bpmcdevitt/auto_sigma_rule_generator
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

MAJOR: Transform web application to professional CLI-based SIGMA rule generator

Browse source 
🎉 **Architecture Transformation (v2.0)**
- Complete migration from web app to professional CLI tool
- File-based SIGMA rule management system
- Git-friendly directory structure organized by year/CVE-ID
- Multiple rule variants per CVE (template, LLM, hybrid)

 **New CLI System**
- Professional command-line interface with Click framework
- 8 command groups: process, generate, search, stats, export, migrate
- Modular command architecture for maintainability
- Comprehensive help system and configuration management

📁 **File-Based Storage Architecture**
- Individual CVE directories: cves/YEAR/CVE-ID/
- Multiple SIGMA rule variants per CVE
- JSON metadata with processing history and PoC data
- Native YAML files perfect for version control

🚀 **Core CLI Commands**
- process: CVE processing and bulk operations
- generate: SIGMA rule generation with multiple methods
- search: Advanced CVE and rule searching with filters
- stats: Comprehensive statistics and analytics
- export: Multiple output formats for different workflows
- migrate: Database-to-file migration tools

🔧 **Migration Support**
- Complete migration utilities from web database
- Data validation and integrity checking
- Backward compatibility with existing processors
- Legacy web interface maintained for transition

📊 **Enhanced Features**
- Advanced search with complex filtering (severity, PoC presence, etc.)
- Multi-format exports (YAML, JSON, CSV)
- Comprehensive statistics and coverage reports
- File-based rule versioning and management

🎯 **Production Benefits**
- No database dependency - runs anywhere
- Perfect for cybersecurity teams using git workflows
- Direct integration with SIGMA ecosystems
- Portable architecture for CI/CD pipelines
- Multiple rule variants for different detection scenarios

📝 **Documentation Updates**
- Complete README rewrite for CLI-first approach
- Updated CLAUDE.md with new architecture details
- Detailed CLI documentation with examples
- Migration guides and troubleshooting

**Perfect for security teams wanting production-ready SIGMA rules with version control\! 🛡️**

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Brendan McDevitt 2025-07-21 13:11:03 -05:00
parent d51f3ea402
commit e579c91b5e
13 changed files with 2994 additions and 279 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

224
CLAUDE.md
View file

@ -2,124 +2,120 @@
This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
## Project Overview
## Project Overview - CLI-Based Architecture (v2.0)
This is an enhanced CVE-SIGMA Auto Generator that automatically processes comprehensive CVE data and generates SIGMA rules for threat detection. The application now supports:
This is an enhanced CVE-SIGMA Auto Generator that has been **transformed from a web application to a professional CLI tool** with file-based SIGMA rule management. The system now supports:
1. **Bulk NVD Data Processing**: Downloads and processes complete NVD JSON datasets (2002-2025)
2. **nomi-sec PoC Integration**: Uses curated PoC data from github.com/nomi-sec/PoC-in-GitHub
3. **Enhanced SIGMA Rule Generation**: Creates intelligent rules based on real exploit indicators
4. **Comprehensive Database Seeding**: Supports both bulk and incremental data updates
## Architecture
## Architecture - CLI-Based System
### **Current Primary Architecture (v2.0)**
- **CLI Interface**: Professional command-line tool (`cli/sigma_cli.py`) with modular commands
- **File-Based Storage**: Git-friendly YAML and JSON files organized by year/CVE-ID
- **Directory Structure**:
- `cves/YEAR/CVE-ID/`: Individual CVE directories with metadata and multiple rule variants
- `cli/commands/`: Modular command system (process, generate, search, stats, export, migrate)
- `reports/`: Generated statistics and export outputs
- **Data Processing**:
- Reuses existing backend processors for CVE fetching and analysis
- File-based rule generation with multiple variants per CVE
- CLI-driven bulk operations and incremental updates
- **Storage Format**:
- `metadata.json`: CVE information, PoC data, processing history
- `rule_*.sigma`: Multiple SIGMA rule variants (template, LLM, hybrid)
- `poc_analysis.json`: Extracted exploit indicators and analysis
### **Legacy Web Architecture (Optional, for Migration)**
- **Backend**: FastAPI with SQLAlchemy ORM (`backend/main.py`)
- **Frontend**: React with Tailwind CSS (`frontend/src/App.js`)
- **Database**: PostgreSQL with enhanced schema:
- `cves`: CVE information with PoC metadata and bulk processing fields
- `sigma_rules`: Enhanced SIGMA rules with quality scoring and nomi-sec data
- `rule_templates`: Template patterns for rule generation
- `bulk_processing_jobs`: Job tracking for bulk operations
- **Data Processing**:
- `nvd_bulk_processor.py`: NVD JSON dataset downloader and processor
- `nomi_sec_client.py`: nomi-sec PoC-in-GitHub API integration
- `enhanced_sigma_generator.py`: Advanced SIGMA rule generation
- `bulk_seeder.py`: Coordinated bulk seeding operations
- **Database**: PostgreSQL (used only for migration to file-based system)
- **Cache**: Redis (optional)
- **Deployment**: Docker Compose orchestration
- **Deployment**: Docker Compose (maintained for migration purposes)
## Common Development Commands
### Quick Start
### **CLI Quick Start (Recommended)**
```bash
# Recommended quick start
chmod +x start.sh
./start.sh
# Install CLI dependencies
pip install -r cli/requirements.txt
# Or using Make
make start
# Make CLI executable
chmod +x cli/sigma_cli.py
# Initialize configuration
./cli/sigma_cli.py config-init
# Test CLI installation
./cli/sigma_cli.py --help
```
### Build and Run
### **CLI Primary Operations**
```bash
# Build and start all services
docker-compose up -d --build
# Process CVEs and generate SIGMA rules
./cli/sigma_cli.py process year 2024 # Process specific year
./cli/sigma_cli.py process cve CVE-2024-0001 # Process specific CVE
./cli/sigma_cli.py process bulk --start-year 2020 # Bulk process years
./cli/sigma_cli.py process incremental --days 7 # Process recent changes
# Start individual services
docker-compose up -d db redis # Database and cache only
docker-compose up -d backend # Backend API
docker-compose up -d frontend # React frontend
# Generate rules for existing CVEs
./cli/sigma_cli.py generate cve CVE-2024-0001 --method all
./cli/sigma_cli.py generate regenerate --year 2024 --method llm
# Search and analyze
./cli/sigma_cli.py search cve "buffer overflow" --severity critical --has-poc
./cli/sigma_cli.py search rules "powershell" --method llm
# Statistics and reports
./cli/sigma_cli.py stats overview --year 2024
./cli/sigma_cli.py stats poc --year 2024
./cli/sigma_cli.py stats rules --method template
# Export data
./cli/sigma_cli.py export sigma ./output-rules --format yaml --year 2024
./cli/sigma_cli.py export metadata ./reports/cve-data.csv --format csv
```
### Development Mode
### **Migration from Web Application**
```bash
# Using Make
make dev
# Migrate existing database to file structure
./cli/sigma_cli.py migrate from-database --database-url "postgresql://user:pass@localhost:5432/db"
# Or manually
docker-compose up -d db redis
cd backend && pip install -r requirements.txt && uvicorn main:app --reload
cd frontend && npm install && npm start
# Validate migrated data
./cli/sigma_cli.py migrate validate --year 2024
# Check migration statistics
./cli/sigma_cli.py stats overview
```
### Bulk Processing Commands
### **Legacy Web Interface (Optional)**
```bash
# Run bulk seeding standalone
cd backend && python bulk_seeder.py
# Start legacy web interface (for migration only)
docker-compose up -d db redis backend frontend
# Bulk seed specific year range
cd backend && python -c "
import asyncio
from bulk_seeder import BulkSeeder
from main import SessionLocal
seeder = BulkSeeder(SessionLocal())
asyncio.run(seeder.full_bulk_seed(start_year=2020, end_year=2025))
"
# Incremental update only
cd backend && python -c "
import asyncio
from bulk_seeder import BulkSeeder
from main import SessionLocal
seeder = BulkSeeder(SessionLocal())
asyncio.run(seeder.incremental_update())
"
# Access points:
# - Frontend: http://localhost:3000
# - API: http://localhost:8000
# - API Docs: http://localhost:8000/docs
# - Flower (Celery): http://localhost:5555
```
### Frontend Commands
### **Development and Testing**
```bash
cd frontend
npm install # Install dependencies
npm start # Development server (port 3000)
npm run build # Production build
npm test # Run tests
```
# CLI with verbose logging
./cli/sigma_cli.py --verbose process year 2024
### Backend Commands
```bash
cd backend
pip install -r requirements.txt
uvicorn main:app --reload # Development server (port 8000)
uvicorn main:app --host 0.0.0.0 --port 8000 # Production server
```
# Test individual commands
./cli/sigma_cli.py version
./cli/sigma_cli.py config-init
./cli/sigma_cli.py stats overview
### Database Operations
```bash
# Connect to database
docker-compose exec db psql -U cve_user -d cve_sigma_db
# View logs
docker-compose logs -f backend
docker-compose logs -f frontend
```
### Other Make Commands
```bash
make stop # Stop all services
make restart # Restart all services
make logs # View application logs
make clean # Clean up containers and volumes
make setup # Initial setup (creates .env from .env.example)
# Check file structure
ls -la cves/2024/ # View processed CVEs
ls -la cves/2024/CVE-2024-0001/ # View individual CVE files
```
## Key Configuration
@ -135,7 +131,14 @@ make setup # Initial setup (creates .env from .env.example)
- `DATABASE_URL`: PostgreSQL connection string
- `REACT_APP_API_URL`: Backend API URL for frontend
### Service URLs
### CLI Configuration
- **Configuration File**: `~/.sigma-cli/config.yaml` (auto-created with `config-init`)
- **Directory Structure**:
- `cves/YEAR/CVE-ID/`: Individual CVE data and rules
- `reports/`: Generated statistics and exports
- `cli/`: Command-line tool and modules
### Legacy Service URLs (If Using Web Interface)
- Frontend: http://localhost:3000
- Backend API: http://localhost:8000
- API Documentation: http://localhost:8000/docs
@ -165,27 +168,40 @@ make setup # Initial setup (creates .env from .env.example)
## Code Architecture Details
### Enhanced Backend Structure
- **main.py**: Core FastAPI application with enhanced endpoints
- **nvd_bulk_processor.py**: NVD JSON dataset downloader and processor
- **nomi_sec_client.py**: nomi-sec PoC-in-GitHub API integration
- **enhanced_sigma_generator.py**: Advanced SIGMA rule generation with PoC data
- **llm_client.py**: Multi-provider LLM integration using LangChain for AI-enhanced rule generation
- **bulk_seeder.py**: Coordinated bulk processing operations
### **CLI Structure (Primary)**
- **cli/sigma_cli.py**: Main executable CLI with Click framework
- **cli/commands/**: Modular command system
- `base_command.py`: Common functionality and file operations
- `process_commands.py`: CVE processing and bulk operations
- `generate_commands.py`: SIGMA rule generation
- `search_commands.py`: Search and filtering
- `stats_commands.py`: Statistics and reporting
- `export_commands.py`: Data export in multiple formats
- `migrate_commands.py`: Database migration tools
- **cli/config/**: Configuration management
- **cli/README.md**: Detailed CLI documentation
### Database Models (Enhanced)
- **CVE**: Enhanced with `poc_count`, `poc_data`, `bulk_processed`, `data_source`
- **SigmaRule**: Enhanced with `poc_source`, `poc_quality_score`, `nomi_sec_data`
- **RuleTemplate**: Template patterns for rule generation
- **BulkProcessingJob**: Job tracking for bulk operations
### **File-Based Storage Structure**
- **CVE Directories**: `cves/YEAR/CVE-ID/` with individual metadata and rule files
- **Rule Variants**: Multiple SIGMA files per CVE (template, LLM, hybrid)
- **Metadata Format**: JSON files with processing history and PoC data
- **Reports**: Generated statistics and export outputs
### Frontend Structure (Enhanced)
- **Three Main Tabs**: Dashboard, CVEs, SIGMA Rules
- **Enhanced Dashboard**: PoC coverage statistics, data synchronization controls
- **Enhanced CVE/Rule Display**: PoC quality indicators, exploit-based tagging
- **Task Monitoring**: Via Flower dashboard (http://localhost:5555)
### **Legacy Backend Structure (For Migration)**
- **main.py**: Core FastAPI application (maintained for migration)
- **Data Processors**: Reused by CLI for CVE fetching and analysis
- `nvd_bulk_processor.py`: NVD JSON dataset processing
- `nomi_sec_client.py`: nomi-sec PoC integration
- `enhanced_sigma_generator.py`: SIGMA rule generation
- `llm_client.py`: Multi-provider LLM integration
### Data Processing Flow
### **CLI-Based Data Processing Flow**
1. **CVE Processing**: NVD data fetch → File storage → PoC analysis → Metadata generation
2. **Rule Generation**: Template/LLM/Hybrid generation → Multiple rule variants → File storage
3. **Search & Analysis**: File-based searching → Statistics generation → Export capabilities
4. **Migration Support**: Database export → File conversion → Validation → Cleanup
### **Legacy Web Processing Flow (For Reference)**
1. **Bulk Seeding**: NVD JSON downloads → Database storage → nomi-sec PoC sync → Enhanced rule generation
2. **Incremental Updates**: NVD modified feeds → Update existing data → Sync new PoCs
3. **Rule Enhancement**: PoC analysis → Indicator extraction → Template selection → Enhanced SIGMA rule

