doc: update supported-modifier.py
fukusuket committed Nov 25, 2024
1 parent dbd0dfb commit b504bf5
Showing 2 changed files with 28 additions and 28 deletions.
54 changes: 27 additions & 27 deletions doc/SupportedSigmaFieldModifiers.md
@@ -1,41 +1,41 @@
# Hayabusa supported field modifiers
| Field Modifier | Sigma Count | Hayabusa Count |
|:----------------------|--------------:|-----------------:|
| all | 13 | 0 |
| base64offsetǀcontains | 7 | 0 |
| cased | 0 | 0 |
| cidr | 34 | 0 |
| contains | 2763 | 21 |
| containsǀall | 977 | 0 |
| containsǀallǀwindash | 4 | 0 |
| containsǀwindash | 78 | 0 |
| endswith | 2915 | 271 |
| endswithfield | 0 | 2 |
| endswithǀwindash | 2 | 0 |
| equalsfield | 0 | 1 |
| exists | 0 | 0 |
| fieldref | 1 | 0 |
| fieldrefǀendswith | 0 | 0 |
| re | 167 | 11 |
| reǀi | 0 | 0 |
| reǀm | 0 | 0 |
| reǀs | 0 | 0 |
| startswith | 443 | 6 |

# Hayabusa unsupported field modifiers
| Field Modifier | Sigma Count | Hayabusa Count |
|:------------------------------|--------------:|-----------------:|
| containsǀexpand | 1 | 0 |
| expand | 9 | 0 |
| all | 13 | 0 |
| base64offsetǀcontains | 7 | 0 |
| cased | 0 | 0 |
| cidr | 34 | 0 |
| contains | 2761 | 21 |
| containsǀall | 977 | 0 |
| containsǀallǀwindash | 4 | 0 |
| containsǀwindash | 78 | 0 |
| endswith | 2915 | 271 |
| endswithfield | 0 | 0 |
| endswithǀwindash | 2 | 0 |
| equalsfield | 0 | 0 |
| exists | 0 | 0 |
| fieldref | 1 | 1 |
| fieldrefǀendswith | 0 | 2 |
| gt | 0 | 0 |
| gte | 0 | 0 |
| lt | 0 | 0 |
| lte | 0 | 0 |
| re | 167 | 11 |
| reǀi | 0 | 0 |
| reǀm | 0 | 0 |
| reǀs | 0 | 0 |
| startswith | 443 | 6 |
| utf16beǀbase64offsetǀcontains | 0 | 0 |
| utf16leǀbase64offsetǀcontains | 0 | 0 |
| utf16ǀbase64offsetǀcontains | 0 | 0 |
| wideǀbase64offsetǀcontains | 0 | 0 |

# Hayabusa unsupported field modifiers
| Field Modifier | Sigma Count | Hayabusa Count |
|:-----------------|--------------:|-----------------:|
| containsǀexpand | 1 | 0 |
| expand | 9 | 0 |

# Hayabusa supported correlation rules
| Correlation Rule | Sigma Count | Hayabusa Count |
|:----------------------------|--------------:|-----------------:|
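Review bot: in the regenerated supported-modifiers table, `equalsfield` and `endswithfield` drop to a Hayabusa count of 0 while `fieldref` and `fieldrefǀendswith` pick up 1 and 2, so the Hayabusa rules appear to have moved to the Sigma-standard `fieldref` modifier; since the script change in this same commit still lists `equalsfield` and `endswithfield` as supported, a one-line note in this document saying whether they remain as legacy aliases would save readers a trip to the source. Separately, the `contains` Sigma count falls from 2763 to 2761 while every other Sigma count is unchanged; confirm this comes from a refreshed sigma checkout rather than a counting change, and consider recording the sigma and hayabusa-rules commits the counts were generated from alongside the tables.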
Expand All @@ -51,5 +51,5 @@
| temporal_count (with group-by) | 0 | 0 |

This document is being dynamically updated based on the latest rules.
Last Update: 2024/11/19
Last Update: 2024/11/25
Author: Fukusuke Takahashi
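Review bot: the `Last Update` line is edited by hand here although the footer states the document is dynamically updated; having supported-modifier.py write the date itself when it regenerates the tables would keep the two from drifting.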
2 changes: 1 addition & 1 deletion scripts/supported_modifiers_check/supported-modifier.py
Expand Up @@ -103,7 +103,7 @@ def categorize_modifiers(sigma_key_counter, hayabusa_key_counter, hayabusa_suppo
sigma_mod_counter, sigma_col_counter = get_yml_detection_counts(args.sigma_path)
hayabusa_mod_counter, hayabusa_col_counter = get_yml_detection_counts(args.hayabusa_path)

hayabusa_supported_modifiers = {"all", "base64offset", "contains", "cidr", "windash", "endswith", "startswith", "re", "exists", "cased", "re", "re|i", "re|m", "re|s" , 'equalsfield', 'endswithfield', 'fieldref'}
hayabusa_supported_modifiers = {"all", "base64offset", "contains", "cidr", "windash", "endswith", "startswith", "re", "exists", "cased", "re", "re|i", "re|m", "re|s" , 'equalsfield', 'endswithfield', 'fieldref', 'gt', 'gte', 'lt', 'lte', 'utf16', 'utf16be', 'utf16le', 'wide'}
mod_supported, mod_unsupported = categorize_modifiers(sigma_mod_counter, hayabusa_mod_counter, hayabusa_supported_modifiers)

hayabusa_supported_modifiers = {"event_count", "event_count (with group-by)", "value_count", "value_count (with group-by)"}
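Review bot: `"re"` appears twice in the `hayabusa_supported_modifiers` set literal (once after `"startswith"` and again after `"cased"`), which is harmless in a set but shows the list is maintained by hand; while touching this line, drop the duplicate, remove the stray space in `"re|s" ,` and settle on one quote style. The new bare entries `'utf16'`, `'utf16be'`, `'utf16le'` and `'wide'` are only meaningful in Sigma as a prefix to `base64offset|contains`, and the regenerated table accordingly lists only the compound forms; if `categorize_modifiers` accepts a modifier chain whenever each `|`-separated component is in this set, a chain such as `wide|contains` would also be reported as supported, so a small test for that case is worth adding. Finally, the same variable name is reused on the next line for the correlation-rule set; a distinct name such as `hayabusa_supported_correlations` would make the two calls easier to read.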

0 comments on commit b504bf5