This project is a proof of concept to see if we can have a program create SIGMA rules based on information in new CVEs that are published. - Extracts CVE records from the National Vulnerability Database - Extracts exploit data from Github repoositories, ExploitDB, and the CISA Known Exploited Vulnerabilities catalog - Extracts text data from reference links found on both exploit records + CVE records - Sends exploit data + reference data to LLM to create SIGMA rules based on the content This data is not meant for production use and is considered experimental. Inspired from: https://blogs.night-wolf.io/sigmagen-ai-powered-attck-mapped-threat-detection-with-sigma-rules
Find a file
2025-07-08 08:34:28 -05:00
backend init commit. main app + frontend/backend 2025-07-08 08:34:28 -05:00
frontend init commit. main app + frontend/backend 2025-07-08 08:34:28 -05:00
.env.example init commit. main app + frontend/backend 2025-07-08 08:34:28 -05:00
docker-compose.yml init commit. main app + frontend/backend 2025-07-08 08:34:28 -05:00
init.sql init commit. main app + frontend/backend 2025-07-08 08:34:28 -05:00
README.md init commit. main app + frontend/backend 2025-07-08 08:34:28 -05:00

CVE-SIGMA Auto Generator

An automated platform that fetches CVE data and automatically generates SIGMA rules for threat detection.

Features

  • Automated CVE Fetching: Regularly polls the NVD (National Vulnerability Database) for new CVEs
  • Intelligent SIGMA Rule Generation: Automatically creates SIGMA rules based on CVE characteristics
  • Modern Web Interface: React-based UI for browsing CVEs and managing SIGMA rules
  • Real-time Updates: Background tasks keep CVE data current
  • Rule Templates: Configurable templates for different types of vulnerabilities
  • Docker Compose: Easy deployment and orchestration

Architecture

  • Backend: FastAPI with SQLAlchemy ORM
  • Frontend: React with Tailwind CSS
  • Database: PostgreSQL
  • Cache: Redis (optional)
  • Containerization: Docker & Docker Compose

Quick Start

Prerequisites

  • Docker and Docker Compose
  • (Optional) NVD API Key for increased rate limits

Setup

  1. Clone the repository:
git clone <repository-url>
cd cve-sigma-generator
  1. (Optional) Set your NVD API Key:
export NVD_API_KEY="your-api-key-here"
  1. Start the application:
docker-compose up -d
  1. Wait for services to initialize (about 30-60 seconds)

  2. Access the application:

First Run

The application will automatically:

  1. Initialize the database with rule templates
  2. Start fetching recent CVEs from NVD
  3. Generate SIGMA rules for each CVE
  4. Continue polling for new CVEs every hour

Usage

Web Interface

The web interface provides three main sections:

  1. Dashboard: Overview statistics and recent CVEs
  2. CVEs: Complete list of all fetched CVEs with details
  3. SIGMA Rules: Generated detection rules organized by CVE

Manual CVE Fetch

You can trigger a manual CVE fetch using the "Fetch New CVEs" button in the dashboard or via API:

curl -X POST http://localhost:8000/api/fetch-cves

API Endpoints

  • GET /api/cves - List all CVEs
  • GET /api/cves/{cve_id} - Get specific CVE details
  • GET /api/sigma-rules - List all SIGMA rules
  • GET /api/sigma-rules/{cve_id} - Get SIGMA rules for specific CVE
  • POST /api/fetch-cves - Manually trigger CVE fetch
  • GET /api/stats - Get application statistics

Configuration

Environment Variables

  • DATABASE_URL: PostgreSQL connection string
  • NVD_API_KEY: Optional NVD API key for higher rate limits
  • REACT_APP_API_URL: Backend API URL for frontend

Rule Templates

The application includes pre-configured rule templates for:

  • Windows Process Execution
  • Network Connections
  • File Modifications

Additional templates can be added to the database via the rule_templates table.

SIGMA Rule Generation Logic

The rule generation process:

  1. CVE Analysis: Analyzes CVE description and affected products
  2. Template Selection: Chooses appropriate SIGMA rule template
  3. Indicator Extraction: Extracts suspicious processes, ports, or file patterns
  4. Rule Population: Fills template with CVE-specific data
  5. Confidence Scoring: Assigns confidence level based on CVSS score

Template Matching

  • Process Execution: Keywords like "process", "execution", "command"
  • Network Connection: Keywords like "network", "remote", "connection"
  • File Modification: Keywords like "file", "write", "filesystem"

Development

Local Development

  1. Start the database:
docker-compose up -d db redis
  1. Run the backend:
cd backend
pip install -r requirements.txt
uvicorn main:app --reload
  1. Run the frontend:
cd frontend
npm install
npm start

Database Migration

The application automatically creates tables on startup. For manual schema changes:

# Connect to database
docker-compose exec db psql -U cve_user -d cve_sigma_db

# Run custom SQL
\i /path/to/migration.sql

SIGMA Rule Quality

Generated rules are marked as "experimental" and should be:

  • Reviewed by security analysts
  • Tested in a lab environment
  • Tuned to reduce false positives
  • Validated against real attack scenarios

Monitoring

Logs

View application logs:

# All services
docker-compose logs -f

# Specific service
docker-compose logs -f backend

Health Checks

The application includes health checks for database connectivity. Monitor with:

docker-compose ps

Troubleshooting

Common Issues

  1. CVE Fetch Failing: Check NVD API rate limits or network connectivity
  2. Database Connection Error: Ensure PostgreSQL is running and accessible
  3. Frontend Not Loading: Verify backend is running and CORS is configured
  4. Rule Generation Issues: Check CVE description quality and template matching

Rate Limits

Without an API key, NVD limits requests to 5 per 30 seconds. With an API key, the limit increases to 50 per 30 seconds.

Security Considerations

  • API Keys: Store NVD API keys securely using environment variables
  • Database Access: Use strong passwords and restrict database access
  • Network Security: Deploy behind a reverse proxy in production
  • Rule Validation: Always validate generated SIGMA rules before deployment

Contributing

  1. Fork the repository
  2. Create a feature branch
  3. Make changes and add tests
  4. Submit a pull request

License

This project is licensed under the MIT License - see the LICENSE file for details.

Support

For issues and questions:

  1. Check the troubleshooting section
  2. Review application logs
  3. Open an issue on GitHub

Roadmap

Planned features:

  • Custom rule template editor
  • MITRE ATT&CK mapping
  • Rule effectiveness scoring
  • Export to SIEM platforms
  • Advanced threat intelligence integration
  • Machine learning-based rule optimization