487
README.md
View file

@ -1,252 +1,368 @@
# CVE-SIGMA Auto Generator
# CVE-SIGMA Auto Generator - CLI Edition
Automated platform that generates SIGMA detection rules from CVE data using AI-enhanced exploit analysis.
**Professional file-based SIGMA rule generation system for cybersecurity workflows**
Automated CLI tool that generates SIGMA detection rules from CVE data using AI-enhanced exploit analysis. Now optimized for git workflows and production SIGMA rule management with a file-based architecture.
## 🌟 **Major Architecture Update**
**🎉 New in v2.0**: Transformed from web application to professional CLI tool with file-based SIGMA rule management!
- **Git-Friendly**: Native YAML files perfect for version control
- **Industry Standard**: Direct integration with SIGMA ecosystems
- **Portable**: No database dependency, works anywhere
- **Scalable**: Process specific years/CVEs as needed
- **Multiple Variants**: Different generation methods per CVE
## ✨ Key Features
- **Bulk CVE Processing**: Complete NVD datasets (2002-2025) with nomi-sec PoC integration
- **AI-Powered Rule Generation**: Multi-provider LLM support (OpenAI, Anthropic, local Ollama)
- **File-Based Storage**: Organized directory structure for each CVE and rule variant
- **Quality-Based PoC Analysis**: 5-tier quality scoring system for exploit reliability
- **Real-time Monitoring**: Live job tracking and progress dashboard
- **Advanced Indicators**: Extract processes, files, network patterns from actual exploits
- **Advanced Search & Filtering**: Find CVEs and rules with complex criteria
- **Comprehensive Statistics**: Coverage reports and generation analytics
- **Export Tools**: Multiple output formats for different workflows
## 🚀 Quick Start
### Prerequisites
- Docker and Docker Compose
- Python 3.8+ with pip
- (Optional) Docker for legacy web interface
- (Optional) API keys for enhanced features
### Installation
```bash
# Clone and start
# Clone repository
git clone <repository-url>
cd auto_sigma_rule_generator
chmod +x start.sh
./start.sh
# Install CLI dependencies
pip install -r cli/requirements.txt
# Make CLI executable
chmod +x cli/sigma_cli.py
# Initialize configuration
./cli/sigma_cli.py config-init
```
**Access Points:**
- Frontend: http://localhost:3000
- API: http://localhost:8000
- API Docs: http://localhost:8000/docs
### First Run - Migration from Web App (If Applicable)
### First Run
The application automatically:
1. Initializes database with rule templates
2. Fetches recent CVEs from NVD
3. Generates SIGMA rules with AI enhancement
4. Polls for new CVEs hourly
## 🎯 Usage
### Web Interface
- **Dashboard**: Statistics and system overview
- **CVEs**: Complete CVE listing with PoC data
- **SIGMA Rules**: Generated detection rules
- **Bulk Jobs**: Processing status and controls
### API Endpoints
#### Core Operations
```bash
# Fetch CVEs
curl -X POST http://localhost:8000/api/fetch-cves
# If migrating from previous web version
./cli/sigma_cli.py migrate from-database --database-url "postgresql://user:pass@localhost:5432/db"
# Bulk processing
curl -X POST http://localhost:8000/api/bulk-seed
curl -X POST http://localhost:8000/api/incremental-update
# Validate migration
./cli/sigma_cli.py migrate validate
# LLM-enhanced rules
curl -X POST http://localhost:8000/api/llm-enhanced-rules
# Or start fresh with new CVE processing
./cli/sigma_cli.py process year 2024
```
#### Data Access
- `GET /api/cves` - List CVEs
- `GET /api/sigma-rules` - List rules
- `GET /api/stats` - Statistics
- `GET /api/llm-status` - LLM provider status
## 🎯 CLI Usage
## ⚙️ Configuration
### **Core Commands**
### Environment Variables
**Core Settings**
```bash
DATABASE_URL=postgresql://user:pass@db:5432/dbname
NVD_API_KEY=your_nvd_key # Optional: 5→50 req/30s
GITHUB_TOKEN=your_github_token # Optional: Enhanced PoC analysis
# Process CVEs and generate rules
./cli/sigma_cli.py process year 2024 # Process specific year
./cli/sigma_cli.py process cve CVE-2024-0001 # Process specific CVE
./cli/sigma_cli.py process bulk --start-year 2020 # Bulk process multiple years
./cli/sigma_cli.py process incremental --days 7 # Process recent changes
# Generate rules for existing CVEs
./cli/sigma_cli.py generate cve CVE-2024-0001 --method all # All generation methods
./cli/sigma_cli.py generate regenerate --year 2024 --method llm # Regenerate with LLM
# Search CVEs and rules
./cli/sigma_cli.py search cve "buffer overflow" --severity critical --has-poc
./cli/sigma_cli.py search rules "powershell" --method llm
# View statistics and reports
./cli/sigma_cli.py stats overview --year 2024 --output ./reports/2024-stats.json
./cli/sigma_cli.py stats poc --year 2024 # PoC coverage statistics
./cli/sigma_cli.py stats rules --method template # Rule generation statistics
# Export data
./cli/sigma_cli.py export sigma ./output-rules --format yaml --year 2024
./cli/sigma_cli.py export metadata ./reports/cve-data.csv --format csv
```
**LLM Configuration**
```bash
LLM_PROVIDER=ollama # Default: ollama (local)
LLM_MODEL=llama3.2 # Provider-specific model
OLLAMA_BASE_URL=http://ollama:11434
### **Available Generation Methods**
- `template` - Template-based rule generation
- `llm` - AI/LLM-enhanced generation (OpenAI, Anthropic, Ollama)
- `hybrid` - Combined template + LLM approach
- `all` - Generate all variants
# External providers (optional)
OPENAI_API_KEY=your_openai_key
ANTHROPIC_API_KEY=your_anthropic_key
## 📁 File Structure
The CLI organizes everything in a clean, git-friendly structure:
```
auto_sigma_rule_generator/
├── cves/ # CVE data organized by year
│ ├── 2024/
│ │ ├── CVE-2024-0001/
│ │ │ ├── metadata.json # CVE info & generation metadata
│ │ │ ├── rule_template.sigma # Template-based rule
│ │ │ ├── rule_llm_openai.sigma # OpenAI-generated rule
│ │ │ ├── rule_llm_anthropic.sigma# Anthropic-generated rule
│ │ │ ├── rule_hybrid.sigma # Hybrid-generated rule
│ │ │ └── poc_analysis.json # PoC analysis data
│ │ └── CVE-2024-0002/...
│ └── 2023/...
├── cli/ # CLI tool and commands
│ ├── sigma_cli.py # Main CLI executable
│ ├── commands/ # Command modules
│ └── README.md # Detailed CLI documentation
└── reports/ # Generated reports and exports
```
### API Keys Setup
### **File Formats**
**NVD API** (Recommended)
1. Get key: https://nvd.nist.gov/developers/request-an-api-key
2. Add to `.env`: `NVD_API_KEY=your_key`
3. Benefit: 10x rate limit increase
**metadata.json** - CVE information and processing history
```json
{
"cve_info": {
"cve_id": "CVE-2024-0001",
"description": "Remote code execution vulnerability...",
"cvss_score": 9.8,
"severity": "critical",
"published_date": "2024-01-01T00:00:00Z"
},
"poc_data": {
"poc_count": 3,
"poc_data": {"nomi_sec": [...], "github": [...]}
},
"rule_generation": {
"template": {"generated_at": "2024-01-01T12:00:00Z"},
"llm_openai": {"generated_at": "2024-01-01T12:30:00Z"}
}
}
```
**GitHub Token** (Optional)
1. Create: https://github.com/settings/tokens (public_repo scope)
2. Add to `.env`: `GITHUB_TOKEN=your_token`
3. Benefit: Enhanced exploit-based rules
**LLM APIs** (Optional)
- **Local Ollama**: No setup required (default)
- **OpenAI**: Get key from https://platform.openai.com/api-keys
- **Anthropic**: Get key from https://console.anthropic.com/
## 🧠 Rule Generation
### AI-Enhanced Generation
1. **PoC Analysis**: LLM analyzes actual exploit code
2. **Intelligent Detection**: Creates sophisticated SIGMA rules
3. **Context Awareness**: Maps CVE descriptions to detection patterns
4. **Validation**: Automatic SIGMA syntax verification
5. **Fallback**: Template-based generation if LLM unavailable
### Quality Tiers
- **Excellent** (80+ pts): High-quality PoCs with recent updates
- **Good** (60-79 pts): Moderate quality indicators
- **Fair** (40-59 pts): Basic PoCs with some validation
- **Poor** (20-39 pts): Minimal quality indicators
- **Very Poor** (<20 pts): Low-quality PoCs
### Rule Types
- 🤖 **AI-Enhanced**: LLM-generated with PoC analysis
- 🔍 **Exploit-Based**: Template + GitHub exploit indicators
- ⚡ **Basic**: CVE description only
### Example Output
**SIGMA Rule Files** - Ready-to-use detection rules
```yaml
title: CVE-2025-1234 AI-Enhanced Detection
description: Detection for CVE-2025-1234 RCE [AI-Enhanced with PoC analysis]
# rule_llm_openai.sigma
title: CVE-2024-0001 Remote Code Execution Detection
id: 12345678-1234-5678-9abc-123456789012
status: experimental
description: Detects exploitation attempts for CVE-2024-0001
author: CVE-SIGMA Auto Generator (OpenAI Enhanced)
date: 2024/01/01
references:
- https://nvd.nist.gov/vuln/detail/CVE-2024-0001
tags:
- attack.t1059.001
- cve-2025-1234
- cve.2024.0001
- ai.enhanced
logsource:
category: process_creation
product: windows
detection:
selection_process:
selection:
Image|endswith: '\powershell.exe'
CommandLine|contains:
- '-EncodedCommand'
- 'bypass'
selection_network:
DestinationPort: [443, 80]
condition: selection_process and selection_network
condition: selection
falsepositives:
- Legitimate administrative scripts
level: high
```
## 🛠️ Development
## ⚙️ Configuration
### Local Development
```bash
# Start dependencies
docker-compose up -d db redis ollama
### CLI Configuration (`~/.sigma-cli/config.yaml`)
# Backend
cd backend && pip install -r requirements.txt
uvicorn main:app --reload
```yaml
# API Keys for enhanced functionality
api_keys:
nvd_api_key: "your_nvd_key" # Optional: 5→50 req/30s rate limit
github_token: "your_github_token" # Optional: Enhanced PoC analysis
openai_api_key: "your_openai_key" # Optional: AI rule generation
anthropic_api_key: "your_anthropic_key" # Optional: AI rule generation
# Frontend
cd frontend && npm install && npm start
# LLM Settings
llm_settings:
default_provider: "ollama" # Default: ollama (local)
default_model: "llama3.2" # Provider-specific model
ollama_base_url: "http://localhost:11434"
# Processing Settings
processing:
default_batch_size: 50 # CVEs per batch
default_methods: ["template"] # Default generation methods
```
### Testing LLM Integration
### API Keys Setup
**NVD API Key** (Recommended)
- Get key: https://nvd.nist.gov/developers/request-an-api-key
- Benefit: 10x rate limit increase (5 → 50 requests/30s)
**GitHub Token** (Optional)
- Create: https://github.com/settings/tokens (public_repo scope)
- Benefit: Enhanced PoC analysis and exploit indicators
**LLM APIs** (Optional)
- **Local Ollama**: No setup required (default) - runs locally
- **OpenAI**: Get key from https://platform.openai.com/api-keys
- **Anthropic**: Get key from https://console.anthropic.com/
## 🧠 AI-Enhanced Rule Generation
### How It Works
1. **CVE Analysis**: Extract vulnerability details from NVD data
2. **PoC Collection**: Gather exploit code from nomi-sec, GitHub, ExploitDB
3. **Quality Assessment**: Score PoCs based on stars, recency, completeness
4. **AI Enhancement**: LLM analyzes actual exploit code to create detection logic
5. **SIGMA Generation**: Produce valid, tested SIGMA rules with proper syntax
6. **Multi-Variant Output**: Generate template, LLM, and hybrid versions
### Quality Tiers
- **Excellent** (80+ pts): High-star PoCs with recent updates, detailed analysis
- **Good** (60-79 pts): Moderate quality with some validation
- **Fair** (40-59 pts): Basic PoCs with minimal indicators
- **Poor** (20-39 pts): Low-quality or outdated PoCs
- **Very Poor** (<20 pts): Minimal or unreliable PoCs
### Rule Variants Generated
- 🤖 **AI-Enhanced** (`rule_llm_*.sigma`): LLM analysis of actual exploit code
- 🔧 **Template-Based** (`rule_template.sigma`): Pattern-based generation
- ⚡ **Hybrid** (`rule_hybrid.sigma`): Best of both approaches
## 📊 Advanced Features
### Search & Analytics
```bash
# Check Ollama
curl http://localhost:11434/api/tags
# Complex CVE searches
./cli/sigma_cli.py search cve "remote code execution" \
--year 2024 --severity critical --has-poc --has-rules --limit 50
# Test LLM status
curl http://localhost:8000/api/llm-status
# Rule analysis
./cli/sigma_cli.py search rules "powershell" \
--rule-type process --method llm --limit 20
# Switch providers
curl -X POST http://localhost:8000/api/llm-switch \
-H "Content-Type: application/json" \
-d '{"provider": "ollama", "model": "llama3.2"}'
# Comprehensive statistics
./cli/sigma_cli.py stats overview # Overall system stats
./cli/sigma_cli.py stats poc --year 2024 # PoC coverage analysis
./cli/sigma_cli.py stats rules --method llm # AI generation statistics
```
## 📊 Architecture
### Export & Integration
```bash
# Export for SIEM integration
./cli/sigma_cli.py export sigma ./siem-rules \
--format yaml --year 2024 --method llm
- **Backend**: FastAPI + SQLAlchemy ORM
- **Frontend**: React + Tailwind CSS
- **Database**: PostgreSQL with enhanced schema
- **Cache**: Redis (optional)
- **LLM**: Ollama container + multi-provider support
- **Deployment**: Docker Compose
# Metadata for analysis
./cli/sigma_cli.py export metadata ./analysis/cve-data.csv \
--format csv --year 2024
### Enhanced Database Schema
- **CVEs**: PoC metadata, bulk processing fields
- **SIGMA Rules**: Quality scoring, nomi-sec data
- **Rule Templates**: Pattern templates for generation
- **Bulk Jobs**: Job tracking and status
# Consolidated ruleset
./cli/sigma_cli.py export ruleset ./complete-rules.json \
--year 2024 --include-metadata
```
## 🛠️ Development & Legacy Support
### CLI Development
The new CLI system is built with:
- **Click**: Professional CLI framework
- **Modular Commands**: Separate modules for each command group
- **Async Processing**: Efficient handling of bulk operations
- **File-Based Storage**: Git-friendly YAML and JSON formats
### Legacy Web Interface (Optional)
The original web interface is still available for migration purposes:
```bash
# Start legacy web interface (if needed for migration)
docker-compose up -d db redis backend frontend
# Access points:
# - Frontend: http://localhost:3000
# - API: http://localhost:8000
# - Flower (Celery): http://localhost:5555
```
### Migration Path
1. **Export Data**: Use CLI migration tools to export from database
2. **Validate**: Verify all data transferred correctly
3. **Switch**: Use CLI for all new operations
4. **Cleanup**: Optionally remove web components
## 🔧 Troubleshooting
### Common Issues
**CVE Fetch Issues**
- Verify NVD API key in `.env`
- Check API connectivity: Use "Test NVD API" button
- Review logs: `docker-compose logs -f backend`
**CLI Import Errors**
- Ensure you're running from project root directory
- Install dependencies: `pip install -r cli/requirements.txt`
- Check Python version (3.8+ required)
**CVE Processing Failures**
- Verify NVD API key in configuration
- Check network connectivity and rate limits
- Use `--verbose` flag for detailed logging
**No Rules Generated**
- Ensure LLM provider is accessible
- Check `/api/llm-status` for provider health
- Verify PoC data quality in CVE details
- Ensure LLM provider is accessible (test with `./cli/sigma_cli.py stats overview`)
- Check PoC data availability with `--has-poc` filter
- Verify API keys for external LLM providers
**Performance Issues**
- Start with recent years (2020+) for faster initial setup
- Use smaller batch sizes for bulk operations
- Monitor system resources during processing
**File Permission Issues**
- Ensure write permissions to `cves/` directory
- Check CLI executable permissions: `chmod +x cli/sigma_cli.py`
**Port Conflicts**
- Default ports: 3000 (frontend), 8000 (backend), 5432 (db)
- Modify `docker-compose.yml` if ports are in use
### Performance Optimization
- Use `--batch-size` parameter for large datasets
- Process recent years first (2020+) for faster initial results
- Use `incremental` processing for regular updates
- Monitor system resources during bulk operations
### Rate Limits
- **NVD API**: 5/30s (no key) → 50/30s (with key)
- **nomi-sec API**: 1/second (built-in limiting)
- **GitHub API**: 60/hour (no token) → 5000/hour (with token)
## 🛡️ Security Best Practices
## 🛡️ Security
- Store API keys in configuration file (`~/.sigma-cli/config.yaml`)
- Validate generated rules before production deployment
- Rules marked as "experimental" require analyst review
- Use version control to track rule changes and improvements
- Regularly update PoC data sources for current threat landscape
- Store API keys in environment variables
- Validate generated rules before production deployment
- Rules marked as "experimental" - require analyst review
- Use strong database passwords in production
## 📈 Monitoring
## 📈 Monitoring & Maintenance
```bash
# View logs
docker-compose logs -f backend
docker-compose logs -f frontend
# System health checks
./cli/sigma_cli.py stats overview # Overall system status
./cli/sigma_cli.py migrate validate # Data integrity check
# Check service health
docker-compose ps
# Regular maintenance
./cli/sigma_cli.py process incremental --days 7 # Weekly updates
./cli/sigma_cli.py generate regenerate --filter-quality excellent # Refresh high-quality rules
# Monitor bulk jobs
curl http://localhost:8000/api/bulk-status
# Performance monitoring
./cli/sigma_cli.py stats rules --year 2024 # Generation statistics
./cli/sigma_cli.py stats poc --year 2024 # Coverage analysis
```
## 🗺️ Roadmap
- [ ] Custom rule template editor
**CLI Enhancements**
- [ ] Rule quality scoring and validation
- [ ] Custom template editor
- [ ] Integration with popular SIEM platforms
- [ ] Advanced MITRE ATT&CK mapping
- [ ] SIEM platform export
- [ ] ML-based rule optimization
- [ ] Threat intelligence integration
- [ ] Threat intelligence feed integration
**Export Features**
- [ ] Splunk app export format
- [ ] Elastic Stack integration
- [ ] QRadar rule format
- [ ] YARA rule generation
- [ ] IOC extraction
## 📝 License
@ -254,13 +370,34 @@ MIT License - see LICENSE file for details.
## 🤝 Contributing
1. Fork repository
2. Create feature branch
3. Add tests and documentation
4. Submit pull request
1. Fork the repository
2. Create a feature branch (`git checkout -b feature/amazing-feature`)
3. Test with both CLI and legacy systems
4. Add tests and documentation
5. Submit a pull request
## 📞 Support
- Check troubleshooting section
- Review application logs
- Open GitHub issue for bugs/questions
**CLI Issues**
- Check `cli/README.md` for detailed CLI documentation
- Use `--verbose` flag for debugging
- Ensure proper configuration in `~/.sigma-cli/config.yaml`
**General Support**
- Review troubleshooting section above
- Check application logs with `--verbose`
- Open GitHub issue with specific error details
---
## 🎉 **What's New in v2.0**
**Complete CLI System** - Professional command-line interface
**File-Based Storage** - Git-friendly YAML and JSON files
**Multiple Rule Variants** - Template, AI, and hybrid generation
**Advanced Search** - Complex filtering and analytics
**Export Tools** - Multiple output formats for different workflows
**Migration Tools** - Seamless transition from web application
**Portable Architecture** - No database dependency, runs anywhere
**Perfect for cybersecurity teams who want production-ready SIGMA rules with version control integration! 🚀**

