🎉 **Architecture Transformation (v2.0)**
- Complete migration from web app to professional CLI tool
- File-based SIGMA rule management system
- Git-friendly directory structure organized by year/CVE-ID
- Multiple rule variants per CVE (template, LLM, hybrid)

✨ **New CLI System**
- Professional command-line interface with Click framework
- 8 command groups: process, generate, search, stats, export, migrate
- Modular command architecture for maintainability
- Comprehensive help system and configuration management

📁 **File-Based Storage Architecture**
- Individual CVE directories: cves/YEAR/CVE-ID/
- Multiple SIGMA rule variants per CVE
- JSON metadata with processing history and PoC data
- Native YAML files perfect for version control

🚀 **Core CLI Commands**
- process: CVE processing and bulk operations
- generate: SIGMA rule generation with multiple methods
- search: Advanced CVE and rule searching with filters
- stats: Comprehensive statistics and analytics
- export: Multiple output formats for different workflows
- migrate: Database-to-file migration tools

🔧 **Migration Support**
- Complete migration utilities from web database
- Data validation and integrity checking
- Backward compatibility with existing processors
- Legacy web interface maintained for transition

📊 **Enhanced Features**
- Advanced search with complex filtering (severity, PoC presence, etc.)
- Multi-format exports (YAML, JSON, CSV)
- Comprehensive statistics and coverage reports
- File-based rule versioning and management

🎯 **Production Benefits**
- No database dependency - runs anywhere
- Perfect for cybersecurity teams using git workflows
- Direct integration with SIGMA ecosystems
- Portable architecture for CI/CD pipelines
- Multiple rule variants for different detection scenarios

📝 **Documentation Updates**
- Complete README rewrite for CLI-first approach
- Updated CLAUDE.md with new architecture details
- Detailed CLI documentation with examples
- Migration guides and troubleshooting

**Perfect for security teams wanting production-ready SIGMA rules with version control! 🛡️**

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
SIGMA CLI - CVE-SIGMA Auto Generator
A command-line interface for processing CVEs and generating SIGMA detection rules in a file-based directory structure.
Quick Start
```bash
# Make CLI executable
chmod +x cli/sigma_cli.py

# Initialize configuration
./cli/sigma_cli.py config-init

# Migrate data from existing database (if applicable)
./cli/sigma_cli.py migrate from-database

# Process CVEs for a specific year
./cli/sigma_cli.py process year 2024

# Generate rules for a specific CVE
./cli/sigma_cli.py generate cve CVE-2024-0001

# Search CVEs
./cli/sigma_cli.py search cve "buffer overflow"

# View statistics
./cli/sigma_cli.py stats overview

# Export rules
./cli/sigma_cli.py export sigma ./output/rules
```
Directory Structure
```text
auto_sigma_rule_generator/
├── cves/
│   ├── 2024/
│   │   ├── CVE-2024-0001/
│   │   │   ├── metadata.json
│   │   │   ├── rule_template.sigma
│   │   │   ├── rule_llm_openai.sigma
│   │   │   └── poc_analysis.json
│   │   └── CVE-2024-0002/...
│   └── 2023/...
├── cli/
│   ├── sigma_cli.py (main CLI)
│   ├── commands/ (command modules)
│   └── config/ (CLI configuration)
└── reports/ (generated reports)
```
Available Commands
Process Commands
- `process year <year>` - Process all CVEs for a year
- `process cve <cve-id>` - Process a specific CVE
- `process bulk` - Bulk process multiple years
- `process incremental` - Process recent changes
Generate Commands
- `generate cve <cve-id>` - Generate rules for a CVE
- `generate regenerate` - Regenerate existing rules
Search Commands
- `search cve <pattern>` - Search CVEs
- `search rules <pattern>` - Search SIGMA rules
Statistics Commands
- `stats overview` - General statistics
- `stats poc` - PoC coverage statistics
- `stats rules` - Rule generation statistics
Export Commands
- `export sigma <dir>` - Export SIGMA rules
- `export metadata <file>` - Export CVE metadata
Migration Commands
- `migrate from-database` - Migrate from the web app database
- `migrate validate` - Validate migrated data
Configuration
Edit `~/.sigma-cli/config.yaml` to configure API keys and settings. The file holds credentials, so keep it readable only by your own user (for example `chmod 600 ~/.sigma-cli/config.yaml`):

```yaml
api_keys:
  nvd_api_key: "your-nvd-key"
  github_token: "your-github-token"
  openai_api_key: "your-openai-key"
  anthropic_api_key: "your-anthropic-key"

llm_settings:
  default_provider: "ollama"
  default_model: "llama3.2"
  ollama_base_url: "http://localhost:11434"

processing:
  default_batch_size: 50
  default_methods: ["template"]
```
Installation
```bash
# Install dependencies
pip install -r cli/requirements.txt

# Or install into a virtual environment
python -m venv venv
source venv/bin/activate   # On Windows: venv\Scripts\activate
pip install -r cli/requirements.txt
```
Examples
Migration from Web Application
```bash
# Migrate existing data
./cli/sigma_cli.py migrate from-database --database-url "postgresql://user:pass@localhost:5432/db"

# Validate migration
./cli/sigma_cli.py migrate validate

# Check migration statistics
./cli/sigma_cli.py stats overview
```
Processing CVEs
```bash
# Process a specific year with multiple methods
./cli/sigma_cli.py process year 2024 --method template --method llm

# Process a specific CVE with forced regeneration
./cli/sigma_cli.py process cve CVE-2024-12345 --force

# Bulk process with a specific batch size
./cli/sigma_cli.py process bulk --start-year 2020 --end-year 2024 --batch-size 100
```
Searching and Analysis
```bash
# Search for CVEs matching a pattern, filtered by severity and PoC presence
./cli/sigma_cli.py search cve "remote code execution" --severity critical --has-poc

# Search SIGMA rules
./cli/sigma_cli.py search rules "powershell" --method llm

# Generate comprehensive statistics
./cli/sigma_cli.py stats overview --year 2024 --output ./reports/2024-stats.json
```
Exporting Data
```bash
# Export all SIGMA rules as YAML
./cli/sigma_cli.py export sigma ./output/sigma-rules --format yaml

# Export CVE metadata as CSV
./cli/sigma_cli.py export metadata ./reports/cve-data.csv --format csv

# Export a specific year and method
./cli/sigma_cli.py export sigma ./output/2024-llm-rules --year 2024 --method llm
```
File Formats
metadata.json Structure
```json
{
  "cve_info": {
    "cve_id": "CVE-2024-0001",
    "description": "...",
    "cvss_score": 9.8,
    "severity": "critical"
  },
  "poc_data": {
    "poc_count": 3,
    "poc_data": {...}
  },
  "rule_generation": {
    "template": {"generated_at": "..."},
    "llm_openai": {"generated_at": "..."}
  }
}
```
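Because rules and metadata live in plain files, the tree can be consumed directly without the CLI. The script below is an added example, not part of the project's code: it builds a constructed sample `cves/YEAR/CVE-ID/` tree (made-up CVE IDs and values), then computes the kind of figures the `stats` and `migrate validate` commands describe: PoC coverage, rule counts per method, critical CVEs with no rule on disk, and CVEs whose `metadata.json` records a method that has no matching `rule_<method>.sigma` file.

```python
import json
import tempfile
from collections import Counter
from pathlib import Path

# Constructed sample data in the README's layout (cves/YEAR/CVE-ID/metadata.json plus
# rule_<method>.sigma files): (year, cve_id, severity, poc_count, recorded, on_disk).
SAMPLE = [
    ("2024", "CVE-2024-0001", "critical", 3, ["template", "llm_openai"], ["template", "llm_openai"]),
    ("2024", "CVE-2024-0002", "critical", 0, [], []),
    # metadata records two methods but only one rule file exists: an integrity gap
    ("2023", "CVE-2023-0009", "high", 1, ["template", "llm_anthropic"], ["template"]),
]

def build_sample_repo(root: Path) -> Path:
    """Write the constructed sample tree under root/cves and return that directory."""
    for year, cve, sev, pocs, recorded, on_disk in SAMPLE:
        d = root / "cves" / year / cve
        d.mkdir(parents=True)
        meta = {"cve_info": {"cve_id": cve, "severity": sev},
                "poc_data": {"poc_count": pocs},
                "rule_generation": {m: {"generated_at": "..."} for m in recorded}}
        (d / "metadata.json").write_text(json.dumps(meta))
        for m in on_disk:
            (d / f"rule_{m}.sigma").write_text("title: placeholder\n")
    return root / "cves"

def coverage_stats(cves_dir: Path) -> dict:
    """Walk cves/YEAR/CVE-ID/, read each metadata.json and report rule coverage."""
    stats = {"total": 0, "with_poc": 0, "by_year": Counter(), "by_method": Counter(),
             "critical_without_rules": [], "inconsistent": []}
    for meta_path in sorted(cves_dir.glob("*/*/metadata.json")):
        cve_dir = meta_path.parent
        meta = json.loads(meta_path.read_text())
        stats["total"] += 1
        stats["by_year"][cve_dir.parent.name] += 1
        stats["with_poc"] += int(meta.get("poc_data", {}).get("poc_count", 0) > 0)
        # Methods with a rule file on disk vs. methods recorded under rule_generation
        on_disk = {p.name[len("rule_"):-len(".sigma")] for p in cve_dir.glob("rule_*.sigma")}
        stats["by_method"].update(on_disk)
        if on_disk != set(meta.get("rule_generation", {})):
            stats["inconsistent"].append(cve_dir.name)
        if meta["cve_info"].get("severity") == "critical" and not on_disk:
            stats["critical_without_rules"].append(cve_dir.name)
    return stats

def demo_stats() -> dict:
    """Build the sample tree in a temporary directory and return its coverage stats."""
    with tempfile.TemporaryDirectory() as tmp:
        return coverage_stats(build_sample_repo(Path(tmp)))
```

Calling `demo_stats()` on the sample reports CVE-2024-0002 as a critical CVE without any rule and CVE-2023-0009 as having metadata out of step with the files on disk.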
SIGMA Rule Files
- `rule_template.sigma` - Template-based generation
- `rule_llm_openai.sigma` - OpenAI LLM generation
- `rule_llm_anthropic.sigma` - Anthropic LLM generation
- `rule_hybrid.sigma` - Hybrid generation method
Development
The CLI is built using Click and follows a modular command structure:
- `sigma_cli.py` - Main CLI entry point
- `commands/base_command.py` - Base functionality
- `commands/process_commands.py` - CVE processing
- `commands/migrate_commands.py` - Database migration
- `commands/search_commands.py` - Search functionality
- `commands/stats_commands.py` - Statistics generation
- `commands/export_commands.py` - Data export
Troubleshooting
Common Issues
- Import errors: make sure you are running from the project root
- Permission errors: ensure the `cves/` and `reports/` directories are writable
- Database connection: check the `DATABASE_URL` environment variable (used by `migrate from-database`)
- API limits: configure API keys in `~/.sigma-cli/config.yaml` for higher rate limits
Debug Mode
```bash
# Enable verbose logging
./cli/sigma_cli.py --verbose <command>

# Check configuration
./cli/sigma_cli.py config-init
```