $e->getMessage()));
+            return;
+        }
+
+        return;
+    }
+}