220
cli/README.md Normal file
View file

@ -0,0 +1,220 @@
# SIGMA CLI - CVE-SIGMA Auto Generator
A command-line interface for processing CVEs and generating SIGMA detection rules in a file-based directory structure.
## Quick Start
```bash
# Make CLI executable
chmod +x cli/sigma_cli.py
# Initialize configuration
./cli/sigma_cli.py config-init
# Migrate data from existing database (if applicable)
./cli/sigma_cli.py migrate from-database
# Process CVEs for a specific year
./cli/sigma_cli.py process year 2024
# Generate rules for a specific CVE
./cli/sigma_cli.py generate cve CVE-2024-0001
# Search CVEs
./cli/sigma_cli.py search cve "buffer overflow"
# View statistics
./cli/sigma_cli.py stats overview
# Export rules
./cli/sigma_cli.py export sigma ./output/rules
```
## Directory Structure
```
auto_sigma_rule_generator/
├── cves/
│ ├── 2024/
│ │ ├── CVE-2024-0001/
│ │ │ ├── metadata.json
│ │ │ ├── rule_template.sigma
│ │ │ ├── rule_llm_openai.sigma
│ │ │ └── poc_analysis.json
│ │ └── CVE-2024-0002/...
│ └── 2023/...
├── cli/
│ ├── sigma_cli.py (main CLI)
│ ├── commands/ (command modules)
│ └── config/ (CLI configuration)
└── reports/ (generated reports)
```
## Available Commands
### Process Commands
- `process year <year>` - Process all CVEs for a year
- `process cve <cve-id>` - Process specific CVE
- `process bulk` - Bulk process multiple years
- `process incremental` - Process recent changes
### Generate Commands
- `generate cve <cve-id>` - Generate rules for CVE
- `generate regenerate` - Regenerate existing rules
### Search Commands
- `search cve <pattern>` - Search CVEs
- `search rules <pattern>` - Search SIGMA rules
### Statistics Commands
- `stats overview` - General statistics
- `stats poc` - PoC coverage statistics
- `stats rules` - Rule generation statistics
### Export Commands
- `export sigma <dir>` - Export SIGMA rules
- `export metadata <file>` - Export CVE metadata
### Migration Commands
- `migrate from-database` - Migrate from web app database
- `migrate validate` - Validate migrated data
## Configuration
Edit `~/.sigma-cli/config.yaml` to configure API keys and settings:
```yaml
api_keys:
nvd_api_key: "your-nvd-key"
github_token: "your-github-token"
openai_api_key: "your-openai-key"
anthropic_api_key: "your-anthropic-key"
llm_settings:
default_provider: "ollama"
default_model: "llama3.2"
ollama_base_url: "http://localhost:11434"
processing:
default_batch_size: 50
default_methods: ["template"]
```
## Installation
```bash
# Install dependencies
pip install -r cli/requirements.txt
# Or if you're in a virtual environment
python -m venv venv
source venv/bin/activate # On Windows: venv\\Scripts\\activate
pip install -r cli/requirements.txt
```
## Examples
### Migration from Web Application
```bash
# Migrate existing data
./cli/sigma_cli.py migrate from-database --database-url "postgresql://user:pass@localhost:5432/db"
# Validate migration
./cli/sigma_cli.py migrate validate
# Check migration statistics
./cli/sigma_cli.py stats overview
```
### Processing CVEs
```bash
# Process a specific year with multiple methods
./cli/sigma_cli.py process year 2024 --method template --method llm
# Process a specific CVE with force regeneration
./cli/sigma_cli.py process cve CVE-2024-12345 --force
# Bulk process with specific batch size
./cli/sigma_cli.py process bulk --start-year 2020 --end-year 2024 --batch-size 100
```
### Searching and Analysis
```bash
# Search for CVEs with specific patterns
./cli/sigma_cli.py search cve "remote code execution" --severity critical --has-poc
# Search SIGMA rules
./cli/sigma_cli.py search rules "powershell" --method llm
# Generate comprehensive statistics
./cli/sigma_cli.py stats overview --year 2024 --output ./reports/2024-stats.json
```
### Exporting Data
```bash
# Export all SIGMA rules as YAML
./cli/sigma_cli.py export sigma ./output/sigma-rules --format yaml
# Export CVE metadata as CSV
./cli/sigma_cli.py export metadata ./reports/cve-data.csv --format csv
# Export specific year and method
./cli/sigma_cli.py export sigma ./output/2024-llm-rules --year 2024 --method llm
```
## File Formats
### metadata.json Structure
```json
{
"cve_info": {
"cve_id": "CVE-2024-0001",
"description": "...",
"cvss_score": 9.8,
"severity": "critical"
},
"poc_data": {
"poc_count": 3,
"poc_data": {...}
},
"rule_generation": {
"template": {"generated_at": "..."},
"llm_openai": {"generated_at": "..."}
}
}
```
### SIGMA Rule Files
- `rule_template.sigma` - Template-based generation
- `rule_llm_openai.sigma` - OpenAI LLM generation
- `rule_llm_anthropic.sigma` - Anthropic LLM generation
- `rule_hybrid.sigma` - Hybrid generation method
## Development
The CLI is built using Click and follows a modular command structure:
- `sigma_cli.py` - Main CLI entry point
- `commands/base_command.py` - Base functionality
- `commands/process_commands.py` - CVE processing
- `commands/migrate_commands.py` - Database migration
- `commands/search_commands.py` - Search functionality
- `commands/stats_commands.py` - Statistics generation
- `commands/export_commands.py` - Data export
## Troubleshooting
### Common Issues
1. **Import errors**: Make sure you're running from the project root
2. **Permission errors**: Ensure directories are writable
3. **Database connection**: Check DATABASE_URL environment variable
4. **API limits**: Configure API keys for higher rate limits
### Debug Mode
```bash
# Enable verbose logging
./cli/sigma_cli.py --verbose <command>
# Check configuration
./cli/sigma_cli.py config-init
```

21
cli/commands/__init__.py Normal file
View file

@ -0,0 +1,21 @@
"""
CLI Commands Package
Contains all command implementations for the SIGMA CLI tool.
"""
from .process_commands import ProcessCommands
from .generate_commands import GenerateCommands
from .search_commands import SearchCommands
from .stats_commands import StatsCommands
from .export_commands import ExportCommands
from .migrate_commands import MigrateCommands
__all__ = [
'ProcessCommands',
'GenerateCommands',
'SearchCommands',
'StatsCommands',
'ExportCommands',
'MigrateCommands'
]

