Sigma rules edition, bulk actions and rule severity implementation

Author: codeyourweb

sentinel-kit_server_backend/src/Command/SigmaRulesLoadCommand.php

@@ -13,6 +13,7 @@
 use Symfony\Component\Yaml\Exception\ParseException;
 use App\Entity\SigmaRule;
 use App\Entity\SigmaRuleVersion;
+use App\Service\SigmaRuleValidator;
 
 #[AsCommand(
     name: 'app:sigma:load-rules',
@@ -21,11 +22,13 @@
 class SigmaRulesLoadCommand extends Command
 {
     private $entityManager;
+    private $validator;
 
-    public function __construct(EntityManagerInterface $entityManager)
+    public function __construct(EntityManagerInterface $entityManager, SigmaRuleValidator $validator)
     {
         parent::__construct();
         $this->entityManager = $entityManager;
+        $this->validator = $validator;
     }
 
     protected function configure(): void
@@ -60,14 +63,52 @@ protected function execute(InputInterface $input, OutputInterface $output): int
                     continue;
                 }
 
-                $yamlData = Yaml::parse($content);
+                $slugger = new AsciiSlugger();
+                $filename = $slugger->slug(pathinfo($relativePath, PATHINFO_FILENAME));
+                $titleFromFilename = pathinfo($relativePath, PATHINFO_FILENAME);
+
+                try {
+                    $yamlData = Yaml::parse($content);
+                } catch (ParseException $e) {
+                    $io->error("YAML parse error in file " . $relativePath . ": " . $e->getMessage());
+                    $errorCount++;
+                    continue;
+                }
+
+                if (!$yamlData) {
+                    $io->error("Empty or invalid YAML content in file: " . $relativePath);
+                    $errorCount++;
+                    continue;
+                }
+
+                if (empty($yamlData['title'])) {
+                    $yamlData['title'] = $titleFromFilename;
+                }
+
+                if (empty($yamlData['description'])) {
+                    $yamlData['description'] = '';
+                }
+
+                $completedContent = Yaml::dump($yamlData);
+
+                $validationResult = $this->validator->validateSigmaRuleContent($completedContent);
 
-                if ($yamlData === null) {
-                    $io->warning("File contains no valid YAML data: $filePath");
+                if (isset($validationResult['error'])) {
+                    $io->error("Validation error in file " . $relativePath . ": " . $validationResult['error']);
+                    $errorCount++;
+                    continue;
+                }
+
+                if (!empty($validationResult['missingFields'])) {
+                    $missingFieldsString = implode(", ", $validationResult['missingFields']);
+                    $io->warning("File " . $relativePath . " is missing required fields: " . $missingFieldsString . " - Skipping");
+                    $errorCount++;
                     continue;
                 }
 
-                $this->storeSigmaRule($content, $yamlData, $relativePath, $io);
+                $finalYamlData = $validationResult['yamlData'];
+                
+                $this->storeSigmaRule($completedContent, $finalYamlData, $filename, $relativePath, $io);
                 $processedCount++;
             } catch (ParseException $e) {
                 $io->error("YAML parse error in file " . $relativePath . ": " . $e->getMessage());
@@ -120,44 +161,33 @@ private function findYamlFiles(string $directory): array
     /**
      * Store Sigma Rule and its version into the database
      */
-    private function storeSigmaRule(string $content, array $yamlData, string $filePath,SymfonyStyle $io): void
+    private function storeSigmaRule(string $content, array $yamlData, string $filename, string $filePath, SymfonyStyle $io): void
     {
-        $slugger = new AsciiSlugger();
-        $title = '';
-        $description = null;
-        $filename = $slugger->slug(pathinfo($filePath, PATHINFO_FILENAME));
+
+        $rule = new SigmaRule();
+        $rule->setTitle($yamlData['title']);
+        $rule->setDescription($yamlData['description']);
+        $rule->setFilename($filename);
+        $rule->setActive(false);
 
-        if (!empty($yamlData['title'])) {
-            $title = $yamlData['title'];
-        }else{
-            $title = substr($filename, 0, strlen($filename) - 4);
-        }
+        $ruleVersion = new SigmaRuleVersion();
+        $ruleVersion->setContent($content);
+        $ruleVersion->setLevel($yamlData['level']);
+        $rule->addVersion($ruleVersion);
 
-        if (!empty($yamlData['description'])) {
-            $description = $yamlData['description'];
-        }
 
