diff --git a/pkgs/development/python-modules/pysigma-backend-splunk/default.nix b/pkgs/development/python-modules/pysigma-backend-splunk/default.nix
new file mode 100644
index 000000000000..f3b122b4ecac
--- /dev/null
+++ b/pkgs/development/python-modules/pysigma-backend-splunk/default.nix
@@ -0,0 +1,46 @@
+{ lib
+, buildPythonPackage
+, fetchFromGitHub
+, poetry-core
+, pysigma
+, pytestCheckHook
+, pythonOlder
+}:
+
+buildPythonPackage rec {
+ pname = "pysigma-backend-splunk";
+ version = "0.1.1";
+ format = "pyproject";
+
+ disabled = pythonOlder "3.8";
+
+ src = fetchFromGitHub {
+ owner = "SigmaHQ";
+ repo = "pySigma-backend-splunk";
+ rev = "v${version}";
+ hash = "sha256-AGT+7BKtINe2ukmomYyoUa5PHYAH1N0tUTtbyjMD+kw=";
+ };
+
+ nativeBuildInputs = [
+ poetry-core
+ ];
+
+ propagatedBuildInputs = [
+ pysigma
+ ];
+
+ checkInputs = [
+ pytestCheckHook
+ ];
+
+ pythonImportsCheck = [
+ "sigma.backends.splunk"
+ ];
+
+ meta = with lib; {
+ description = "Library to support Splunk for pySigma";
+ homepage = "https://github.com/SigmaHQ/pySigma-backend-splunk";
+ license = with licenses; [ lgpl21Only ];
+ maintainers = with maintainers; [ fab ];
+ };
+}
diff --git a/pkgs/development/python-modules/pysigma-pipeline-crowdstrike/default.nix b/pkgs/development/python-modules/pysigma-pipeline-crowdstrike/default.nix
new file mode 100644
index 000000000000..22f589d3b149
--- /dev/null
+++ b/pkgs/development/python-modules/pysigma-pipeline-crowdstrike/default.nix
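Review bot: `checkInputs = [ pytestCheckHook ]` runs whatever test suite the tag ships, with no `pytestFlagsArray` or `disabledTests`, and I cannot tell from this diff whether pySigma-backend-splunk v0.1.1 contains a tests/ directory at all; if it does not, pytest exits 5 for "no tests collected" and the hook fails the build, so this wants confirming on a local build rather than trusting `pythonImportsCheck` alone. On the supply-chain side the expression is sound: `rev = "v${version}"` is a mutable tag, but the SRI `hash` pins the fetched tree, so a retagged release fails to fetch instead of silently changing the build. Minor style point: a single-element license list is conventionally written `license = licenses.lgpl21Only;`, and the same applies to the crowdstrike and sysmon files added in this commit.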
@@ -0,0 +1,46 @@
+{ lib
+, buildPythonPackage
+, fetchFromGitHub
+, poetry-core
+, pysigma
+, pytestCheckHook
+, pythonOlder
+}:
+
+buildPythonPackage rec {
+ pname = "pysigma-pipeline-crowdstrike";
+ version = "0.1.3";
+ format = "pyproject";
+
+ disabled = pythonOlder "3.8";
+
+ src = fetchFromGitHub {
+ owner = "SigmaHQ";
+ repo = "pySigma-pipeline-crowdstrike";
+ rev = "v${version}";
+ hash = "sha256-JNJHKydMzKreN+6liLlGMT1CFBUr/IX8Ah+exddKR3g=";
+ };
+
+ nativeBuildInputs = [
+ poetry-core
+ ];
+
+ propagatedBuildInputs = [
+ pysigma
+ ];
+
+ checkInputs = [
+ pytestCheckHook
+ ];
+
+ pythonImportsCheck = [
+ "sigma.pipelines.crowdstrike"
+ ];
+
+ meta = with lib; {
+ description = "Library to support CrowdStrike pipeline for pySigma";
+ homepage = "https://github.com/SigmaHQ/pySigma-pipeline-crowdstrike";
+ license = with licenses; [ lgpl21Only ];
+ maintainers = with maintainers; [ fab ];
+ };
+}
diff --git a/pkgs/development/python-modules/pysigma-pipeline-sysmon/default.nix b/pkgs/development/python-modules/pysigma-pipeline-sysmon/default.nix
new file mode 100644
index 000000000000..e784ac1eca16
--- /dev/null
+++ b/pkgs/development/python-modules/pysigma-pipeline-sysmon/default.nix
@@ -0,0 +1,46 @@
+{ lib
+, buildPythonPackage
+, fetchFromGitHub
+, poetry-core
+, pysigma
+, pytestCheckHook
+, pythonOlder
+}:
+
+buildPythonPackage rec {
+ pname = "pysigma-pipeline-sysmon";
+ version = "0.1.1";
+ format = "pyproject";
+
+ disabled = pythonOlder "3.8";
+
+ src = fetchFromGitHub {
+ owner = "SigmaHQ";
+ repo = "pySigma-pipeline-sysmon";
+ rev = "v${version}";
+ hash = "sha256-BBJt2SAbnPEzIwJ+tXW4NmA4Nrb/glIaPlnmYHLoMD0=";
+ };
+
+ nativeBuildInputs = [
+ poetry-core
+ ];
+
+ propagatedBuildInputs = [
+ pysigma
+ ];
+
+ checkInputs = [
+ pytestCheckHook
+ ];
+
+ pythonImportsCheck = [
+ "sigma.pipelines.sysmon"
+ ];
+
+ meta = with lib; {
+ description = "Library to support Sysmon pipeline for pySigma";
+ homepage = "https://github.com/SigmaHQ/pySigma-pipeline-sysmon";
+ license = with licenses; [ lgpl21Only ];
+ maintainers = with maintainers; [ fab ];
+ };
+}
diff --git a/pkgs/development/python-modules/pysigma/default.nix b/pkgs/development/python-modules/pysigma/default.nix
new file mode 100644
index 000000000000..39ab5c9918b5
--- /dev/null
+++ b/pkgs/development/python-modules/pysigma/default.nix
@@ -0,0 +1,66 @@
+{ lib
+, buildPythonPackage
+, fetchFromGitHub
+, fetchpatch
+, poetry-core
+, pyparsing
+, pytestCheckHook
+, pythonOlder
+, pyyaml
+}:
+
+buildPythonPackage rec {
+ pname = "pysigma";
+ version = "0.3.2";
+ format = "pyproject";
+
+ disabled = pythonOlder "3.8";
+
+ src = fetchFromGitHub {
+ owner = "SigmaHQ";
+ repo = "pySigma";
+ rev = "v${version}";
+ hash = "sha256-V/E2rZqVrk0kIvk+hPhNcAifhMM/rN3mk3pB+CGd43w=";
+ };
+
+ nativeBuildInputs = [
+ poetry-core
+ ];
+
+ propagatedBuildInputs = [
+ pyparsing
+ pyyaml
+ ];
+
+ checkInputs = [
+ pytestCheckHook
+ ];
+
+ patches = [
+ # Switch to poetry-core, https://github.com/SigmaHQ/pySigma/pull/31
+ (fetchpatch {
+ name = "switch-to-poetry-core.patch";
+ url = "https://github.com/SigmaHQ/pySigma/commit/b7a852d18852007da90c2ec35bff347c97b36f07.patch";
+ sha256 = "sha256-zgg8Bsc37W2uuQluFpIZT4jHCQaitY2ZgS93Wk6Hxt0=";
+ })
+ ];
+
+ postPatch = ''
+ # https://github.com/SigmaHQ/pySigma/issues/32
+ # https://github.com/SigmaHQ/pySigma/issues/33
+ substituteInPlace pyproject.toml \
+ --replace 'pyparsing = "^2.4.7"' 'pyparsing = "*"' \
+ --replace 'pyyaml = "^5.3.1"' 'pyyaml = "*"'
+ '';
+
+ pythonImportsCheck = [
+ "sigma"
+ ];
+
+ meta = with lib; {
+ description = "Library to parse and convert Sigma rules into queries";
+ homepage = "https://github.com/SigmaHQ/pySigma";
+ license = with licenses; [ lgpl21Only ];
+ maintainers = with maintainers; [ fab ];
+ };
+}
diff --git a/pkgs/tools/security/sigma-cli/default.nix b/pkgs/tools/security/sigma-cli/default.nix
new file mode 100644
index 000000000000..3bf4e7889124
--- /dev/null
+++ b/pkgs/tools/security/sigma-cli/default.nix
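Review bot: The `postPatch` block widens upstream's `pyparsing ^2.4.7` and `pyyaml ^5.3.1` pins to `*`, which means the package is built against whatever majors nixpkgs ships, and the only thing guarding that upstream actually works on those majors is the pytest run above it; the two issue links say where the request was made but not why it is safe, so I would replace the bare links with `# Upstream pins pyparsing 2.x / pyyaml 5.x (issues #32, #33); nixpkgs ships newer majors and the test suite is what validates the relaxed pins.` One security-flavoured caveat worth checking when widening the pyyaml range: pySigma's whole input surface is YAML rule files, frequently pulled from third-party rule repositories, so the relaxation is only harmless if upstream loads rules with `yaml.safe_load` rather than `yaml.load` — that is not visible from this diff and belongs to an upstream review, not to this expression. Style point: `fetchpatch` uses `sha256 =` while `fetchFromGitHub` three lines up uses `hash =`; both accept the SRI string, so `hash = "sha256-zgg8…";` keeps the file consistent.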
@@ -0,0 +1,50 @@
+{ lib
+, fetchFromGitHub
+, python3
+}:
+
+python3.pkgs.buildPythonApplication rec {
+ pname = "sigma-cli";
+ version = "0.3.0";
+ format = "pyproject";
+
+ src = fetchFromGitHub {
+ owner = "SigmaHQ";
+ repo = pname;
+ rev = "v${version}";
+ hash = "sha256-Nfd78Y35naDTzwodcdvJr/02CptcHxS717VGsR/QOuI=";
+ };
+
+ nativeBuildInputs = with python3.pkgs; [
+ poetry-core
+ ];
+
+ propagatedBuildInputs = with python3.pkgs; [
+ click
+ prettytable
+ pysigma
+ pysigma-backend-splunk
+ pysigma-pipeline-crowdstrike
+ pysigma-pipeline-sysmon
+ ];
+
+ checkInputs = with python3.pkgs; [
+ pytestCheckHook
+ ];
+
+ postPatch = ''
+ substituteInPlace pyproject.toml \
+ --replace 'prettytable = "^3.1.1"' 'prettytable = "*"'
+ '';
+
+ pythonImportsCheck = [
+ "sigma.cli"
+ ];
+
+ meta = with lib; {
+ description = "Sigma command line interface";
+ homepage = "https://github.com/SigmaHQ/sigma-cli";
+ license = with licenses; [ lgpl21Plus ];
+ maintainers = with maintainers; [ fab ];
+ };
+}
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 7e9352cd86b4..da76e3eb9c6f 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -9839,6 +9839,8 @@ with pkgs;
 slither-analyzer = with python3Packages; toPythonApplication slither-analyzer;
+ sigma-cli = callPackage ../tools/security/sigma-cli { };
+
 signify = callPackage ../tools/security/signify { }; # aka., pgp-tools
diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix
index 57c8e10d0b49..25bab7f31af6 100644
--- a/pkgs/top-level/python-packages.nix
+++ b/pkgs/top-level/python-packages.nix
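Review bot: `license = with licenses; [ lgpl21Plus ];` in `meta` disagrees with the `lgpl21Only` declared for pysigma and its three plugins earlier in this same commit; all five repositories are SigmaHQ projects, so one side is likely mis-recorded and the LICENSE file in each tag should be checked before merging, because wrong license metadata is exactly what downstream compliance tooling consumes. The `postPatch` that relaxes `prettytable = "^3.1.1"` to `*` has no explanation, unlike the pysigma one; a one-line `# nixpkgs' prettytable is outside upstream's caret range` (or the actual reason) would stop the next updater from deleting it. Note too that the propagated `pysigma-backend-*` and `pysigma-pipeline-*` inputs are what give the CLI its converters, so adding a future backend package without listing it here silently ships a CLI that cannot target it — hedged, since how sigma-cli discovers plugins is not visible in this diff.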
@@ -7649,6 +7649,14 @@ in {
 pysideTools = callPackage ../development/python-modules/pyside/tools.nix { };
+ pysigma = callPackage ../development/python-modules/pysigma { };
+
+ pysigma-backend-splunk = callPackage ../development/python-modules/pysigma-backend-splunk { };
+
+ pysigma-pipeline-crowdstrike = callPackage ../development/python-modules/pysigma-pipeline-crowdstrike { };
+
+ pysigma-pipeline-sysmon = callPackage ../development/python-modules/pysigma-pipeline-sysmon { };
+
 pysignalclirestapi = callPackage ../development/python-modules/pysignalclirestapi { };
 pysigset = callPackage ../development/python-modules/pysigset { };