226
cli/commands/base_command.py Normal file
View file

@ -0,0 +1,226 @@
"""
Base Command Class
Provides common functionality for all CLI command classes.
"""
import json
import logging
from pathlib import Path
from datetime import datetime
from typing import Dict, List, Optional, Any
import yaml
logger = logging.getLogger(__name__)
class BaseCommand:
"""Base class for all CLI commands"""
def __init__(self, config):
self.config = config
self.logger = logger
def get_cve_directory(self, cve_id: str) -> Path:
"""Get the directory path for a specific CVE"""
year = cve_id.split('-')[1] # Extract year from CVE-YYYY-NNNN
return self.config.cves_dir / year / cve_id
def ensure_cve_directory(self, cve_id: str) -> Path:
"""Ensure CVE directory exists and return its path"""
cve_dir = self.get_cve_directory(cve_id)
cve_dir.mkdir(parents=True, exist_ok=True)
return cve_dir
def load_cve_metadata(self, cve_id: str) -> Optional[Dict]:
"""Load metadata for a specific CVE"""
cve_dir = self.get_cve_directory(cve_id)
metadata_file = cve_dir / "metadata.json"
if not metadata_file.exists():
return None
try:
with open(metadata_file, 'r') as f:
return json.load(f)
except Exception as e:
self.logger.error(f"Error loading metadata for {cve_id}: {e}")
return None
def save_cve_metadata(self, cve_id: str, metadata: Dict) -> bool:
"""Save metadata for a specific CVE"""
cve_dir = self.ensure_cve_directory(cve_id)
metadata_file = cve_dir / "metadata.json"
# Update timestamps
if 'updated_at' not in metadata:
metadata['updated_at'] = datetime.utcnow().isoformat()
try:
with open(metadata_file, 'w') as f:
json.dump(metadata, f, indent=2, default=str)
return True
except Exception as e:
self.logger.error(f"Error saving metadata for {cve_id}: {e}")
return False
def list_cve_rules(self, cve_id: str) -> List[str]:
"""List all SIGMA rule files for a CVE"""
cve_dir = self.get_cve_directory(cve_id)
if not cve_dir.exists():
return []
rule_files = []
for file in cve_dir.glob("rule_*.sigma"):
rule_files.append(file.name)
return sorted(rule_files)
def load_sigma_rule(self, cve_id: str, rule_file: str) -> Optional[str]:
"""Load a specific SIGMA rule file content"""
cve_dir = self.get_cve_directory(cve_id)
rule_path = cve_dir / rule_file
if not rule_path.exists():
return None
try:
with open(rule_path, 'r') as f:
return f.read()
except Exception as e:
self.logger.error(f"Error loading rule {rule_file} for {cve_id}: {e}")
return None
def save_sigma_rule(self, cve_id: str, rule_file: str, content: str) -> bool:
"""Save a SIGMA rule file"""
cve_dir = self.ensure_cve_directory(cve_id)
rule_path = cve_dir / rule_file
try:
with open(rule_path, 'w') as f:
f.write(content)
# Update metadata to track this rule file
metadata = self.load_cve_metadata(cve_id) or {}
if 'file_manifest' not in metadata:
metadata['file_manifest'] = []
if rule_file not in metadata['file_manifest']:
metadata['file_manifest'].append(rule_file)
# Update rule generation info
if 'rule_generation' not in metadata:
metadata['rule_generation'] = {}
method = rule_file.replace('rule_', '').replace('.sigma', '')
metadata['rule_generation'][method] = {
'generated_at': datetime.utcnow().isoformat(),
'file': rule_file
}
self.save_cve_metadata(cve_id, metadata)
return True
except Exception as e:
self.logger.error(f"Error saving rule {rule_file} for {cve_id}: {e}")
return False
def get_all_cves(self, year: Optional[int] = None) -> List[str]:
"""Get list of all CVEs, optionally filtered by year"""
cves = []
if year:
year_dir = self.config.cves_dir / str(year)
if year_dir.exists():
for cve_dir in year_dir.iterdir():
if cve_dir.is_dir() and cve_dir.name.startswith('CVE-'):
cves.append(cve_dir.name)
else:
# Get all CVEs across all years
for year_dir in self.config.cves_dir.iterdir():
if year_dir.is_dir() and year_dir.name.isdigit():
for cve_dir in year_dir.iterdir():
if cve_dir.is_dir() and cve_dir.name.startswith('CVE-'):
cves.append(cve_dir.name)
return sorted(cves)
def get_years_with_data(self) -> List[int]:
"""Get list of years that have CVE data"""
years = []
for year_dir in self.config.cves_dir.iterdir():
if year_dir.is_dir() and year_dir.name.isdigit():
# Check if year directory has any CVE subdirectories
has_cves = any(
cve_dir.is_dir() and cve_dir.name.startswith('CVE-')
for cve_dir in year_dir.iterdir()
)
if has_cves:
years.append(int(year_dir.name))
return sorted(years)
def validate_cve_id(self, cve_id: str) -> bool:
"""Validate CVE ID format"""
import re
pattern = r'^CVE-\d{4}-\d{4,}$'
return bool(re.match(pattern, cve_id))
def print_table(self, headers: List[str], rows: List[List[str]], title: Optional[str] = None):
"""Print a formatted table"""
import click
if title:
click.echo(f"\n{title}")
click.echo("=" * len(title))
if not rows:
click.echo("No data found.")
return
# Calculate column widths
widths = [len(h) for h in headers]
for row in rows:
for i, cell in enumerate(row):
if i < len(widths):
widths[i] = max(widths[i], len(str(cell)))
# Print headers
header_line = " | ".join(h.ljust(w) for h, w in zip(headers, widths))
click.echo(header_line)
click.echo("-" * len(header_line))
# Print rows
for row in rows:
row_line = " | ".join(str(cell).ljust(w) for cell, w in zip(row, widths))
click.echo(row_line)
def format_json_output(self, data: Any, pretty: bool = True) -> str:
"""Format data as JSON"""
if pretty:
return json.dumps(data, indent=2, default=str)
else:
return json.dumps(data, default=str)
def format_yaml_output(self, data: Any) -> str:
"""Format data as YAML"""
return yaml.dump(data, default_flow_style=False)
def success(self, message: str):
"""Print success message"""
import click
click.echo(click.style(f"{message}", fg='green'))
def error(self, message: str):
"""Print error message"""
import click
click.echo(click.style(f"{message}", fg='red'), err=True)
def warning(self, message: str):
"""Print warning message"""
import click
click.echo(click.style(f"{message}", fg='yellow'))
def info(self, message: str):
"""Print info message"""
import click
click.echo(click.style(f" {message}", fg='blue'))

282
cli/commands/export_commands.py Normal file
View file

@ -0,0 +1,282 @@
"""
Export Commands
Commands for exporting SIGMA rules and CVE data in various formats.
"""
import json
import csv
import shutil
from pathlib import Path
from typing import Dict, List, Optional
from .base_command import BaseCommand
class ExportCommands(BaseCommand):
"""Commands for exporting data"""
async def export_sigma_rules(self, output_dir: str, year: Optional[int],
format_type: str, method: Optional[str]):
"""Export SIGMA rules to a directory"""
output_path = Path(output_dir)
output_path.mkdir(parents=True, exist_ok=True)
self.info(f"Exporting SIGMA rules to: {output_path}")
self.info(f"Format: {format_type}")
if year:
self.info(f"Filtering by year: {year}")
if method:
self.info(f"Filtering by method: {method}")
# Get CVEs to export
cves = self.get_all_cves(year)
if not cves:
self.warning("No CVEs found to export")
return
exported_count = 0
skipped_count = 0
for cve_id in cves:
try:
rules = self.list_cve_rules(cve_id)
if method:
# Filter rules by method
rules = [r for r in rules if method.lower() in r.lower()]
if not rules:
skipped_count += 1
continue
# Create CVE directory in export location
cve_export_dir = output_path / cve_id
cve_export_dir.mkdir(exist_ok=True)
for rule_file in rules:
rule_content = self.load_sigma_rule(cve_id, rule_file)
if not rule_content:
continue
if format_type == 'yaml':
# Export as YAML (original format)
export_file = cve_export_dir / rule_file
with open(export_file, 'w') as f:
f.write(rule_content)
elif format_type == 'json':
# Convert YAML to JSON (basic conversion)
try:
import yaml
rule_dict = yaml.safe_load(rule_content)
export_file = cve_export_dir / rule_file.replace('.sigma', '.json')
with open(export_file, 'w') as f:
json.dump(rule_dict, f, indent=2)
except Exception as e:
self.error(f"Error converting {rule_file} to JSON: {e}")
continue
exported_count += 1
# Export metadata for context
metadata = self.load_cve_metadata(cve_id)
if metadata:
metadata_file = cve_export_dir / "metadata.json"
with open(metadata_file, 'w') as f:
json.dump(metadata, f, indent=2, default=str)
if exported_count % 50 == 0:
self.info(f"Exported {exported_count} rules...")
except Exception as e:
self.error(f"Error exporting rules for {cve_id}: {e}")
skipped_count += 1
self.success(f"Export completed!")
self.success(f"Exported {exported_count} rules from {len(cves) - skipped_count} CVEs")
self.success(f"Skipped {skipped_count} CVEs (no matching rules)")
async def export_metadata(self, output_file: str, year: Optional[int], format_type: str):
"""Export CVE metadata"""
output_path = Path(output_file)
output_path.parent.mkdir(parents=True, exist_ok=True)
self.info(f"Exporting CVE metadata to: {output_path}")
self.info(f"Format: {format_type}")
if year:
self.info(f"Filtering by year: {year}")
# Get CVEs to export
cves = self.get_all_cves(year)
if not cves:
self.warning("No CVEs found to export")
return
metadata_list = []
for cve_id in cves:
try:
metadata = self.load_cve_metadata(cve_id)
if not metadata:
continue
# Flatten metadata for export
export_record = self._flatten_metadata(metadata)
export_record['rules_count'] = len(self.list_cve_rules(cve_id))
metadata_list.append(export_record)
except Exception as e:
self.error(f"Error processing metadata for {cve_id}: {e}")
if not metadata_list:
self.warning("No metadata found to export")
return
# Export in requested format
try:
if format_type == 'json':
with open(output_path, 'w') as f:
json.dump(metadata_list, f, indent=2, default=str)
elif format_type == 'csv':
if metadata_list:
fieldnames = metadata_list[0].keys()
with open(output_path, 'w', newline='') as f:
writer = csv.DictWriter(f, fieldnames=fieldnames)
writer.writeheader()
writer.writerows(metadata_list)
self.success(f"Exported metadata for {len(metadata_list)} CVEs")
except Exception as e:
self.error(f"Error writing export file: {e}")
def _flatten_metadata(self, metadata: Dict) -> Dict:
"""Flatten nested metadata structure for export"""
flattened = {}
# CVE info fields
cve_info = metadata.get('cve_info', {})
flattened.update({
'cve_id': cve_info.get('cve_id'),
'description': cve_info.get('description'),
'cvss_score': cve_info.get('cvss_score'),
'severity': cve_info.get('severity'),
'published_date': cve_info.get('published_date'),
'modified_date': cve_info.get('modified_date'),
'affected_products_count': len(cve_info.get('affected_products', [])),
'reference_urls_count': len(cve_info.get('reference_urls', []))
})
# PoC data fields
poc_data = metadata.get('poc_data', {})
flattened.update({
'poc_count': poc_data.get('poc_count', 0),
'has_nomi_sec_pocs': bool(poc_data.get('poc_data', {}).get('nomi_sec')),
'has_github_pocs': bool(poc_data.get('poc_data', {}).get('github')),
'has_exploitdb_pocs': bool(poc_data.get('poc_data', {}).get('exploitdb'))
})
# Processing fields
processing = metadata.get('processing', {})
flattened.update({
'data_source': processing.get('data_source'),
'bulk_processed': processing.get('bulk_processed', False),
'reference_sync_status': processing.get('reference_sync_status')
})
# Rule generation fields
rule_generation = metadata.get('rule_generation', {})
generation_methods = list(rule_generation.keys())
flattened.update({
'generation_methods': ','.join(generation_methods),
'generation_methods_count': len(generation_methods),
'has_template_rule': 'template' in generation_methods,
'has_llm_rule': any('llm' in method for method in generation_methods),
'has_hybrid_rule': 'hybrid' in generation_methods
})
# Timestamps
flattened.update({
'created_at': metadata.get('created_at'),
'updated_at': metadata.get('updated_at'),
'migrated_at': metadata.get('migrated_at')
})
return flattened
async def export_ruleset(self, output_file: str, year: Optional[int],
method: Optional[str], include_metadata: bool = True):
"""Export consolidated ruleset file"""
output_path = Path(output_file)
output_path.parent.mkdir(parents=True, exist_ok=True)
self.info(f"Creating consolidated ruleset: {output_path}")
if year:
self.info(f"Including year: {year}")
if method:
self.info(f"Including method: {method}")
# Get CVEs and collect rules
cves = self.get_all_cves(year)
ruleset = {
'metadata': {
'generated_at': self.format_json_output({"timestamp": "now"})[:19] + 'Z',
'filter_year': year,
'filter_method': method,
'total_cves': len(cves),
'generator': 'CVE-SIGMA Auto Generator CLI'
},
'rules': []
}
rule_count = 0
for cve_id in cves:
try:
rules = self.list_cve_rules(cve_id)
if method:
rules = [r for r in rules if method.lower() in r.lower()]
for rule_file in rules:
rule_content = self.load_sigma_rule(cve_id, rule_file)
if not rule_content:
continue
rule_entry = {
'cve_id': cve_id,
'rule_file': rule_file,
'content': rule_content
}
if include_metadata:
metadata = self.load_cve_metadata(cve_id)
if metadata:
rule_entry['cve_metadata'] = {
'severity': metadata.get('cve_info', {}).get('severity'),
'cvss_score': metadata.get('cve_info', {}).get('cvss_score'),
'poc_count': metadata.get('poc_data', {}).get('poc_count', 0)
}
ruleset['rules'].append(rule_entry)
rule_count += 1
except Exception as e:
self.error(f"Error processing {cve_id}: {e}")
# Update metadata with actual counts
ruleset['metadata']['total_rules'] = rule_count
# Save ruleset
try:
with open(output_path, 'w') as f:
json.dump(ruleset, f, indent=2, default=str)
self.success(f"Created consolidated ruleset with {rule_count} rules")
except Exception as e:
self.error(f"Error creating ruleset file: {e}")