-        $r = $this->entityManager->GetRepository(SigmaRule::class)->findOneBy(['title' => $title]);
+        $r = $this->entityManager->GetRepository(SigmaRule::class)->findOneBy(['title' => $yamlData['title']]);
         if ($r) {
-            $io->warning(sprintf('Rule with title "%s" already exists already exists in database', $title));
+            $io->warning(sprintf('Rule with title "%s" already exists in database', $yamlData['title']));
             return;
         }
 
-        $rd = $this->entityManager->getRepository(SigmaRuleVersion::class)->findOneBy(['hash' => md5($content)]);
+        $rd = $this->entityManager->getRepository(SigmaRuleVersion::class)->findOneBy(['hash' => $ruleVersion->getHash()]);
         if ($rd) {
-            $io->warning(sprintf('Rule "%s" ignored - content already exists in %s', $filePath, $title, $description));
+            $io->warning(sprintf('Rule "%s" ignored - content already exists', $filePath));
             return;
         }
 
-        $rule = new SigmaRule();
-        $rule->setFilename($filename);
-        $rule->setTitle($title);
-        $rule->setDescription($description);
-        $rule->setActive(false);
-        
-        $ruleVersion = new SigmaRuleVersion();
-        $ruleVersion->setContent($content);
-        $rule->addVersion($ruleVersion);
 
         try{
             $this->entityManager->persist($rule);

sentinel-kit_server_backend/src/Controller/SigmaController.php

@@ -7,17 +7,75 @@
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\Routing\Annotation\Route;
 use Symfony\Component\Serializer\SerializerInterface;
+use Symfony\Component\Yaml\Yaml;
+use Symfony\Component\Yaml\Exception\ParseException;
 use Doctrine\ORM\EntityManagerInterface;
 use App\Entity\SigmaRule;
+use App\Entity\SigmaRuleVersion;
+use App\Service\SigmaRuleValidator;
 
 class SigmaController extends AbstractController{
 
     private $entityManger;
     private $serializer;
+    private $validator;
 
-    public function __construct(EntityManagerInterface $em, SerializerInterface $serializer){
+    public function __construct(EntityManagerInterface $em, SerializerInterface $serializer, SigmaRuleValidator $validator){
         $this->entityManger = $em;
         $this->serializer = $serializer;
+        $this->validator = $validator;
+    }
+
+
+
+    #[Route('/api/rules/sigma/add_rule', name: 'app_sigma_add_rule', methods: ['POST'])]
+    public function SaveNewSigmaRule(Request $request): JsonResponse {
+        $data = json_decode($request->getContent(), true);
+        if (!isset($data['rule_content'])) {
+            return new JsonResponse(['error' => 'Missing rule content'], Response::HTTP_BAD_REQUEST);
+        }
+
+        $ruleContent = $data['rule_content'];
+        $validationResult = $this->validator->validateSigmaRuleContent($ruleContent);
+
+        if (isset($validationResult['error'])) {
+            return new JsonResponse(['error' => $validationResult['error']], Response::HTTP_BAD_REQUEST);
+        }
+
+        if (!empty($validationResult['missingFields'])) {
+            $missingFieldsString = implode(", ", $validationResult['missingFields']);
+            return new JsonResponse(['error' => "Missing required fields: " . $missingFieldsString], Response::HTTP_BAD_REQUEST);
+        }
+
+        $yamlData = $validationResult['yamlData'];
+        
+        $existingRule = $this->entityManger->getRepository(SigmaRule::class)->findOneBy(['title' => $yamlData['title']]);
+        if ($existingRule) {
+            return new JsonResponse(['error' => 'A rule with this title already exists'], Response::HTTP_BAD_REQUEST);
+        }
+
+        $newRule = new SigmaRule();
+        $newRuleVersion = new SigmaRuleVersion();
+        $newRule->setTitle($yamlData['title']);
+        $newRule->setDescription($yamlData['description']);
+        $newRule->setActive(false);
+        $newRuleVersion->setContent(Yaml::dump($yamlData, 4));
+        $newRuleVersion->setLevel($yamlData['level']);
+        $newRule->addVersion($newRuleVersion);
+
+        $existingVersion = $this->entityManger->getRepository(SigmaRuleVersion::class)->findOneBy(['hash' => $newRuleVersion->getHash()]);
+        if ($existingVersion) {
+            return new JsonResponse(['error' => 'A rule with the exact same content already exists'], Response::HTTP_BAD_REQUEST);
+        }
+
+        try{
+            $this->entityManger->persist($newRule);
+            $this->entityManger->flush();
+        } catch (\Exception $e) {
+            return  new JsonResponse(['error' => 'Failed to save the rule: ' . $e->getMessage()], Response::HTTP_INTERNAL_SERVER_ERROR);
+        }
+
+        return new JsonResponse(['error' => '', 'rule_id' => $newRule->getId()], Response::HTTP_OK);
     }
 
