auto_sigma_rule_generator/README.md

CVE-SIGMA Auto Generator

An automated platform that fetches CVE data and automatically generates SIGMA rules for threat detection.

Features

• Automated CVE Fetching: Regularly polls the NVD (National Vulnerability Database) for new CVEs
• Intelligent SIGMA Rule Generation: Automatically creates SIGMA rules based on CVE characteristics
• Modern Web Interface: React-based UI for browsing CVEs and managing SIGMA rules
• Real-time Updates: Background tasks keep CVE data current
• Rule Templates: Configurable templates for different types of vulnerabilities
• Docker Compose: Easy deployment and orchestration

Architecture

• Backend: FastAPI with SQLAlchemy ORM
• Frontend: React with Tailwind CSS
• Database: PostgreSQL
• Cache: Redis (optional)
• Containerization: Docker & Docker Compose

Quick Start

Prerequisites

• Docker and Docker Compose
• (Optional) NVD API Key for increased rate limits

Setup

1. Clone the repository:

git clone <repository-url>
cd cve-sigma-generator

2. Quick Start (Recommended):

chmod +x start.sh
./start.sh

3. Manual Setup:

# Copy environment file
cp .env.example .env

# (Optional) Edit .env and add your NVD API key
nano .env

# Start the application
docker-compose up -d --build

4. Wait for services to initialize (about 30-60 seconds)

5. Access the application:

   • Frontend: http://localhost:3000
   • Backend API: http://localhost:8000
   • API Documentation: http://localhost:8000/docs

First Run

The application will automatically:

1. Initialize the database with rule templates
2. Start fetching recent CVEs from NVD
3. Generate SIGMA rules for each CVE
4. Continue polling for new CVEs every hour

Usage

Web Interface

The web interface provides three main sections:

1. Dashboard: Overview statistics and recent CVEs
2. CVEs: Complete list of all fetched CVEs with details
3. SIGMA Rules: Generated detection rules organized by CVE

Manual CVE Fetch

You can trigger a manual CVE fetch using the "Fetch New CVEs" button in the dashboard or via API:

curl -X POST http://localhost:8000/api/fetch-cves

API Endpoints

• GET /api/cves - List all CVEs
• GET /api/cves/{cve_id} - Get specific CVE details
• GET /api/sigma-rules - List all SIGMA rules
• GET /api/sigma-rules/{cve_id} - Get SIGMA rules for specific CVE
• POST /api/fetch-cves - Manually trigger CVE fetch
• GET /api/stats - Get application statistics

Configuration

Environment Variables

• DATABASE_URL: PostgreSQL connection string
• NVD_API_KEY: Optional NVD API key for higher rate limits
• REACT_APP_API_URL: Backend API URL for frontend

Rule Templates

The application includes pre-configured rule templates for:

• Windows Process Execution
• Network Connections
• File Modifications

Additional templates can be added to the database via the rule_templates table.

SIGMA Rule Generation Logic

The rule generation process:

1. CVE Analysis: Analyzes CVE description and affected products
2. Template Selection: Chooses appropriate SIGMA rule template
3. Indicator Extraction: Extracts suspicious processes, ports, or file patterns
4. Rule Population: Fills template with CVE-specific data
5. Confidence Scoring: Assigns confidence level based on CVSS score

Template Matching

• Process Execution: Keywords like "process", "execution", "command"
• Network Connection: Keywords like "network", "remote", "connection"
• File Modification: Keywords like "file", "write", "filesystem"

Development

Local Development

1. Start the database:

docker-compose up -d db redis

2. Run the backend:

cd backend
pip install -r requirements.txt
uvicorn main:app --reload

3. Run the frontend:

cd frontend
npm install
npm start

Database Migration

The application automatically creates tables on startup. For manual schema changes:

# Connect to database
docker-compose exec db psql -U cve_user -d cve_sigma_db

# Run custom SQL
\i /path/to/migration.sql

SIGMA Rule Quality

Generated rules are marked as "experimental" and should be:

• Reviewed by security analysts
• Tested in a lab environment
• Tuned to reduce false positives
• Validated against real attack scenarios

Monitoring

Logs

View application logs:

# All services
docker-compose logs -f

# Specific service
docker-compose logs -f backend

Health Checks

The application includes health checks for database connectivity. Monitor with:

docker-compose ps

Troubleshooting

Common Issues

1. Frontend build fails with "npm ci" error: This is fixed in the current version. The Dockerfile now uses npm install instead of npm ci.
2. CVE Fetch Failing: Check NVD API rate limits or network connectivity
3. Database Connection Error: Ensure PostgreSQL is running and accessible
4. Frontend Not Loading: Verify backend is running and CORS is configured
5. Rule Generation Issues: Check CVE description quality and template matching
6. Port conflicts: If ports 3000, 8000, or 5432 are in use, stop other services or modify docker-compose.yml

Rate Limits

Without an API key, NVD limits requests to 5 per 30 seconds. With an API key, the limit increases to 50 per 30 seconds.

Security Considerations

• API Keys: Store NVD API keys securely using environment variables
• Database Access: Use strong passwords and restrict database access
• Network Security: Deploy behind a reverse proxy in production
• Rule Validation: Always validate generated SIGMA rules before deployment

Contributing

1. Fork the repository
2. Create a feature branch
3. Make changes and add tests
4. Submit a pull request

License

This project is licensed under the MIT License - see the LICENSE file for details.

Support

For issues and questions:

1. Check the troubleshooting section
2. Review application logs
3. Open an issue on GitHub

Roadmap

Planned features:

• Custom rule template editor
• MITRE ATT&CK mapping
• Rule effectiveness scoring
• Export to SIEM platforms
• Advanced threat intelligence integration
• Machine learning-based rule optimization