Sync upstream features; preserve fork KV scanner, parsers, verifier

Brought in 35 upstream commits (MITRE heatmap, health score, dependency map, PowerQuery playground, onboarding tracker, product grouping, modern UI redesign). Preserved fork additions: backend/routers/quality.py KV scanner, pattern refs, JS keys, JSON mode, /parsers + /sync-from-sdl endpoints parsers/ 96 OCSF + tenant parsers tools/stormshield-verify/ end-to-end ingest regression test .gitignore un-ignored parsers/* CHANGES.md, PATCHES.md
2026-06-08 12:33:51 +00:00 · 2026-05-22 18:19:52 +02:00
parent a7ebcac9a6
commit 7c1687efce
102 changed files with 13912 additions and 178 deletions
@@ -0,0 +1,152 @@
+{
+  // Linux syslog/auditd parser — OCSF v1.3.0
+  attributes: {
+    "metadata.version":             "1.3.0",
+    "metadata.product.vendor_name": "Linux",
+    "metadata.product.name":        "Linux OS",
+    "metadata.log_provider":        "syslog",
+    "Category":               "host",
+    "dataSource.vendor":      "Linux",
+    "dataSource.name":        "Linux OS",
+    "dataSource.category":    "host",
+    "category_uid":           1,
+    "category_name":          "System Activity",
+    "class_uid":              1001,
+    "class_name":             "File System Activity",
+    "activity_id":            0,
+    "activity_name":          "Unknown",
+    "type_uid":               100100,
+    "status_id":              1,
+    "status":                 "Success",
+    "severity_id":            1,
+    "severity":               "Informational"
+  },
+
+  patterns: {
+    ipv4:   "\\d+\\.\\d+\\.\\d+\\.\\d+",
+    word:   "\\S+",
+    rest:   ".*",
+    creds:  "(mimikatz|hashdump|secretsdump|kerbrute)",
+    revshell: ".*socket\\.socket.*"
+  },
+
+  formats: [
+    // SSH failed authentication
+    {
+      id: "ssh_failed",
+      attributes: {
+        class_uid: 2004, class_name: "Detection Finding",
+        category_uid: 2, category_name: "Findings",
+        activity_id: 1, activity_name: "Create",
+        type_uid: 200401,
+        finding_title: "Linux SSH Authentication Failure",
+        severity_id: 4, severity: "High",
+        disposition_id: 2, disposition: "Blocked"
+      },
+      format: ".*Failed password for $user_name=word$ from $src_ip=ipv4$ port $src_port=word$.*",
+      halt: true
+    },
+
+    // SSH successful authentication
+    {
+      id: "ssh_success",
+      attributes: {
+        class_uid: 3002, class_name: "Authentication",
+        category_uid: 3, category_name: "IAM",
+        activity_id: 1, activity_name: "Logon",
+        type_uid: 300201,
+        status_id: 1, status: "Success"
+      },
+      format: ".*Accepted password for $user_name=word$ from $src_ip=ipv4$ port $src_port=word$.*",
+      halt: true
+    },
+
+    // sudo NOT in sudoers (priv-esc attempt)
+    {
+      id: "sudo_not_in_sudoers",
+      attributes: {
+        class_uid: 2004, class_name: "Detection Finding",
+        category_uid: 2, category_name: "Findings",
+        activity_id: 1, activity_name: "Create",
+        type_uid: 200401,
+        finding_title: "Linux Sudo Not In Sudoers",
+        severity_id: 5, severity: "Critical",
+        disposition_id: 2, disposition: "Blocked"
+      },
+      format: ".*sudo: $user_name=word$ : user NOT in sudoers ; TTY=$tty=word$ ; PWD=$pwd=word$ ; USER=$target_user=word$ ; COMMAND=$process_cmd_line=rest$",
+      halt: true
+    },
+
+    // useradd — new user account created
+    {
+      id: "useradd",
+      attributes: {
+        class_uid: 3001, class_name: "Account Change",
+        category_uid: 3, category_name: "IAM",
+        activity_id: 1, activity_name: "Create",
+        type_uid: 300101,
+        finding_title: "Linux New User Account Created",
+        severity_id: 4, severity: "High"
+      },
+      format: ".*useradd\\[$pid=word$\\]: new user: name=$new_user=word$, UID=$uid=word$, GID=$gid=word$.*",
+      halt: true
+    },
+
+    // Mimikatz / credential dumping signatures
+    {
+      id: "credential_dump",
+      attributes: {
+        class_uid: 2004, class_name: "Detection Finding",
+        category_uid: 2, category_name: "Findings",
+        type_uid: 200401,
+        finding_title: "Linux Credential Dumping Tool",
+        severity_id: 5, severity: "Critical",
+        disposition_id: 2, disposition: "Blocked"
+      },
+      format: ".*$tool=creds$.*",
+      halt: true
+    },
+
+    // Reverse shell (python -c socket)
+    {
+      id: "reverse_shell",
+      attributes: {
+        class_uid: 2004, class_name: "Detection Finding",
+        category_uid: 2, category_name: "Findings",
+        type_uid: 200401,
+        finding_title: "Linux Reverse Shell Execution",
+        severity_id: 5, severity: "Critical",
+        disposition_id: 2, disposition: "Blocked"
+      },
+      format: ".*python$ver=word$ -c $cmd=revshell$.*",
+      halt: true
+    },
+
+    // Generic auditd EXECVE
+    {
+      id: "auditd_execve",
+      attributes: {
+        class_uid: 1007, class_name: "Process Activity",
+        category_uid: 1, category_name: "System Activity",
+        activity_id: 1, activity_name: "Launch",
+        type_uid: 100701
+      },
+      format: ".*auditd\\[$pid=word$\\]: EXECVE argc=$argc=word$ a0=\"$process_name=word$\" $cmdline=rest$",
+      halt: true
+    },
+
+    // Cron job executed (suspicious if from /tmp/.hidden)
+    {
+      id: "cron_suspicious",
+      attributes: {
+        class_uid: 2004, class_name: "Detection Finding",
+        category_uid: 2, category_name: "Findings",
+        type_uid: 200401,
+        finding_title: "Linux Suspicious Cron Job",
+        severity_id: 4, severity: "High"
+      },
+      format: ".*cron\\[$pid=word$\\]: \\($cron_user=word$\\) CMD \\($cron_cmd=rest$\\)",
+      halt: true
+    }
+  ]
+}