 
@@ -29,7 +87,7 @@ public function listRulesSummary(Request $request): Response
     }
 
     #[Route('/api/rules/sigma/{ruleId}/status', name:'app_sigma_change_rule_status', methods: ['PUT'])]
-    public function editRuleStatus(Request $request, int $ruleId): Response{
+    public function editRuleStatus(Request $request, int $ruleId): JsonResponse{
         $rule = $this->entityManger->getRepository(SigmaRule::class)->find($ruleId);
         if(!$rule){
             return new JsonResponse(['error' => 'Rule not found'], Response::HTTP_NOT_FOUND);
@@ -44,7 +102,7 @@ public function editRuleStatus(Request $request, int $ruleId): Response{
     }
 
     #[Route('api/rules/sigma/{ruleId}/details', name:'app_sigma_get_rule', methods: ['GET'])]
-    public function getRule(Request $request, int $ruleId): Response {
+    public function getRule(Request $request, int $ruleId): JsonResponse {
         $rule = $this->entityManger->getRepository(SigmaRule::class)->find($ruleId);
         if (!$rule) {
             return new JsonResponse(['error' => 'Rule not found'], Response::HTTP_NOT_FOUND);
@@ -54,8 +112,77 @@ public function getRule(Request $request, int $ruleId): Response {
         return new JsonResponse($serializedRule, Response::HTTP_OK, [], true);
     }
 
+    #[Route('/api/rules/sigma/{ruleId}/add_version', name: 'app_sigma_add_version', methods: ['POST'])]
+    public function addRuleVersion(Request $request, int $ruleId): JsonResponse {
+        $rule = $this->entityManger->getRepository(SigmaRule::class)->find($ruleId);
+        if (!$rule) {
+            return new JsonResponse(['error' => 'Rule not found'], Response::HTTP_NOT_FOUND);
+        }
+
+        $data = json_decode($request->getContent(), true);
+        if (!isset($data['rule_content'])) {
+            return new JsonResponse(['error' => 'Missing rule content'], Response::HTTP_BAD_REQUEST);
+        }
+
+        $ruleContent = $data['rule_content'];
+        $validationResult = $this->validator->validateSigmaRuleContent($ruleContent);
+
+        if (isset($validationResult['error'])) {
+            return new JsonResponse(['error' => $validationResult['error']], Response::HTTP_BAD_REQUEST);
+        }
+
+        if (!empty($validationResult['missingFields'])) {
+            $missingFieldsString = implode(", ", $validationResult['missingFields']);
+            return new JsonResponse(['error' => "Missing required fields: " . $missingFieldsString], Response::HTTP_BAD_REQUEST);
+        }
+
+        $yamlData = $validationResult['yamlData'];
+
+        $newRuleVersion = new SigmaRuleVersion();
+        $newRuleVersion->setContent($ruleContent);
+        $newRuleVersion->setLevel($yamlData['level']);
+        $newRuleVersion->setRule($rule);
+
+        $existingVersion = $this->entityManger->getRepository(SigmaRuleVersion::class)->findOneBy(['hash' => $newRuleVersion->getHash()]);
+        if ($existingVersion) {
+            return new JsonResponse(['error' => 'A version with the exact same content already exists'], Response::HTTP_BAD_REQUEST);
+        }
+
+        if ($rule->getTitle() !== $yamlData['title']) {
+            $rule->setTitle($yamlData['title']);
+        }
+        if ($rule->getDescription() !== $yamlData['description']) {
+            $rule->setDescription($yamlData['description']);
+        }
+
+        $existingRulesWithTitle = $this->entityManger->getRepository(SigmaRule::class)->findBy(['title' => $yamlData['title']]);
+        foreach ($existingRulesWithTitle as $existingRule) {
+            if ($existingRule->getId() !== $rule->getId()) {
+                return new JsonResponse(['error' => 'Another rule with this title already exists'], Response::HTTP_BAD_REQUEST);
+            }
+        }
+
+        $latestVersion = $this->entityManger->getRepository(SigmaRuleVersion::class)->findOneBy(
+            ['rule' => $rule],
+            ['id' => 'DESC']
+        );
+        if ($latestVersion && $latestVersion->getHash() === $newRuleVersion->getHash()) {
+            return new JsonResponse(['error' => 'The new version content is identical to the latest version'], Response::HTTP_BAD_REQUEST);
+        }
+
+
+        try {
+            $this->entityManger->persist($newRuleVersion);
+            $this->entityManger->flush();
+        } catch (\Exception $e) {
+            return new JsonResponse(['error' => 'Failed to save the new version: ' . $e->getMessage()], Response::HTTP_INTERNAL_SERVER_ERROR);
+        }
+
+        return new JsonResponse(['error' => '', 'version_id' => $newRuleVersion->getId()], Response::HTTP_OK);
+    }
+
     #[Route('api/rules/sigma/{ruleId}', name:'app_sigma_delete_rule', methods: ['DELETE'])]
-    public function deleteRule(Request $request, int $ruleId): Response {
+    public function deleteRule(Request $request, int $ruleId): JsonResponse {
         $rule = $this->entityManger->getRepository(SigmaRule::class)->find($ruleId);
         if (!$rule) {
             return new JsonResponse(['error' => 'Rule not found'], Response::HTTP_NOT_FOUND);

