Sigma Rulezzz

Evren Pazoğlu
4 min read · Oct 6, 2019
An Article About Cons and Pros of the Sigma Rules.

Intro

In this post, I want to summarize the pros and cons of Sigma, which is used with SIEM and LM (log management) tools. If you don't know much about Sigma, you should first read the official GitHub page for more information [1].

Problem Definition

Before explaining what Sigma is, I must first explain why we need it and how this need arose.

  • Threat hunters and cybersecurity analysts need to analyze logs and log patterns to find known or unknown threats.
  • There are many different SIEM and LM solutions and vendors on the market, and none of them use the same or even a similar working mechanism.
  • Generally, SIEM and LM solutions cannot export rules, filters, and searches. Even when a solution does have an export feature for rules and filters, it does not work properly, and engineers have to write these rules and filters again and again.
  • Sharing, copying/pasting or converting filters, rules, and searches between products of the same vendor is generally problematic, and between different vendors it is impossible.
  • In the MSSP world, engineers generally manage different kinds of products (and vendors), so they have to write rules, filters, and searches for every instance.

What Are Sigma Rules

Sigma was created by Florian Roth, and version 0.1 was published on GitHub on Dec 9, 2017. On its official GitHub page, Sigma is defined as follows: "Sigma is for log files what Snort is for network traffic and YARA is for files." [1] Sigma uses a simple YAML configuration file to describe the specific patterns to detect in raw logs, and Sigma calls these files Sigma Rules, just as YARA and Snort have their own rules. With Sigma Rules, we can detect almost any pattern in any stored log.

What Are The Benefits

Because Sigma uses cleartext, human-readable, easy-to-understand YAML files, developing and sharing filters, rules, and searches is easy. Filters, rules, and searches that are written once can be used whenever you need them, which means they are reusable. If you manage more than one product and work on several projects, the reusability of Sigma rules saves time. And, as we all know, time is money.

Due to these sharing and development capabilities, Sigma's popularity is increasing day by day, and Sigma rules are used in both community and commercial projects.

Who Can Use Sigma Rules

Sigma rules can be used in SOC, MSSP and security teams by

  • Threat hunters
  • Cybersecurity analysts
  • Blue team members
  • SOC staff

How Can We Use It

We can use Sigma Rules for two different purposes: one is developing and sharing rules, and the other is using them in a SIEM production environment.

For developing and sharing purposes, you can write down rules and share them on any platform you like. It can be any wiki platform, git platform or even a digital notepad.

You can use your own Sigma rules, community-created rules or commercial rules in SIEM and LM products. All you need to do is convert the Sigma rules to your product's rule type. You can convert Sigma rules with the Sigmac tool, which is also part of the project. Sigmac is a command-line tool developed in Python; you can download, install and use it on any OS that supports Python. There are also free online Sigma writing and translation editors on the internet [4]. Sigmac now supports commercial products like ArcSight, Splunk, QRadar, etc. and community-driven ELK-based products.
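As an added illustration of the rule format described above and of the kind of translation a converter such as Sigmac performs: this is a constructed toy converter, not sigmac's own code, and the Splunk-style output syntax, the field names and the rule contents are assumptions.

```python
import re

# Constructed rule: the parsed form of a minimal Sigma YAML rule, written as a
# Python dict so the example runs without a YAML library. Keys such as
# "Image|endswith" use Sigma's field|modifier syntax; a list value means "any of".
RULE = {
    "title": "Encoded PowerShell command line (constructed example)",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-enc ", "-EncodedCommand"],
        },
        "filter": {"User": "SYSTEM"},
        "condition": "selection and not filter",
    },
}

# Wildcard placement for the Sigma value modifiers this toy converter handles.
MODIFIERS = {"": "{}", "contains": "*{}*", "startswith": "{}*", "endswith": "*{}"}


def render_value(field, modifier, value):
    """Render one field/value pair as a Splunk-style term such as User="SYSTEM"."""
    if modifier not in MODIFIERS:
        raise ValueError("unsupported modifier: " + modifier)
    return '{}="{}"'.format(field, MODIFIERS[modifier].format(value))


def render_selection(selection):
    """Keys in one selection are ANDed; a list value matches any of its items (OR)."""
    terms = []
    for key, value in selection.items():
        field, _, modifier = key.partition("|")
        values = value if isinstance(value, list) else [value]
        rendered = [render_value(field, modifier, str(v)) for v in values]
        terms.append(rendered[0] if len(rendered) == 1 else "(" + " OR ".join(rendered) + ")")
    return terms[0] if len(terms) == 1 else "(" + " AND ".join(terms) + ")"


def convert(rule):
    """Expand each selection name in the condition; and/or/not and parentheses stay."""
    detection = rule["detection"]
    def expand(match):
        word = match.group(0)
        if word in ("and", "or", "not"):
            return word.upper()
        if word not in detection:
            raise ValueError("unsupported condition token: " + word)
        return render_selection(detection[word])
    return re.sub(r"\w+", expand, detection["condition"])
```

Aggregation conditions such as "1 of them" and modifiers like regular expressions are deliberately rejected rather than silently mistranslated; this is exactly where the article's "you may need to tune the converted rule" warning applies.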

When Does It Fail?

Sigma is a generic SIEM filter and rule development language; it is beautiful, easy to use, elastic and scalable, but it also has some disadvantages. I have listed these disadvantages below.

  • If the time window is greater than a month, search performance will decrease dramatically, because keeping raw logs needs huge storage and finding the exact phrase in such a huge volume of logs needs enormous CPU, RAM, and disk I/O.
  • Even though Sigma has a conversion tool (Sigmac), it doesn't work perfectly and does not support all vendors. After the conversion process, you may need to tune the filters and rules in the product interface.
  • To make an analogy, Sigma rules are similar to anti-virus signatures. So if the number of Sigma rules used as alerts increases, performance problems will probably occur, as mentioned before.
  • Generally, Sigma rules are written for specific use cases, and if you want to detect a known threat you have to write a lot of rules, and these rules may not be usable in other use cases.

Thoughts About The Future of Sigma

Sigma is a very useful project, but some points need to be improved. Even though Sigma rules have many configurable parameters, these parameters are tied only to logs and specific log fields. With this approach, only filter- and search-based alerts can be created. If you want to create correlations, Sigma Rules are insufficient and don't meet these advanced needs. I think new versions of Sigma will cover these requirements and new, more complex parameters are going to be added. With these improvements, the Sigma project will allow us to develop simple and advanced correlations.

References

[1] https://github.com/Neo23x0/sigma

[2] https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1544043890.pdf

[3] https://www.owasp.org/images/a/a8/GOD17-Sigma.pdf

[4] https://uncoder.io