116
cli/commands/generate_commands.py Normal file
View file

@ -0,0 +1,116 @@
"""
Generate Commands
Commands for generating SIGMA rules for existing CVEs.
"""
import asyncio
from typing import Dict, List, Optional
from .base_command import BaseCommand
from .process_commands import ProcessCommands
class GenerateCommands(BaseCommand):
"""Commands for generating SIGMA rules"""
def __init__(self, config):
super().__init__(config)
self.process_commands = ProcessCommands(config)
async def generate_cve(self, cve_id: str, method: str, provider: Optional[str], model: Optional[str], force: bool):
"""Generate SIGMA rules for a specific CVE"""
if not self.validate_cve_id(cve_id):
self.error(f"Invalid CVE ID format: {cve_id}")
return
# Check if CVE exists
metadata = self.load_cve_metadata(cve_id)
if not metadata:
self.error(f"CVE {cve_id} not found. Run 'sigma-cli process cve {cve_id}' first to fetch data.")
return
self.info(f"Generating rules for {cve_id} using method: {method}")
if provider:
self.info(f"Using LLM provider: {provider}")
if model:
self.info(f"Using model: {model}")
# Use the process command logic
methods = [method] if method != 'all' else ['template', 'llm', 'hybrid']
success = await self.process_commands._process_single_cve(cve_id, methods, force)
if success:
rules = self.list_cve_rules(cve_id)
self.success(f"Generated {len(rules)} rules for {cve_id}")
for rule in rules:
self.info(f" - {rule}")
else:
self.error(f"Failed to generate rules for {cve_id}")
async def regenerate_rules(self, year: Optional[int], method: str, filter_quality: Optional[str]):
"""Regenerate existing SIGMA rules"""
self.info(f"Regenerating rules with method: {method}")
if year:
self.info(f"Filtering by year: {year}")
if filter_quality:
self.info(f"Filtering by quality: {filter_quality}")
# Get CVEs to regenerate
cves_to_process = []
if year:
cves = self.get_all_cves(year)
else:
cves = self.get_all_cves()
# Filter by quality if specified
for cve_id in cves:
if filter_quality:
metadata = self.load_cve_metadata(cve_id)
if metadata:
poc_data = metadata.get('poc_data', {})
# Simple quality filter based on PoC count
poc_count = poc_data.get('poc_count', 0)
quality_meets_filter = False
if filter_quality == 'excellent' and poc_count >= 5:
quality_meets_filter = True
elif filter_quality == 'good' and poc_count >= 3:
quality_meets_filter = True
elif filter_quality == 'fair' and poc_count >= 1:
quality_meets_filter = True
if quality_meets_filter:
cves_to_process.append(cve_id)
else:
cves_to_process.append(cve_id)
if not cves_to_process:
self.warning("No CVEs found matching the criteria")
return
self.info(f"Will regenerate rules for {len(cves_to_process)} CVEs")
# Regenerate rules
methods = [method] if method != 'all' else ['template', 'llm', 'hybrid']
processed = 0
failed = 0
for cve_id in cves_to_process:
try:
success = await self.process_commands._process_single_cve(cve_id, methods, True) # Force=True
if success:
processed += 1
else:
failed += 1
if (processed + failed) % 10 == 0:
self.info(f"Regenerated {processed + failed}/{len(cves_to_process)} CVEs...")
except Exception as e:
self.error(f"Error regenerating {cve_id}: {e}")
failed += 1
self.success(f"Regeneration completed!")
self.success(f"Processed: {processed}, Failed: {failed}")

379
cli/commands/migrate_commands.py Normal file
View file

@ -0,0 +1,379 @@
"""
Migration Commands
Commands for migrating data from the existing web application database
to the new file-based directory structure.
"""
import asyncio
import json
import os
import sys
from datetime import datetime
from pathlib import Path
from typing import Dict, List, Optional, Any
import click
# Import the base command class
from .base_command import BaseCommand
# Import database models from the existing backend
sys.path.insert(0, os.path.join(os.path.dirname(__file__), '..', '..', 'backend'))
class MigrateCommands(BaseCommand):
"""Commands for migrating from database to file structure"""
async def migrate_from_database(self, database_url: Optional[str], batch_size: int, dry_run: bool):
"""Migrate data from existing database to file structure"""
try:
# Import database components
from sqlalchemy import create_engine
from sqlalchemy.orm import sessionmaker
from main import CVE, SigmaRule, RuleTemplate # Import from existing main.py
# Use provided database URL or default
if not database_url:
database_url = os.getenv("DATABASE_URL", "postgresql://cve_user:cve_password@localhost:5432/cve_sigma_db")
self.info(f"Connecting to database: {database_url.split('@')[1] if '@' in database_url else database_url}")
# Create database session
engine = create_engine(database_url)
SessionLocal = sessionmaker(autocommit=False, autoflush=False, bind=engine)
db = SessionLocal()
# Get total counts
cve_count = db.query(CVE).count()
rule_count = db.query(SigmaRule).count()
template_count = db.query(RuleTemplate).count()
self.info(f"Found {cve_count} CVEs, {rule_count} SIGMA rules, {template_count} templates")
if dry_run:
self.warning("DRY RUN MODE - No files will be created")
# Show what would be migrated
sample_cves = db.query(CVE).limit(5).all()
for cve in sample_cves:
cve_dir = self.get_cve_directory(cve.cve_id)
self.info(f"Would create: {cve_dir}")
# Count rules for this CVE
rules = db.query(SigmaRule).filter(SigmaRule.cve_id == cve.cve_id).all()
self.info(f" - Would migrate {len(rules)} SIGMA rules")
return
# Migrate CVEs and rules
migrated_cves = 0
migrated_rules = 0
# Process CVEs in batches
offset = 0
while offset < cve_count:
batch_cves = db.query(CVE).offset(offset).limit(batch_size).all()
for cve in batch_cves:
try:
await self._migrate_cve(db, cve)
migrated_cves += 1
# Migrate associated rules
rules = db.query(SigmaRule).filter(SigmaRule.cve_id == cve.cve_id).all()
for rule in rules:
if await self._migrate_sigma_rule(cve.cve_id, rule):
migrated_rules += 1
if migrated_cves % 10 == 0:
self.info(f"Migrated {migrated_cves}/{cve_count} CVEs...")
except Exception as e:
self.error(f"Error migrating {cve.cve_id}: {e}")
offset += batch_size
# Migrate templates to new location
template_dir = self.config.base_dir / "backend" / "templates"
template_dir.mkdir(exist_ok=True)
templates = db.query(RuleTemplate).all()
for template in templates:
template_file = template_dir / f"{template.template_name.lower().replace(' ', '_')}.yaml"
if not template_file.exists():
try:
with open(template_file, 'w') as f:
f.write(template.template_content)
self.info(f"Migrated template: {template.template_name}")
except Exception as e:
self.error(f"Error migrating template {template.template_name}: {e}")
db.close()
self.success(f"Migration completed!")
self.success(f"Migrated {migrated_cves} CVEs and {migrated_rules} SIGMA rules")
except ImportError as e:
self.error(f"Could not import database models: {e}")
self.error("Make sure you're running from the project root directory")
except Exception as e:
self.error(f"Migration failed: {e}")
import traceback
traceback.print_exc()
async def _migrate_cve(self, db, cve) -> bool:
"""Migrate a single CVE to file structure"""
try:
# Create CVE metadata
metadata = {
"cve_info": {
"cve_id": cve.cve_id,
"description": cve.description,
"cvss_score": float(cve.cvss_score) if cve.cvss_score else None,
"severity": cve.severity,
"published_date": cve.published_date.isoformat() if cve.published_date else None,
"modified_date": cve.modified_date.isoformat() if cve.modified_date else None,
"affected_products": cve.affected_products or [],
"reference_urls": cve.reference_urls or []
},
"poc_data": {
"poc_count": getattr(cve, 'poc_count', 0),
"poc_data": getattr(cve, 'poc_data', {}),
"nomi_sec_data": getattr(cve, 'poc_data', {}).get('nomi_sec', []) if getattr(cve, 'poc_data', {}) else [],
"github_pocs": getattr(cve, 'poc_data', {}).get('github', []) if getattr(cve, 'poc_data', {}) else []
},
"processing": {
"data_source": getattr(cve, 'data_source', 'nvd_api'),
"bulk_processed": getattr(cve, 'bulk_processed', False),
"reference_sync_status": getattr(cve, 'reference_sync_status', 'pending')
},
"file_manifest": [],
"rule_generation": {},
"created_at": cve.created_at.isoformat() if cve.created_at else datetime.utcnow().isoformat(),
"updated_at": datetime.utcnow().isoformat(),
"migrated_at": datetime.utcnow().isoformat()
}
# Save PoC analysis if available
if hasattr(cve, 'poc_data') and cve.poc_data:
cve_dir = self.ensure_cve_directory(cve.cve_id)
poc_analysis_file = cve_dir / "poc_analysis.json"
with open(poc_analysis_file, 'w') as f:
json.dump(cve.poc_data, f, indent=2, default=str)
metadata["file_manifest"].append("poc_analysis.json")
# Save metadata
return self.save_cve_metadata(cve.cve_id, metadata)
except Exception as e:
self.error(f"Error migrating CVE {cve.cve_id}: {e}")
return False
async def _migrate_sigma_rule(self, cve_id: str, rule) -> bool:
"""Migrate a single SIGMA rule to file structure"""
try:
# Determine rule filename based on generation method/source
if hasattr(rule, 'poc_source') and rule.poc_source:
if 'llm' in rule.poc_source.lower() or 'openai' in rule.poc_source.lower():
filename = "rule_llm_openai.sigma"
elif 'anthropic' in rule.poc_source.lower():
filename = "rule_llm_anthropic.sigma"
elif 'hybrid' in rule.poc_source.lower():
filename = "rule_hybrid.sigma"
else:
filename = "rule_template.sigma"
else:
# Default to template-based
filename = "rule_template.sigma"
# Check if we already have a rule with this name, if so append a suffix
existing_rules = self.list_cve_rules(cve_id)
if filename in existing_rules:
base_name = filename.replace('.sigma', '')
counter = 1
while f"{base_name}_{counter}.sigma" in existing_rules:
counter += 1
filename = f"{base_name}_{counter}.sigma"
# Save the rule content
if self.save_sigma_rule(cve_id, filename, rule.rule_content):
# Update metadata with additional rule information
metadata = self.load_cve_metadata(cve_id)
if metadata:
rule_info = {
"rule_name": rule.rule_name,
"detection_type": getattr(rule, 'detection_type', ''),
"log_source": getattr(rule, 'log_source', ''),
"confidence_level": getattr(rule, 'confidence_level', ''),
"auto_generated": getattr(rule, 'auto_generated', True),
"exploit_based": getattr(rule, 'exploit_based', False),
"poc_source": getattr(rule, 'poc_source', 'template'),
"poc_quality_score": getattr(rule, 'poc_quality_score', 0),
"github_repos": getattr(rule, 'github_repos', []),
"created_at": rule.created_at.isoformat() if rule.created_at else None,
"migrated_at": datetime.utcnow().isoformat()
}
method_key = filename.replace('rule_', '').replace('.sigma', '')
if 'rule_generation' not in metadata:
metadata['rule_generation'] = {}
metadata['rule_generation'][method_key] = rule_info
self.save_cve_metadata(cve_id, metadata)
return True
except Exception as e:
self.error(f"Error migrating rule for {cve_id}: {e}")
return False
return False
async def validate_migration(self, year: Optional[int] = None):
"""Validate migrated data integrity"""
self.info("Validating migrated data...")
issues = []
validated_cves = 0
validated_rules = 0
# Get CVEs to validate
cves_to_check = self.get_all_cves(year)
for cve_id in cves_to_check:
try:
# Check if metadata exists and is valid
metadata = self.load_cve_metadata(cve_id)
if not metadata:
issues.append(f"{cve_id}: Missing metadata.json")
continue
# Validate required metadata fields
required_fields = ['cve_info', 'poc_data', 'processing']
for field in required_fields:
if field not in metadata:
issues.append(f"{cve_id}: Missing metadata field '{field}'")
# Validate CVE info
if 'cve_info' in metadata:
cve_info = metadata['cve_info']
if not cve_info.get('cve_id'):
issues.append(f"{cve_id}: Missing cve_id in metadata")
elif cve_info['cve_id'] != cve_id:
issues.append(f"{cve_id}: CVE ID mismatch in metadata")
# Validate file manifest
file_manifest = metadata.get('file_manifest', [])
cve_dir = self.get_cve_directory(cve_id)
for file_name in file_manifest:
file_path = cve_dir / file_name
if not file_path.exists():
issues.append(f"{cve_id}: Referenced file '{file_name}' does not exist")
# Check for SIGMA rule files
rule_files = self.list_cve_rules(cve_id)
for rule_file in rule_files:
rule_content = self.load_sigma_rule(cve_id, rule_file)
if not rule_content:
issues.append(f"{cve_id}: Could not load rule file '{rule_file}'")
elif not rule_content.strip():
issues.append(f"{cve_id}: Empty rule file '{rule_file}'")
else:
# Basic YAML validation for SIGMA rules
if not rule_content.strip().startswith('title:'):
issues.append(f"{cve_id}: Rule '{rule_file}' doesn't appear to be valid SIGMA format")
validated_rules += 1
validated_cves += 1
if validated_cves % 100 == 0:
self.info(f"Validated {validated_cves} CVEs...")
except Exception as e:
issues.append(f"{cve_id}: Validation error - {e}")
# Print validation results
self.info(f"\nValidation completed:")
self.info(f"- Validated {validated_cves} CVEs")
self.info(f"- Validated {validated_rules} SIGMA rules")
if issues:
self.warning(f"Found {len(issues)} validation issues:")
for issue in issues[:20]: # Show first 20 issues
self.error(f" {issue}")
if len(issues) > 20:
self.warning(f" ... and {len(issues) - 20} more issues")
else:
self.success("No validation issues found!")
async def cleanup_migration(self):
"""Clean up migration artifacts and temporary files"""
self.info("Cleaning up migration artifacts...")
# Remove empty directories
for year_dir in self.config.cves_dir.iterdir():
if year_dir.is_dir():
for cve_dir in year_dir.iterdir():
if cve_dir.is_dir():
# Check if directory is empty
if not any(cve_dir.iterdir()):
cve_dir.rmdir()
self.info(f"Removed empty directory: {cve_dir}")
# Check if year directory is now empty
if not any(year_dir.iterdir()):
year_dir.rmdir()
self.info(f"Removed empty year directory: {year_dir}")
self.success("Cleanup completed!")
async def migration_stats(self):
"""Show migration statistics"""
self.info("Migration Statistics:")
years = self.get_years_with_data()
total_cves = 0
total_rules = 0
stats_by_year = {}
for year in years:
cves = self.get_all_cves(year)
year_cves = len(cves)
year_rules = 0
for cve_id in cves:
rules = self.list_cve_rules(cve_id)
year_rules += len(rules)
stats_by_year[year] = {
'cves': year_cves,
'rules': year_rules
}
total_cves += year_cves
total_rules += year_rules
# Print statistics table
headers = ["Year", "CVEs", "Rules", "Avg Rules/CVE"]
rows = []
for year in sorted(years):
stats = stats_by_year[year]
avg_rules = stats['rules'] / stats['cves'] if stats['cves'] > 0 else 0
rows.append([
str(year),
str(stats['cves']),
str(stats['rules']),
f"{avg_rules:.1f}"
])
# Add totals
avg_total = total_rules / total_cves if total_cves > 0 else 0
rows.append(["TOTAL", str(total_cves), str(total_rules), f"{avg_total:.1f}"])
self.print_table(headers, rows, "Migration Statistics by Year")

