
Commit 33aed24

Add Level Validation Logic
1 parent ecc2832 commit 33aed24


2 files changed

+21
-6
lines changed


Sigma_rule_validation_program

976 Bytes
Binary file not shown.

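--- a/Sigma_rule_validation_program.c
+++ b/Sigma_rule_validation_program.c
@@ -185,6 +185,7 @@ void parse_yaml(const char *filename, Rule *rule) {
 }
 
 void print_yaml(const Rule *rule) {
+printf("----------- PARSED SIGMA RULE -----------\n");
 printf("title: %s\n", rule->title);
 printf("id: %s\n", rule->id);
 printf("status: %s\n", rule->status);
@@ -209,7 +210,7 @@ void print_yaml(const Rule *rule) {
 printf("tags: \n");
 for (int i = 0; rule->tags[i].tags[0] != '\0';i++)
 printf(" - %s\n", rule->tags[i].tags);
-printf("\n");
+printf("-----------------------------------------\n\n\n");
 }
 
 void validate_yamllint(const char *filename){
@@ -226,6 +227,19 @@ void validate_yamllint(const char *filename){
 
 }
 
+void validate_level(const char *level){
+int is_valid = 0;
+const char *approved_level[] = {"informational", "low", "medium", "high", "critical"};
+for (int i = 0; level[i] != '\0';i++){
+if(strcmp(level, approved_level[i]) == 0){
+is_valid = 1;
+}
+}
+if (!is_valid) {
+printf("[ERROR] INVALID LEVEL -> The level is not valid\n");
+} else {printf("[PASS] VALID SIGMA LEVEL\n");}
+}
+
 void validate_detection(const char *category, const Detection *detection){
 const char *selection[20] ={};
 const char *field[20] = {};
@@ -377,13 +391,10 @@ void validate_detection(const char *category, const Detection *detection){
 } else {printf("[PASS] VALID SIGMA DETECTION - VALID CONDITION\n");
 }
 }
-
-
-
 }
 
 void validate_logsource(const char *logsource){
-char *category[] = {"process_creation", "process_access", "network_connection", "driver_load",
+const char *category[] = {"process_creation", "process_access", "network_connection", "driver_load",
 "image_load", "file_event", "file_delete", "registry_event", "registry_add", "registry_delete",
 "registry_set", "create_stream_hash", "dns_query"};
 int count = sizeof(category) / sizeof(category[0]);
@@ -414,7 +425,7 @@ void validate_date(const char *date){
 
 void validate_status(const char *status){
 int is_valid = 0;
-char *valid_status[] = {"stable", "test", "experimental", "deprecated", "unsupported"};
+const char *valid_status[] = {"stable", "test", "experimental", "deprecated", "unsupported"};
 size_t count = sizeof(valid_status) / sizeof(valid_status[0]);
 if (status == NULL) {
 printf("[ERROR] INVALID STATUS -> Status is NULL\n");
@@ -465,11 +476,14 @@ void validate_uuid(const char *id) {
 }
 
 void validate_sigma(const Rule *rule){
+printf("----------- SIGMA RULE VALIDATION -----------\n");
 validate_uuid(rule->id);
 validate_status(rule->status);
 validate_date(rule->date);
 validate_logsource(rule->logsource->category);
 validate_detection(rule->logsource->category, rule->detection);
+validate_level(rule->level);
+printf("------------ VALIDATION COMPLETE ------------\n\n\n");
 }
 
 int main() {
@@ -500,5 +514,6 @@ int main() {
 parse_yaml(fname, &rule);
 print_yaml(&rule);
 validate_sigma(&rule);
+
 return 0;
 }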
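Review bot: The new `validate_level` loop is bounded by the characters of `level` (`for (int i = 0; level[i] != '\0'; i++)`) but indexes `approved_level[i]`, which has only five entries, so any level longer than five characters — including the valid values `medium`, `critical` and `informational` — reads past the table and hands garbage pointers to `strcmp` (undefined behaviour, in practice a likely crash on attacker-supplied rule files). Bound the loop by the table size the way `validate_status` already does: `size_t count = sizeof(approved_level) / sizeof(approved_level[0]);` and `for (size_t i = 0; i < count; i++){`, optionally breaking once `is_valid` is set. A NULL guard before the loop would also keep it consistent with `validate_status`, which reports a NULL field instead of dereferencing it; `rule->level` is filled by `parse_yaml` outside this diff, so whether it can be NULL is not visible here. A one-line comment such as `/* level must be one of the Sigma levels; iterate the table, not the characters of level */` would make the intent of the loop clear.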
