Threat Detection with SIGMA Rules

Threat Detection with SIGMA Rules

June 17, 2020
Profile Icon

Jason Franscisco

Incident Response is the action that you take to restore the ability to deliver organization business service. It is also known as IT incident, computer incident, or security incident. The main objective of the Incident Response is to handle the situation in a way that restricts damage and reduces recovery time and costs. An organization uses the incident response to respond and manage the cyber-attacks.

Collaborative Incidence Response and Recovery

Source: researchgate.net


  1. Incident Detection is more difficult:
    Incident Response occurs in many different ways, which makes their identification more difficult. Like an un-authorized access to the resources of sensitive data, discrepancies in outgoing network traffic, configuration alterations and many other incidents go unnoticed.
  2. Threats are more complex and difficult to understand and analyze
    Incident response requires a vast range of skills, which include static and dynamic malware analysis, reverse engineering skills and forensic knowledge. In current situation, organizations are facing problem in finding the right experienced analyst, who can perform these complex operations.
  3. Alerts & incident volumes continue to increase steadily every year.
    On an average, every organization receives nearly 17000 alerts in a week, but most of the companies do not spend much time investigating these alerts. Many organizations also face challenges to optimize and prioritize the alerts.

The security teams detect these threats in real-time, manages incident response and performs forensic investigation at various points on the network.

SIEM solutions like ArcSight and Splunk enable analysts to gain a wide understanding of threats in their environment. This enables them to optimize the triage and remediation. Also speeds up the detection thus reducing the incident response time.

SIGMA is an open standard platform which defines the detections. It enables the re-use and sharing of analytics across various organizations.


Sigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner for SIEM system. This format is very flexible, easy to write and applicable to any type of log file.


Source: owasp.org


  • Sigma supports several SIEM tools like Elasticsearch, IBM QRadar and Splunk. It is intended to handle log files similar to Snort which is for network traffic and YARA for files.
  • It enables analytics to re-use and share across the organizations.
  • High level generic language for analytics
  • The most reliable method such as solving logging signature problem
  • Plain text YAML files
  • Easy Schema

Supported Formats:  

  • Splunk
  • QRadar
  • ArcSight
  • Elasticsearch (Elastalert, Query strings, DSL, Watcher, & Kibana)
  • Logpoint

Rule Format:

These rules specify detection signatures, which describes the searches on log data in generic form.  Each rule specifies a set of conditions that are required to satisfy the detection condition.

Rule Format


The following section explains the component attributes.

  • Title (Attribute: title): A title describes the detection rules.
  • Rule Identification (Attributes: id, related): Globally defined sigma rules that are based on a unique identifier in the id attribute.
  • Description (optional) (Attribute: description): This section, describes about the rule and malicious activity.
  • References (optional) (Attribute: reference): Provides a source of information in order to derive the rule.
  • Author (optional) (Attribute: author): The author of the rule.
  • Log Source (Attribute: logsource): This section describes the log source definition from the sigma rule.

It further contains 3 types of attributes that are discussed in the below section.

  • Product: Describes the product to match all the rules.
  • Service:  It should be restricted to events where the field names are set to the product logs.
  • Category:  This attribute allows you to select all log files that belongs to group of products.
  • Detection (Attribute: detection):  In this section, the search values in specific fields of log data are listed in selections.
  • Condition (Attribute: condition):  These selections are linked in a condition.
  • Level (Attribute: level):  It describes the severity of matches, may be used for filtering the rules.

Generating SIGMA rule for CVE-2009-3898

Vulnerability Analysis:

Nginx is vulnerable to “Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal”). Nginx is a web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache. Nginx before 0.7.63 and 0.8.x before 0.8.17, allows directory traversal and does not properly validate the directory traversal characters (../), an attacker can use these characters to move or copy files to different destination. Nginx enables WebDAV component that has permission to use the COPY and MOVE methods. This attack requires WebDAV “upload” permission.

We have downloaded the required version from here.

Now let's get back to the detection through log analysis and below is the access log from the vulnerable version of 0.7.16. - - [20/May/2020:10:03:54 +0530] "COPY /index.html HTTP/1.1" 204 0 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0" - - [20/May/2020:11:59:16 +0530] "MOVE /index.html HTTP/1.1" 204 0 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0" 

And the error log from the fixed version of 0.7.17  

  2020/05/20 13:51:31 [error] 18762#0: *5 client sent invalid "Destination" header:
"http://localhost/../var/www/abc.html", client:, server: localhost, request: "COPY /index.html HTTP/1.1", host: "localhost" 

2020/05/20 13:52:59 [error] 18762#0: *6 client sent invalid "Destination" header: "http://localhost/../var/www/abc.html", client:, server: localhost, request: "MOVE /index.html HTTP/1.1", host: "localhost" 

From the above fixed and vulnerable logs, we can conclude the detection patterns as follows.