499
cli/commands/process_commands.py Normal file
View file

@ -0,0 +1,499 @@
"""
Process Commands
Commands for processing CVEs and generating SIGMA rules in the file-based system.
"""
import asyncio
import json
import os
import sys
from datetime import datetime, timedelta
from pathlib import Path
from typing import Dict, List, Optional, Any, Tuple
import click
# Import the base command class
from .base_command import BaseCommand
# Import processing components from the existing backend
sys.path.insert(0, os.path.join(os.path.dirname(__file__), '..', '..', 'backend'))
class ProcessCommands(BaseCommand):
"""Commands for processing CVEs and generating rules"""
def __init__(self, config):
super().__init__(config)
self._initialize_processors()
def _initialize_processors(self):
"""Initialize the processing components"""
try:
# Import core processing modules
from nvd_bulk_processor import NVDBulkProcessor
from nomi_sec_client import NomiSecClient
from enhanced_sigma_generator import EnhancedSigmaGenerator
from poc_analyzer import PoCAnalyzer
from yaml_metadata_generator import YAMLMetadataGenerator
# Create processors (will be initialized per operation due to session requirements)
self.nvd_processor_class = NVDBulkProcessor
self.nomi_sec_client_class = NomiSecClient
self.sigma_generator_class = EnhancedSigmaGenerator
self.poc_analyzer = PoCAnalyzer()
self.yaml_generator_class = YAMLMetadataGenerator
except ImportError as e:
self.error(f"Could not import processing modules: {e}")
self.error("Make sure you're running from the project root directory")
sys.exit(1)
async def process_year(self, year: int, methods: List[str], force: bool, batch_size: int):
"""Process all CVEs for a specific year"""
self.info(f"Processing CVEs for year {year}")
self.info(f"Methods: {', '.join(methods)}")
self.info(f"Batch size: {batch_size}")
if force:
self.warning("Force mode enabled - will regenerate existing rules")
try:
# First, fetch/update CVE data for the year
await self._fetch_cve_data_for_year(year, batch_size)
# Get all CVEs for the year
cves = self.get_all_cves(year)
if not cves:
self.warning(f"No CVEs found for year {year}")
return
self.info(f"Found {len(cves)} CVEs for {year}")
# Process in batches
processed = 0
failed = 0
for i in range(0, len(cves), batch_size):
batch = cves[i:i+batch_size]
for cve_id in batch:
try:
success = await self._process_single_cve(cve_id, methods, force)
if success:
processed += 1
else:
failed += 1
if (processed + failed) % 10 == 0:
self.info(f"Processed {processed + failed}/{len(cves)} CVEs...")
except Exception as e:
self.error(f"Error processing {cve_id}: {e}")
failed += 1
# Small delay between batches
await asyncio.sleep(1)
self.success(f"Year {year} processing completed!")
self.success(f"Processed: {processed}, Failed: {failed}")
except Exception as e:
self.error(f"Error processing year {year}: {e}")
import traceback
traceback.print_exc()
async def process_cve(self, cve_id: str, methods: List[str], force: bool):
"""Process a specific CVE"""
if not self.validate_cve_id(cve_id):
self.error(f"Invalid CVE ID format: {cve_id}")
return
self.info(f"Processing CVE: {cve_id}")
self.info(f"Methods: {', '.join(methods)}")
try:
# First ensure we have the CVE data
year = int(cve_id.split('-')[1])
await self._fetch_specific_cve_data(cve_id, year)
# Process the CVE
success = await self._process_single_cve(cve_id, methods, force)
if success:
self.success(f"Successfully processed {cve_id}")
else:
self.error(f"Failed to process {cve_id}")
except Exception as e:
self.error(f"Error processing {cve_id}: {e}")
import traceback
traceback.print_exc()
async def process_bulk(self, start_year: int, end_year: int, methods: List[str], batch_size: int):
"""Bulk process CVEs across multiple years"""
self.info(f"Bulk processing CVEs from {start_year} to {end_year}")
self.info(f"Methods: {', '.join(methods)}")
total_processed = 0
total_failed = 0
for year in range(start_year, end_year + 1):
try:
self.info(f"\n--- Processing Year {year} ---")
year_start_processed = total_processed
await self.process_year(year, methods, False, batch_size)
# Update totals (approximate, since process_year doesn't return counts)
cves_in_year = len(self.get_all_cves(year))
total_processed += cves_in_year
except Exception as e:
self.error(f"Error processing year {year}: {e}")
total_failed += 1
self.success(f"\nBulk processing completed!")
self.success(f"Years processed: {end_year - start_year + 1}")
self.success(f"Approximate CVEs processed: {total_processed}")
async def process_incremental(self, days: int, methods: List[str]):
"""Process recently modified CVEs"""
self.info(f"Processing CVEs modified in the last {days} days")
cutoff_date = datetime.utcnow() - timedelta(days=days)
self.info(f"Cutoff date: {cutoff_date.isoformat()}")
# Find CVEs modified since cutoff date
recent_cves = []
for cve_id in self.get_all_cves():
metadata = self.load_cve_metadata(cve_id)
if metadata and 'cve_info' in metadata:
modified_date_str = metadata['cve_info'].get('modified_date')
if modified_date_str:
try:
modified_date = datetime.fromisoformat(modified_date_str.replace('Z', '+00:00'))
if modified_date >= cutoff_date:
recent_cves.append(cve_id)
except (ValueError, TypeError):
pass # Skip if date parsing fails
if not recent_cves:
self.warning("No recently modified CVEs found")
return
self.info(f"Found {len(recent_cves)} recently modified CVEs")
processed = 0
failed = 0
for cve_id in recent_cves:
try:
success = await self._process_single_cve(cve_id, methods, False)
if success:
processed += 1
else:
failed += 1
except Exception as e:
self.error(f"Error processing {cve_id}: {e}")
failed += 1
self.success(f"Incremental processing completed!")
self.success(f"Processed: {processed}, Failed: {failed}")
async def _fetch_cve_data_for_year(self, year: int, batch_size: int):
"""Fetch CVE data for a specific year from NVD"""
self.info(f"Fetching CVE data for year {year}...")
try:
# Use the existing NVD bulk processor
from main import SessionLocal # Import session factory
db_session = SessionLocal()
try:
processor = self.nvd_processor_class(db_session)
# Download and process NVD data for the year
result = await processor.download_and_process_year(year)
if result.get('success'):
self.info(f"Successfully fetched {result.get('processed_cves', 0)} CVEs for {year}")
# Convert database records to file structure
await self._sync_database_to_files(db_session, year)
else:
self.warning(f"Issues fetching CVE data for {year}: {result.get('error', 'Unknown error')}")
finally:
db_session.close()
except Exception as e:
self.error(f"Error fetching CVE data for year {year}: {e}")
async def _fetch_specific_cve_data(self, cve_id: str, year: int):
"""Fetch data for a specific CVE"""
# Check if we already have metadata for this CVE
existing_metadata = self.load_cve_metadata(cve_id)
if existing_metadata:
return # Already have the data
# Fetch from NVD if not already present
self.info(f"Fetching data for {cve_id}...")
try:
from main import SessionLocal
db_session = SessionLocal()
try:
processor = self.nvd_processor_class(db_session)
# Fetch single CVE data
result = await processor.fetch_single_cve(cve_id)
if result:
# Convert to file structure
await self._sync_single_cve_to_files(db_session, cve_id)
self.info(f"Successfully fetched data for {cve_id}")
else:
self.warning(f"Could not fetch data for {cve_id}")
finally:
db_session.close()
except Exception as e:
self.error(f"Error fetching data for {cve_id}: {e}")
async def _sync_database_to_files(self, db_session, year: int):
"""Sync database records to file structure for a specific year"""
try:
from main import CVE
# Get all CVEs for the year from database
year_pattern = f"CVE-{year}-%"
cves = db_session.query(CVE).filter(CVE.cve_id.like(year_pattern)).all()
for cve in cves:
await self._convert_cve_to_file(cve)
except Exception as e:
self.error(f"Error syncing database to files for year {year}: {e}")
async def _sync_single_cve_to_files(self, db_session, cve_id: str):
"""Sync a single CVE from database to file structure"""
try:
from main import CVE
cve = db_session.query(CVE).filter(CVE.cve_id == cve_id).first()
if cve:
await self._convert_cve_to_file(cve)
except Exception as e:
self.error(f"Error syncing {cve_id} to files: {e}")
async def _convert_cve_to_file(self, cve):
"""Convert a database CVE record to file structure"""
try:
# Create metadata structure
metadata = {
"cve_info": {
"cve_id": cve.cve_id,
"description": cve.description,
"cvss_score": float(cve.cvss_score) if cve.cvss_score else None,
"severity": cve.severity,
"published_date": cve.published_date.isoformat() if cve.published_date else None,
"modified_date": cve.modified_date.isoformat() if cve.modified_date else None,
"affected_products": cve.affected_products or [],
"reference_urls": cve.reference_urls or []
},
"poc_data": {
"poc_count": getattr(cve, 'poc_count', 0),
"poc_data": getattr(cve, 'poc_data', {}),
},
"processing": {
"data_source": getattr(cve, 'data_source', 'nvd_api'),
"bulk_processed": getattr(cve, 'bulk_processed', False),
"reference_sync_status": getattr(cve, 'reference_sync_status', 'pending')
},
"file_manifest": [],
"rule_generation": {},
"created_at": cve.created_at.isoformat() if cve.created_at else datetime.utcnow().isoformat(),
"updated_at": datetime.utcnow().isoformat()
}
# Save metadata
self.save_cve_metadata(cve.cve_id, metadata)
except Exception as e:
self.error(f"Error converting CVE {cve.cve_id} to file: {e}")
async def _process_single_cve(self, cve_id: str, methods: List[str], force: bool) -> bool:
"""Process a single CVE with specified methods"""
try:
# Load CVE metadata
metadata = self.load_cve_metadata(cve_id)
if not metadata:
self.error(f"No metadata found for {cve_id}")
return False
# Check if processing is needed
existing_rules = self.list_cve_rules(cve_id)
if existing_rules and not force:
self.info(f"Rules already exist for {cve_id}, skipping (use --force to regenerate)")
return True
success = True
# Process with each requested method
for method in methods:
if method == 'all':
# Generate with all available methods
await self._generate_template_rule(cve_id, metadata)
await self._generate_llm_rule(cve_id, metadata, 'openai')
await self._generate_llm_rule(cve_id, metadata, 'anthropic')
await self._generate_hybrid_rule(cve_id, metadata)
elif method == 'template':
await self._generate_template_rule(cve_id, metadata)
elif method == 'llm':
await self._generate_llm_rule(cve_id, metadata)
elif method == 'hybrid':
await self._generate_hybrid_rule(cve_id, metadata)
return success
except Exception as e:
self.error(f"Error processing {cve_id}: {e}")
return False
async def _generate_template_rule(self, cve_id: str, metadata: Dict) -> bool:
"""Generate template-based SIGMA rule"""
try:
from main import SessionLocal
db_session = SessionLocal()
try:
generator = self.sigma_generator_class(db_session)
# Create mock CVE object from metadata
class MockCVE:
def __init__(self, meta):
cve_info = meta.get('cve_info', {})
self.cve_id = cve_info.get('cve_id')
self.description = cve_info.get('description')
self.severity = cve_info.get('severity')
self.affected_products = cve_info.get('affected_products', [])
self.poc_data = meta.get('poc_data', {}).get('poc_data', {})
mock_cve = MockCVE(metadata)
# Generate rule using template method
rule_content = await generator._generate_template_based_rule(mock_cve, None, None)
if rule_content:
self.save_sigma_rule(cve_id, "rule_template.sigma", rule_content)
self.info(f"Generated template rule for {cve_id}")
return True
else:
self.warning(f"Failed to generate template rule for {cve_id}")
return False
finally:
db_session.close()
except Exception as e:
self.error(f"Error generating template rule for {cve_id}: {e}")
return False
async def _generate_llm_rule(self, cve_id: str, metadata: Dict, provider: str = 'openai') -> bool:
"""Generate LLM-based SIGMA rule"""
try:
from main import SessionLocal
db_session = SessionLocal()
try:
generator = self.sigma_generator_class(db_session, llm_provider=provider)
# Check if LLM is available
if not generator.llm_client.is_available():
self.warning(f"LLM provider {provider} not available for {cve_id}")
return False
# Create mock CVE object
class MockCVE:
def __init__(self, meta):
cve_info = meta.get('cve_info', {})
self.cve_id = cve_info.get('cve_id')
self.description = cve_info.get('description', '')
self.severity = cve_info.get('severity')
self.affected_products = cve_info.get('affected_products', [])
self.poc_data = meta.get('poc_data', {}).get('poc_data', {})
mock_cve = MockCVE(metadata)
# Get PoC data for enhanced generation
poc_data = metadata.get('poc_data', {}).get('poc_data', {})
best_poc = None
poc_content = ""
# Try to find best PoC content
if poc_data and 'nomi_sec' in poc_data:
nomi_pocs = poc_data['nomi_sec']
if nomi_pocs:
best_poc = nomi_pocs[0] # Use first PoC
poc_content = best_poc.get('content', '')
# Generate LLM-enhanced rule
rule_content = await generator.llm_client.generate_sigma_rule(
cve_id=cve_id,
poc_content=poc_content,
cve_description=mock_cve.description
)
if rule_content:
filename = f"rule_llm_{provider}.sigma"
self.save_sigma_rule(cve_id, filename, rule_content)
self.info(f"Generated {provider} LLM rule for {cve_id}")
return True
else:
self.warning(f"Failed to generate {provider} LLM rule for {cve_id}")
return False
finally:
db_session.close()
except Exception as e:
self.error(f"Error generating {provider} LLM rule for {cve_id}: {e}")
return False
async def _generate_hybrid_rule(self, cve_id: str, metadata: Dict) -> bool:
"""Generate hybrid SIGMA rule (template + LLM enhancement)"""
try:
# First generate template-based rule
template_success = await self._generate_template_rule(cve_id, metadata)
if not template_success:
return False
# Then enhance with LLM if available
llm_success = await self._generate_llm_rule(cve_id, metadata, 'openai')
if llm_success:
# Load both rules and create hybrid version
template_rule = self.load_sigma_rule(cve_id, "rule_template.sigma")
llm_rule = self.load_sigma_rule(cve_id, "rule_llm_openai.sigma")
if template_rule and llm_rule:
# Simple hybrid: use LLM rule but keep template metadata structure
# This is a simplified approach - could be made more sophisticated
hybrid_rule = llm_rule # For now, just use the LLM rule as hybrid
self.save_sigma_rule(cve_id, "rule_hybrid.sigma", hybrid_rule)
self.info(f"Generated hybrid rule for {cve_id}")
return True
# If LLM enhancement failed, template rule is still valid
return template_success
except Exception as e:
self.error(f"Error generating hybrid rule for {cve_id}: {e}")
return False