sentinel-kit_server_backend/src/Entity/SigmaRule.php

@@ -8,6 +8,7 @@
 use Doctrine\DBAL\Types\Types;
 use Doctrine\ORM\Mapping as ORM;
 use Symfony\Component\Serializer\Annotation\Groups;
+use Symfony\Component\String\Slugger\AsciiSlugger;
 
 #[ORM\Entity(repositoryClass: SigmaRuleRepository::class)]
 class SigmaRule
@@ -131,6 +132,8 @@ public function getTitle(): ?string
     public function setTitle(string $title): static
     {
         $this->title = trim($title);
+        $slugger = new AsciiSlugger();
+        $this->setFilename($slugger->slug($title)->lower());
 
         return $this;
     }

sentinel-kit_server_backend/src/Entity/SigmaRuleVersion.php

@@ -20,6 +20,10 @@ class SigmaRuleVersion
     #[Groups(['rule_details'])]
     private ?string $content = null;
 
+    #[ORM\Column(length: 20)]
+    #[Groups(['rule_details'])]
+    private ?string $level = 'informational';
+
     #[ORM\Column(length: 64, unique: true)]
     private ?string $hash = null;
 
@@ -54,6 +58,25 @@ public function setContent(string $content): static
         return $this;
     }
 
+    public function getLevel(): ?string
+    {
+        return $this->level;
+    }
+
+    public function setLevel(string $level): static
+    {
+        $allowedLevels = ['informational', 'low', 'medium', 'high', 'critical'];
+        if (!in_array($level, $allowedLevels)) {
+            throw new \InvalidArgumentException(
+                sprintf('Invalid level "%s". Allowed values are: %s', $level, implode(', ', $allowedLevels))
+            );
+        }
+        
+        $this->level = $level;
+
+        return $this;
+    }
+
     public function getHash(): ?string
     {
         return $this->hash;

sentinel-kit_server_backend/src/Repository/SigmaRuleRepository.php

@@ -22,7 +22,23 @@ public function __construct(ManagerRegistry $registry)
      * @return array
      */
     public function summaryFindAll() : array{
-        $qb = $this->createQueryBuilder("r")->orderBy("r.title","ASC")->select("r.id","r.title","r.description","r.active","r.createdOn","r.createdOn");
+        $qb = $this->createQueryBuilder("r");
+
+        $subQuery = $this->createQueryBuilder('r2')
+            ->select('MAX(v2.createdOn)')
+            ->innerJoin('r2.versions', 'v2')
+            ->where('r2.id = r.id') 
+            ->getDQL();
+
+        $qb->leftJoin(
+                'r.versions',
+                'v', 
+                Join::WITH, 
+                $qb->expr()->eq('v.createdOn', '(' . $subQuery . ')')
+            )
+            ->select("r.id","r.title","r.description","r.active","r.createdOn","v.level")
+            ->orderBy("r.title","ASC");
+            
         return $qb->getQuery()->getResult();
     }