  • In this vulnerable section, the request does contain "COPY" or "MOVE" methods with 204 response code.  
  • In this fixed section, the error log contains following message. 'client sent invalid "Destination" header'

This is the key phase where the analysts can find difficulty to define the customized rules for any SIEM tools. Each SIEM products contain different signatures, so a generic signature needs to be written as a common rule for any SIEM tool. In such cases, we can use Sigma to define the rules for both fixed and vulnerable detection as a single pattern.

We have written the Sigma rules based on our above detection. Here, in our research, we will use the Sigma format to describe the detection in the YAML file.

Sigma Rule for CVE-2009-3898

  title: CVE-2009-3898 Exploitation Attempt
id: cf98b0cf-0b0c-4af6-bd28-6cefabd58cf8
status: experimental
description: Detects the exploit attempt for Path Traversal Vulnerability
  - https://www.exploit-db.com/exploits/9829
author: Loginsoft Research unit
date: 2020/05/27
  product: nginx
  category: webserver
    sc-status: 204
      - 'COPY'
      - 'MOVE'
    c-uri: '*index.html'
    - 'client sent invalid "Destination" header'
  condition: selection or keywords
  - Unknown
level: medium

After writing the Sigma rule, we can use either uncoder or Sigmac to convert from the sigma rule to any other SIEM tool format.

  • uncoder is an open-source tool for SIEM search query language conversion.
  • Sigmac is a python command-line tool that performs the conversion from sigma rule to the target SIEM format.

In this section, we have used the uncoder tool and converted the rule from Sigma to Splunk query as below.

Splunk Query for CVE-2009-3898  

  ((sourcetype="nginx:plus:access" uri_path="*index.html" status="204" (http_method="COPY" OR http_method="MOVE")) OR (sourcetype="nginx:plus:error" "client sent invalid "Destination" header")) 

Upon executing the above query, we will get the following the results.

Splunk Query

Challenges in Rule Conversion

  • Usage of different field names
    Field name mapping from sigma rule to SIEM specific names.  
  • Rules refer to subsets of values which are environment-specific
    Use place holders

How is SIGMA useful in Incident Response?

Currently, there is a lack of a standardized description format to define the log format because there are several heterogeneous environments. SIGMA renders the rules into the queries that can be transformed into the equivalent rule for Splunk, ArcSight and many others.

The rule format is very flexible, easy to write and applicable to any type of log file. The main objective of SIGMA is to provide a free structured form in which developers or analysts can describe their detection methods and make it sharable.

Explore Cybersecurity Platforms

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim in eros.

Learn more
white arrow pointing top right

About Loginsoft

For over 20 years, leading companies in Telecom, Cybersecurity, Healthcare, Banking, New Media, and more have come to rely on Loginsoft as a trusted resource for technology talent. From startups, to product and enterprises rely on our services. Whether Onsite, Offsite, or Offshore, we deliver. With a track record of successful partnerships with leading technology companies globally, and specifically in the past 6 years with Cybersecurity product companies, Loginsoft offers a comprehensive range of security offerings, including Software Supply Chain, Vulnerability Management, Threat Intelligence, Cloud Security, Cybersecurity Platform Integrations, creating content packs for Cloud SIEM, Logs onboarding and more. Our commitment to innovation and expertise has positioned us as a trusted player in the cybersecurity space. Loginsoft continues to provide traditional IT services which include Software development & Support, QA automation, Data Science & AI, etc.

Expertise in Integrations with Threat Intelligence and Security Products: Built more than 250+ integrations with leading TIP, SIEM, SOAR, and Ticketing Platforms such as Cortex XSOAR, Anomali, ThreatQ, Splunk, IBM QRadar & Resilient, Microsoft Azure Sentinel, ServiceNow, Swimlane, Siemplify, MISP, Maltego, Cryptocurrency Digital Exchange Platforms, CISCO, Datadog, Symantec, Carbonblack, F5, Fortinet, and so on. Loginsoft is a partner with industry leading technology vendors Palo Alto, Splunk, Elastic, IBM Security, etc.

In addition, Loginsoft offers Research as a service: We're more than just experts in cybersecurity; we're your accredited in-house research team focused on unraveling the complexities of cybersecurity and future technologies. From Application Security to Threat Research, our seasoned professionals have cultivated expertise in every facet of the field. We've earned the trust of over 20 security platform companies, who count on our research and analysis to strengthen their cybersecurity solutions.

Interested to learn more? Let’s start a conversation.

Book a meeting


Latest Articles

Get practical solutions to real-world challenges, straight from experts who conquered them.

View all our articles

Sign up to our Newsletter