194
cli/commands/search_commands.py Normal file
View file

@ -0,0 +1,194 @@
"""
Search Commands
Commands for searching CVEs and SIGMA rules in the file-based system.
"""
import re
from typing import Dict, List, Optional, Tuple
from .base_command import BaseCommand
class SearchCommands(BaseCommand):
"""Commands for searching CVEs and rules"""
async def search_cves(self, pattern: str, year: Optional[int], severity: Optional[str],
has_poc: bool, has_rules: bool, limit: int):
"""Search for CVEs by pattern"""
self.info(f"Searching CVEs with pattern: '{pattern}'")
if year:
self.info(f"Filtering by year: {year}")
if severity:
self.info(f"Filtering by severity: {severity}")
if has_poc:
self.info("Only showing CVEs with PoC data")
if has_rules:
self.info("Only showing CVEs with generated rules")
# Get CVEs to search
cves_to_search = self.get_all_cves(year)
if not cves_to_search:
self.warning("No CVEs found to search")
return
matches = []
pattern_regex = re.compile(pattern, re.IGNORECASE)
for cve_id in cves_to_search:
try:
metadata = self.load_cve_metadata(cve_id)
if not metadata:
continue
cve_info = metadata.get('cve_info', {})
poc_data = metadata.get('poc_data', {})
# Apply filters
if severity and cve_info.get('severity', '').lower() != severity.lower():
continue
if has_poc and poc_data.get('poc_count', 0) == 0:
continue
if has_rules:
rules = self.list_cve_rules(cve_id)
if not rules:
continue
# Check pattern match
match_found = False
# Search in CVE ID
if pattern_regex.search(cve_id):
match_found = True
# Search in description
description = cve_info.get('description', '')
if description and pattern_regex.search(description):
match_found = True
# Search in affected products
products = cve_info.get('affected_products', [])
for product in products:
if pattern_regex.search(product):
match_found = True
break
if match_found:
rule_count = len(self.list_cve_rules(cve_id))
matches.append({
'cve_id': cve_id,
'severity': cve_info.get('severity', 'Unknown'),
'cvss_score': cve_info.get('cvss_score', 'N/A'),
'poc_count': poc_data.get('poc_count', 0),
'rule_count': rule_count,
'description': (description[:100] + '...') if len(description) > 100 else description
})
if len(matches) >= limit:
break
except Exception as e:
self.error(f"Error searching {cve_id}: {e}")
# Display results
if matches:
headers = ["CVE ID", "Severity", "CVSS", "PoCs", "Rules", "Description"]
rows = []
for match in matches:
rows.append([
match['cve_id'],
match['severity'],
str(match['cvss_score']),
str(match['poc_count']),
str(match['rule_count']),
match['description']
])
self.print_table(headers, rows, f"CVE Search Results ({len(matches)} matches)")
else:
self.warning("No matching CVEs found")
async def search_rules(self, pattern: str, rule_type: Optional[str], method: Optional[str], limit: int):
"""Search for SIGMA rules by pattern"""
self.info(f"Searching SIGMA rules with pattern: '{pattern}'")
if rule_type:
self.info(f"Filtering by rule type: {rule_type}")
if method:
self.info(f"Filtering by generation method: {method}")
matches = []
pattern_regex = re.compile(pattern, re.IGNORECASE)
# Search through all CVEs and their rules
all_cves = self.get_all_cves()
for cve_id in all_cves:
try:
rules = self.list_cve_rules(cve_id)
for rule_file in rules:
# Apply method filter
if method:
rule_method = rule_file.replace('rule_', '').replace('.sigma', '')
if method.lower() not in rule_method.lower():
continue
# Load and search rule content
rule_content = self.load_sigma_rule(cve_id, rule_file)
if not rule_content:
continue
# Apply rule type filter (search in logsource)
if rule_type:
if f'category: {rule_type}' not in rule_content.lower() and \
f'product: {rule_type}' not in rule_content.lower():
continue
# Check pattern match in rule content
if pattern_regex.search(rule_content):
# Extract rule title
title_match = re.search(r'^title:\s*(.+)$', rule_content, re.MULTILINE)
title = title_match.group(1) if title_match else 'Unknown'
# Extract detection type from logsource
logsource_match = re.search(r'category:\s*(\w+)', rule_content)
detection_type = logsource_match.group(1) if logsource_match else 'Unknown'
matches.append({
'cve_id': cve_id,
'rule_file': rule_file,
'title': title,
'detection_type': detection_type,
'method': rule_file.replace('rule_', '').replace('.sigma', '')
})
if len(matches) >= limit:
break
if len(matches) >= limit:
break
except Exception as e:
self.error(f"Error searching rules for {cve_id}: {e}")
# Display results
if matches:
headers = ["CVE ID", "Rule File", "Title", "Type", "Method"]
rows = []
for match in matches:
rows.append([
match['cve_id'],
match['rule_file'],
match['title'][:50] + '...' if len(match['title']) > 50 else match['title'],
match['detection_type'],
match['method']
])
self.print_table(headers, rows, f"SIGMA Rule Search Results ({len(matches)} matches)")
else:
self.warning("No matching rules found")

296
cli/commands/stats_commands.py Normal file
View file

@ -0,0 +1,296 @@
"""
Statistics Commands
Commands for generating statistics and reports about CVEs and SIGMA rules.
"""
import json
from datetime import datetime
from collections import defaultdict, Counter
from typing import Dict, List, Optional
from .base_command import BaseCommand
class StatsCommands(BaseCommand):
"""Commands for generating statistics"""
async def overview(self, year: Optional[int], output: Optional[str]):
"""Generate overview statistics"""
self.info("Generating overview statistics...")
# Collect statistics
stats = self._collect_overview_stats(year)
# Display overview
self._display_overview_stats(stats, year)
# Save to file if requested
if output:
try:
with open(output, 'w') as f:
json.dump(stats, f, indent=2, default=str)
self.success(f"Statistics saved to {output}")
except Exception as e:
self.error(f"Failed to save statistics: {e}")
async def poc_stats(self, year: Optional[int]):
"""Generate PoC coverage statistics"""
self.info("Generating PoC coverage statistics...")
cves = self.get_all_cves(year)
if not cves:
self.warning("No CVEs found")
return
# Collect PoC statistics
total_cves = len(cves)
cves_with_pocs = 0
poc_sources = Counter()
quality_distribution = Counter()
severity_poc_breakdown = defaultdict(lambda: {'total': 0, 'with_poc': 0})
for cve_id in cves:
try:
metadata = self.load_cve_metadata(cve_id)
if not metadata:
continue
cve_info = metadata.get('cve_info', {})
poc_data = metadata.get('poc_data', {})
severity = cve_info.get('severity', 'Unknown')
severity_poc_breakdown[severity]['total'] += 1
poc_count = poc_data.get('poc_count', 0)
if poc_count > 0:
cves_with_pocs += 1
severity_poc_breakdown[severity]['with_poc'] += 1
# Count PoC sources
if 'poc_data' in poc_data:
poc_info = poc_data['poc_data']
if 'nomi_sec' in poc_info and poc_info['nomi_sec']:
poc_sources['nomi_sec'] += len(poc_info['nomi_sec'])
if 'github' in poc_info and poc_info['github']:
poc_sources['github'] += len(poc_info['github'])
if 'exploitdb' in poc_info and poc_info['exploitdb']:
poc_sources['exploitdb'] += len(poc_info['exploitdb'])
# Quality assessment based on PoC count
if poc_count >= 5:
quality_distribution['excellent'] += 1
elif poc_count >= 3:
quality_distribution['good'] += 1
elif poc_count >= 1:
quality_distribution['fair'] += 1
except Exception as e:
self.error(f"Error processing {cve_id}: {e}")
# Display PoC statistics
coverage_percent = (cves_with_pocs / total_cves * 100) if total_cves > 0 else 0
title = f"PoC Coverage Statistics"
if year:
title += f" for {year}"
self.info(f"\n{title}")
self.info("=" * len(title))
self.info(f"Total CVEs: {total_cves}")
self.info(f"CVEs with PoCs: {cves_with_pocs}")
self.info(f"Coverage: {coverage_percent:.1f}%")
if poc_sources:
self.info(f"\nPoC Sources:")
for source, count in poc_sources.most_common():
self.info(f" {source}: {count}")
if quality_distribution:
self.info(f"\nQuality Distribution:")
for quality, count in quality_distribution.most_common():
self.info(f" {quality}: {count}")
# Severity breakdown table
if severity_poc_breakdown:
headers = ["Severity", "Total CVEs", "With PoCs", "Coverage %"]
rows = []
for severity, data in sorted(severity_poc_breakdown.items()):
coverage = (data['with_poc'] / data['total'] * 100) if data['total'] > 0 else 0
rows.append([
severity,
str(data['total']),
str(data['with_poc']),
f"{coverage:.1f}%"
])
self.print_table(headers, rows, "PoC Coverage by Severity")
async def rule_stats(self, year: Optional[int], method: Optional[str]):
"""Generate rule generation statistics"""
self.info("Generating rule generation statistics...")
cves = self.get_all_cves(year)
if not cves:
self.warning("No CVEs found")
return
# Collect rule statistics
total_cves = len(cves)
cves_with_rules = 0
method_counts = Counter()
rules_per_cve = []
for cve_id in cves:
try:
rules = self.list_cve_rules(cve_id)
if method:
# Filter rules by method
rules = [r for r in rules if method.lower() in r.lower()]
if rules:
cves_with_rules += 1
rules_per_cve.append(len(rules))
for rule_file in rules:
rule_method = rule_file.replace('rule_', '').replace('.sigma', '')
method_counts[rule_method] += 1
except Exception as e:
self.error(f"Error processing {cve_id}: {e}")
# Calculate statistics
rule_coverage = (cves_with_rules / total_cves * 100) if total_cves > 0 else 0
avg_rules_per_cve = sum(rules_per_cve) / len(rules_per_cve) if rules_per_cve else 0
total_rules = sum(method_counts.values())
# Display rule statistics
title = f"Rule Generation Statistics"
if year:
title += f" for {year}"
if method:
title += f" (method: {method})"
self.info(f"\n{title}")
self.info("=" * len(title))
self.info(f"Total CVEs: {total_cves}")
self.info(f"CVEs with rules: {cves_with_rules}")
self.info(f"Rule coverage: {rule_coverage:.1f}%")
self.info(f"Total rules: {total_rules}")
self.info(f"Average rules per CVE: {avg_rules_per_cve:.1f}")
if method_counts:
headers = ["Generation Method", "Rule Count", "% of Total"]
rows = []
for gen_method, count in method_counts.most_common():
percentage = (count / total_rules * 100) if total_rules > 0 else 0
rows.append([
gen_method,
str(count),
f"{percentage:.1f}%"
])
self.print_table(headers, rows, "Rules by Generation Method")
def _collect_overview_stats(self, year: Optional[int]) -> Dict:
"""Collect comprehensive overview statistics"""
cves = self.get_all_cves(year)
stats = {
'generated_at': datetime.utcnow().isoformat(),
'filter_year': year,
'total_cves': len(cves),
'severity_breakdown': Counter(),
'yearly_breakdown': Counter(),
'poc_stats': {
'cves_with_pocs': 0,
'total_poc_count': 0
},
'rule_stats': {
'cves_with_rules': 0,
'total_rule_count': 0,
'generation_methods': Counter()
}
}
for cve_id in cves:
try:
metadata = self.load_cve_metadata(cve_id)
if not metadata:
continue
cve_info = metadata.get('cve_info', {})
poc_data = metadata.get('poc_data', {})
# Year breakdown
cve_year = cve_id.split('-')[1]
stats['yearly_breakdown'][cve_year] += 1
# Severity breakdown
severity = cve_info.get('severity', 'Unknown')
stats['severity_breakdown'][severity] += 1
# PoC statistics
poc_count = poc_data.get('poc_count', 0)
if poc_count > 0:
stats['poc_stats']['cves_with_pocs'] += 1
stats['poc_stats']['total_poc_count'] += poc_count
# Rule statistics
rules = self.list_cve_rules(cve_id)
if rules:
stats['rule_stats']['cves_with_rules'] += 1
stats['rule_stats']['total_rule_count'] += len(rules)
for rule_file in rules:
method = rule_file.replace('rule_', '').replace('.sigma', '')
stats['rule_stats']['generation_methods'][method] += 1
except Exception as e:
self.error(f"Error collecting stats for {cve_id}: {e}")
return stats
def _display_overview_stats(self, stats: Dict, year: Optional[int]):
"""Display overview statistics"""
title = f"CVE-SIGMA Overview Statistics"
if year:
title += f" for {year}"
self.info(f"\n{title}")
self.info("=" * len(title))
self.info(f"Generated at: {stats['generated_at']}")
self.info(f"Total CVEs: {stats['total_cves']}")
# PoC coverage
poc_stats = stats['poc_stats']
poc_coverage = (poc_stats['cves_with_pocs'] / stats['total_cves'] * 100) if stats['total_cves'] > 0 else 0
self.info(f"PoC coverage: {poc_coverage:.1f}% ({poc_stats['cves_with_pocs']} CVEs)")
# Rule coverage
rule_stats = stats['rule_stats']
rule_coverage = (rule_stats['cves_with_rules'] / stats['total_cves'] * 100) if stats['total_cves'] > 0 else 0
self.info(f"Rule coverage: {rule_coverage:.1f}% ({rule_stats['cves_with_rules']} CVEs)")
self.info(f"Total rules: {rule_stats['total_rule_count']}")
# Severity breakdown
if stats['severity_breakdown']:
headers = ["Severity", "Count", "Percentage"]
rows = []
for severity, count in stats['severity_breakdown'].most_common():
percentage = (count / stats['total_cves'] * 100) if stats['total_cves'] > 0 else 0
rows.append([severity, str(count), f"{percentage:.1f}%"])
self.print_table(headers, rows, "CVEs by Severity")
# Yearly breakdown (if not filtered by year)
if not year and stats['yearly_breakdown']:
headers = ["Year", "CVE Count"]
rows = []
for cve_year, count in sorted(stats['yearly_breakdown'].items()):
rows.append([cve_year, str(count)])
self.print_table(headers, rows, "CVEs by Year")

