CVE-SIGMA Auto Generator

An automated platform that fetches CVE data and automatically generates SIGMA rules for threat detection.

Features

• Automated CVE Fetching: Regularly polls the NVD (National Vulnerability Database) for CVEs from July 2025
• Intelligent SIGMA Rule Generation: Automatically creates SIGMA rules based on CVE characteristics
• Modern Web Interface: React-based UI for browsing CVEs and managing SIGMA rules
• Real-time Updates: Background tasks keep CVE data current with current 2025 vulnerabilities
• Rule Templates: Configurable templates for different types of vulnerabilities
• API Testing: Built-in NVD API connectivity testing
• Enhanced Error Handling: Robust fallback mechanisms and detailed logging
• Docker Compose: Easy deployment and orchestration

Architecture

• Backend: FastAPI with SQLAlchemy ORM
• Frontend: React with Tailwind CSS
• Database: PostgreSQL
• Cache: Redis (optional)
• Containerization: Docker & Docker Compose

Quick Start

Prerequisites

• Docker and Docker Compose
• (Optional) NVD API Key for increased rate limits

Setup

1. Clone the repository:

git clone <repository-url>
cd cve-sigma-generator

2. Quick Start (Recommended):

chmod +x start.sh
./start.sh

3. Manual Setup:

# Copy environment file
cp .env.example .env

# (Optional) Edit .env and add your NVD API key
nano .env

# Start the application
docker-compose up -d --build

4. Wait for services to initialize (about 30-60 seconds)

5. Access the application:

   • Frontend: http://localhost:3000
   • Backend API: http://localhost:8000
   • API Documentation: http://localhost:8000/docs

First Run

The application will automatically:

1. Initialize the database with rule templates
2. Start fetching recent CVEs from NVD
3. Generate SIGMA rules for each CVE
4. Continue polling for new CVEs every hour

Usage

Web Interface

The web interface provides three main sections:

1. Dashboard: Overview statistics and recent CVEs
2. CVEs: Complete list of all fetched CVEs with details
3. SIGMA Rules: Generated detection rules organized by CVE

Manual CVE Fetch

You can trigger a manual CVE fetch using the "Fetch New CVEs" button in the dashboard or via API:

curl -X POST http://localhost:8000/api/fetch-cves

API Endpoints

• GET /api/cves - List all CVEs
• GET /api/cves/{cve_id} - Get specific CVE details
• GET /api/sigma-rules - List all SIGMA rules
• GET /api/sigma-rules/{cve_id} - Get SIGMA rules for specific CVE
• POST /api/fetch-cves - Manually trigger CVE fetch
• GET /api/stats - Get application statistics

Configuration

Environment Variables

• DATABASE_URL: PostgreSQL connection string
• NVD_API_KEY: Optional NVD API key for higher rate limits
• REACT_APP_API_URL: Backend API URL for frontend

Rule Templates

The application includes pre-configured rule templates for:

• Windows Process Execution
• Network Connections
• File Modifications

Additional templates can be added to the database via the rule_templates table.

SIGMA Rule Generation Logic

The rule generation process:

1. CVE Analysis: Analyzes CVE description and affected products
2. Template Selection: Chooses appropriate SIGMA rule template
3. Indicator Extraction: Extracts suspicious processes, ports, or file patterns
4. Rule Population: Fills template with CVE-specific data
5. Confidence Scoring: Assigns confidence level based on CVSS score

Template Matching

• Process Execution: Keywords like "process", "execution", "command"
• Network Connection: Keywords like "network", "remote", "connection"
• File Modification: Keywords like "file", "write", "filesystem"

Development

Local Development

1. Start the database:

docker-compose up -d db redis

2. Run the backend:

cd backend
pip install -r requirements.txt
uvicorn main:app --reload

3. Run the frontend:

cd frontend
npm install
npm start

Database Migration

The application automatically creates tables on startup. For manual schema changes:

# Connect to database
docker-compose exec db psql -U cve_user -d cve_sigma_db

# Run custom SQL
\i /path/to/migration.sql

SIGMA Rule Quality

Generated rules are marked as "experimental" and should be:

• Reviewed by security analysts
• Tested in a lab environment
• Tuned to reduce false positives
• Validated against real attack scenarios

Monitoring

Logs

View application logs:

# All services
docker-compose logs -f

# Specific service
docker-compose logs -f backend

Health Checks

The application includes health checks for database connectivity. Monitor with:

docker-compose ps

✅ Recent Fixes (July 2025)

• Fixed 404 CVE fetch error: Corrected NVD API 2.0 endpoint format and parameters
• Updated for current dates: Now properly fetches CVEs from July 2025 (current date)
• Improved API integration: Better error handling, fallback mechanisms, and debugging
• Enhanced date handling: Proper ISO-8601 format with UTC timezone
• API key integration: Correctly passes API keys in headers for higher rate limits

Troubleshooting

Common Issues

1. Frontend build fails with "npm ci" error: This is fixed in the current version. The Dockerfile now uses npm install instead of npm ci.
2. CVE Fetch returns 404: Fixed in latest version. The application now uses proper NVD API 2.0 format with current 2025 dates.
3. No CVEs being fetched:
   • Check if you have an NVD API key configured in .env for better rate limits
   • Use the "Test NVD API" button to verify connectivity
   • Check backend logs: docker-compose logs -f backend
4. Database Connection Error: Ensure PostgreSQL is running and accessible
5. Frontend Not Loading: Verify backend is running and CORS is configured
6. Rule Generation Issues: Check CVE description quality and template matching
7. Port conflicts: If ports 3000, 8000, or 5432 are in use, stop other services or modify docker-compose.yml

API Key Setup

For optimal performance, get a free NVD API key:

1. Visit: https://nvd.nist.gov/developers/request-an-api-key
2. Add to your .env file: NVD_API_KEY=your_key_here
3. Restart the application

Without an API key: 5 requests per 30 seconds With an API key: 50 requests per 30 seconds

Rate Limits

Without an API key, NVD limits requests to 5 per 30 seconds. With an API key, the limit increases to 50 per 30 seconds.

Security Considerations

• API Keys: Store NVD API keys securely using environment variables
• Database Access: Use strong passwords and restrict database access
• Network Security: Deploy behind a reverse proxy in production
• Rule Validation: Always validate generated SIGMA rules before deployment

Contributing

1. Fork the repository
2. Create a feature branch
3. Make changes and add tests
4. Submit a pull request

License

This project is licensed under the MIT License - see the LICENSE file for details.

Support

For issues and questions:

1. Check the troubleshooting section
2. Review application logs
3. Open an issue on GitHub

Roadmap

Planned features:

• Custom rule template editor
• MITRE ATT&CK mapping
• Rule effectiveness scoring
• Export to SIEM platforms
• Advanced threat intelligence integration
• Machine learning-based rule optimization