16
cli/requirements.txt Normal file
View file

@ -0,0 +1,16 @@
# CLI Requirements for SIGMA CLI Tool
# Core dependencies
click>=8.0.0
pyyaml>=6.0
asyncio-throttle>=1.0.0
# Database support (for migration)
sqlalchemy>=1.4.0
psycopg2-binary>=2.9.0
# Optional: Enhanced formatting
colorama>=0.4.0
tabulate>=0.9.0
# Import existing backend requirements
-r ../backend/requirements.txt

313
cli/sigma_cli.py Executable file
View file

@ -0,0 +1,313 @@
#!/usr/bin/env python3
"""
SIGMA CLI - CVE-SIGMA Auto Generator Command Line Interface
A CLI tool for processing CVEs and generating SIGMA detection rules
in a file-based directory structure.
Author: CVE-SIGMA Auto Generator
"""
import click
import asyncio
import os
import sys
import json
from typing import Optional, List
from pathlib import Path
from datetime import datetime
# Add parent directories to path for imports
sys.path.insert(0, os.path.join(os.path.dirname(__file__), '..', 'backend'))
sys.path.insert(0, os.path.join(os.path.dirname(__file__), '..', 'core'))
# Import CLI command modules
from commands.process_commands import ProcessCommands
from commands.generate_commands import GenerateCommands
from commands.search_commands import SearchCommands
from commands.stats_commands import StatsCommands
from commands.export_commands import ExportCommands
from commands.migrate_commands import MigrateCommands
# Global CLI configuration
class Config:
def __init__(self):
self.base_dir = Path.cwd()
self.cves_dir = self.base_dir / "cves"
self.templates_dir = self.base_dir / "backend" / "templates"
self.reports_dir = self.base_dir / "reports"
self.config_file = Path.home() / ".sigma-cli" / "config.yaml"
# Ensure directories exist
self.cves_dir.mkdir(exist_ok=True)
self.reports_dir.mkdir(exist_ok=True)
(Path.home() / ".sigma-cli").mkdir(exist_ok=True)
pass_config = click.make_pass_decorator(Config, ensure=True)
@click.group()
@click.option('--verbose', '-v', is_flag=True, help='Enable verbose output')
@click.option('--config', '-c', type=click.Path(), help='Path to configuration file')
@click.pass_context
def cli(ctx, verbose, config):
"""
SIGMA CLI - CVE-SIGMA Auto Generator
A command line tool for processing CVEs and generating SIGMA detection rules.
Rules are stored in a file-based directory structure organized by year and CVE-ID.
"""
ctx.ensure_object(Config)
if verbose:
click.echo("Verbose mode enabled")
if config:
ctx.obj.config_file = Path(config)
# Initialize logging
import logging
level = logging.DEBUG if verbose else logging.INFO
logging.basicConfig(level=level, format='%(asctime)s - %(levelname)s - %(message)s')
# Process commands
@cli.group()
@pass_config
def process(config):
"""Process CVEs and generate SIGMA rules"""
pass
@process.command('year')
@click.argument('year', type=int)
@click.option('--method', '-m', multiple=True, type=click.Choice(['template', 'llm', 'hybrid', 'all']),
default=['template'], help='Rule generation method(s)')
@click.option('--force', '-f', is_flag=True, help='Force regeneration of existing rules')
@click.option('--batch-size', '-b', default=50, help='Batch size for processing')
@pass_config
def process_year(config, year, method, force, batch_size):
"""Process all CVEs for a specific year"""
cmd = ProcessCommands(config)
asyncio.run(cmd.process_year(year, method, force, batch_size))
@process.command('cve')
@click.argument('cve_id')
@click.option('--method', '-m', multiple=True, type=click.Choice(['template', 'llm', 'hybrid', 'all']),
default=['template'], help='Rule generation method(s)')
@click.option('--force', '-f', is_flag=True, help='Force regeneration of existing rules')
@pass_config
def process_cve(config, cve_id, method, force):
"""Process a specific CVE"""
cmd = ProcessCommands(config)
asyncio.run(cmd.process_cve(cve_id, method, force))
@process.command('bulk')
@click.option('--start-year', default=2022, help='Starting year for bulk processing')
@click.option('--end-year', default=datetime.now().year, help='Ending year for bulk processing')
@click.option('--method', '-m', multiple=True, type=click.Choice(['template', 'llm', 'hybrid', 'all']),
default=['template'], help='Rule generation method(s)')
@click.option('--batch-size', '-b', default=50, help='Batch size for processing')
@pass_config
def process_bulk(config, start_year, end_year, method, batch_size):
"""Bulk process all CVEs across multiple years"""
cmd = ProcessCommands(config)
asyncio.run(cmd.process_bulk(start_year, end_year, method, batch_size))
@process.command('incremental')
@click.option('--days', '-d', default=7, help='Process CVEs modified in the last N days')
@click.option('--method', '-m', multiple=True, type=click.Choice(['template', 'llm', 'hybrid', 'all']),
default=['template'], help='Rule generation method(s)')
@pass_config
def process_incremental(config, days, method):
"""Process recently modified CVEs"""
cmd = ProcessCommands(config)
asyncio.run(cmd.process_incremental(days, method))
# Generate commands
@cli.group()
@pass_config
def generate(config):
"""Generate SIGMA rules for existing CVEs"""
pass
@generate.command('cve')
@click.argument('cve_id')
@click.option('--method', '-m', type=click.Choice(['template', 'llm', 'hybrid', 'all']),
default='template', help='Rule generation method')
@click.option('--provider', '-p', type=click.Choice(['openai', 'anthropic', 'ollama']),
help='LLM provider for LLM-based generation')
@click.option('--model', help='Specific model to use')
@click.option('--force', '-f', is_flag=True, help='Force regeneration of existing rules')
@pass_config
def generate_cve(config, cve_id, method, provider, model, force):
"""Generate SIGMA rules for a specific CVE"""
cmd = GenerateCommands(config)
asyncio.run(cmd.generate_cve(cve_id, method, provider, model, force))
@generate.command('regenerate')
@click.option('--year', type=int, help='Regenerate rules for specific year')
@click.option('--method', '-m', type=click.Choice(['template', 'llm', 'hybrid', 'all']),
default='all', help='Rule generation method')
@click.option('--filter-quality', type=click.Choice(['excellent', 'good', 'fair']),
help='Only regenerate rules for CVEs with specific PoC quality')
@pass_config
def generate_regenerate(config, year, method, filter_quality):
"""Regenerate existing SIGMA rules"""
cmd = GenerateCommands(config)
asyncio.run(cmd.regenerate_rules(year, method, filter_quality))
# Search commands
@cli.group()
@pass_config
def search(config):
"""Search CVEs and SIGMA rules"""
pass
@search.command('cve')
@click.argument('pattern')
@click.option('--year', type=int, help='Search within specific year')
@click.option('--severity', type=click.Choice(['low', 'medium', 'high', 'critical']), help='Filter by severity')
@click.option('--has-poc', is_flag=True, help='Only show CVEs with PoC data')
@click.option('--has-rules', is_flag=True, help='Only show CVEs with generated rules')
@click.option('--limit', '-l', default=20, help='Limit number of results')
@pass_config
def search_cve(config, pattern, year, severity, has_poc, has_rules, limit):
"""Search for CVEs by pattern"""
cmd = SearchCommands(config)
asyncio.run(cmd.search_cves(pattern, year, severity, has_poc, has_rules, limit))
@search.command('rules')
@click.argument('pattern')
@click.option('--rule-type', help='Filter by rule type (e.g., process, network, file)')
@click.option('--method', type=click.Choice(['template', 'llm', 'hybrid']), help='Filter by generation method')
@click.option('--limit', '-l', default=20, help='Limit number of results')
@pass_config
def search_rules(config, pattern, rule_type, method, limit):
"""Search for SIGMA rules by pattern"""
cmd = SearchCommands(config)
asyncio.run(cmd.search_rules(pattern, rule_type, method, limit))
# Statistics commands
@cli.group()
@pass_config
def stats(config):
"""Generate statistics and reports"""
pass
@stats.command('overview')
@click.option('--year', type=int, help='Statistics for specific year')
@click.option('--output', '-o', type=click.Path(), help='Save output to file')
@pass_config
def stats_overview(config, year, output):
"""Generate overview statistics"""
cmd = StatsCommands(config)
asyncio.run(cmd.overview(year, output))
@stats.command('poc')
@click.option('--year', type=int, help='PoC statistics for specific year')
@pass_config
def stats_poc(config, year):
"""Generate PoC coverage statistics"""
cmd = StatsCommands(config)
asyncio.run(cmd.poc_stats(year))
@stats.command('rules')
@click.option('--year', type=int, help='Rule statistics for specific year')
@click.option('--method', type=click.Choice(['template', 'llm', 'hybrid']), help='Filter by generation method')
@pass_config
def stats_rules(config, year, method):
"""Generate rule generation statistics"""
cmd = StatsCommands(config)
asyncio.run(cmd.rule_stats(year, method))
# Export commands
@cli.group()
@pass_config
def export(config):
"""Export rules in various formats"""
pass
@export.command('sigma')
@click.argument('output_dir', type=click.Path())
@click.option('--year', type=int, help='Export rules for specific year')
@click.option('--format', type=click.Choice(['yaml', 'json']), default='yaml', help='Output format')
@click.option('--method', type=click.Choice(['template', 'llm', 'hybrid']), help='Filter by generation method')
@pass_config
def export_sigma(config, output_dir, year, format, method):
"""Export SIGMA rules to a directory"""
cmd = ExportCommands(config)
asyncio.run(cmd.export_sigma_rules(output_dir, year, format, method))
@export.command('metadata')
@click.argument('output_file', type=click.Path())
@click.option('--year', type=int, help='Export metadata for specific year')
@click.option('--format', type=click.Choice(['json', 'csv']), default='json', help='Output format')
@pass_config
def export_metadata(config, output_file, year, format):
"""Export CVE metadata"""
cmd = ExportCommands(config)
asyncio.run(cmd.export_metadata(output_file, year, format))
# Migration commands (for transitioning from web app)
@cli.group()
@pass_config
def migrate(config):
"""Migration utilities for transitioning from web application"""
pass
@migrate.command('from-database')
@click.option('--database-url', help='Database URL to migrate from')
@click.option('--batch-size', '-b', default=100, help='Batch size for migration')
@click.option('--dry-run', is_flag=True, help='Show what would be migrated without doing it')
@pass_config
def migrate_from_database(config, database_url, batch_size, dry_run):
"""Migrate data from existing database to file structure"""
cmd = MigrateCommands(config)
asyncio.run(cmd.migrate_from_database(database_url, batch_size, dry_run))
@migrate.command('validate')
@click.option('--year', type=int, help='Validate specific year')
@pass_config
def migrate_validate(config, year):
"""Validate migrated data integrity"""
cmd = MigrateCommands(config)
asyncio.run(cmd.validate_migration(year))
# Utility commands
@cli.command()
@pass_config
def version(config):
"""Show version information"""
click.echo("SIGMA CLI v1.0.0")
click.echo("CVE-SIGMA Auto Generator - File-based Edition")
@cli.command()
@pass_config
def config_init(config):
"""Initialize CLI configuration"""
config_data = {
'base_dir': str(config.base_dir),
'api_keys': {
'nvd_api_key': '',
'github_token': '',
'openai_api_key': '',
'anthropic_api_key': ''
},
'llm_settings': {
'default_provider': 'ollama',
'default_model': 'llama3.2',
'ollama_base_url': 'http://localhost:11434'
},
'processing': {
'default_batch_size': 50,
'default_methods': ['template']
}
}
config.config_file.parent.mkdir(exist_ok=True)
with open(config.config_file, 'w') as f:
import yaml
yaml.dump(config_data, f, default_flow_style=False)
click.echo(f"Configuration initialized at {config.config_file}")
click.echo("Please edit the configuration file to add your API keys and preferences.")
if __name__ == '__main__':
cli()