@FrankHassanabad
Created January 13, 2020 20:18
Converts rules from JSON to YAML and to TOML and back again
#!/bin/sh
# Download yj from:
# https://github.com/sclevine/yj/releases
# such as wget https://github.com/sclevine/yj/releases/download/v4.0.0/yj-macos
#
# Then chmod 755 ./yj-macos and this script (./yj-wrapper.sh).
# Go to your pre-packaged rules directory and run this:
# ./yj-wrapper.sh
set -eu
rm -rf ./yml ./toml ./json_compare
mkdir -p yml toml json_compare/yml json_compare/toml
for f in *.json ; do
  base=$(basename -- "$f" .json)
  # Key-sorted copy of the original JSON, used as the baseline for the compare below
  jq -S . "$f" > "./json_compare/$f"
  # -jy: JSON -> YAML, -jt: JSON -> TOML
  ./yj-macos -jy < "$f" > "yml/$base.yml"
  ./yj-macos -jt < "$f" > "toml/$base.toml"
done
# Ensure everything is the same or we will not be able to return back to where we were.
# This is just a check where we re-convert everything back to JSON and then compare
# with sorted JSON keys.
for f in *.json ; do
  base=$(basename -- "$f" .json)
  ./yj-macos -yj < "yml/$base.yml" | jq -S . > "./json_compare/yml/$f"
  ./yj-macos -tj < "toml/$base.toml" | jq -S . > "./json_compare/toml/$f"
done
# TOML has no null value, so this is not a direct 1-1 mapping: you should see a few
# diffs around null-valued keys if you do a cat diff-notes.txt
# (diff exits 1 when files differ, so do not let set -e abort on it)
diff ./json_compare ./json_compare/toml > diff-notes.txt || true
rm -rf ./json_compare
@FrankHassanabad
Author

Diff output will look like this:

diff ./json_compare/command_shell_started_by_internet_explorer.json ./json_compare/toml/command_shell_started_by_internet_explorer.json
10d9
< "alias": null,
35d33
< "alias": null,
diff ./json_compare/command_shell_started_by_powershell.json ./json_compare/toml/command_shell_started_by_powershell.json
10d9
< "alias": null,
35d33
< "alias": null,
diff ./json_compare/command_shell_started_by_svchost.json ./json_compare/toml/command_shell_started_by_svchost.json
10d9
< "alias": null,
35d33
< "alias": null,
diff ./json_compare/linux_hping_activity.json ./json_compare/toml/linux_hping_activity.json
10d9
< "alias": null,
35d33
< "alias": null,
diff ./json_compare/linux_iodine_activity.json ./json_compare/toml/linux_iodine_activity.json
10d9
< "alias": null,
35d33
< "alias": null,
diff ./json_compare/linux_java_process_connecting_to_the_internet.json ./json_compare/toml/linux_java_process_connecting_to_the_internet.json
10d9
< "alias": null,
35d33
< "alias": null,
60d57
< "alias": null,
85d81
< "alias": null,
diff ./json_compare/linux_kernel_module_activity.json ./json_compare/toml/linux_kernel_module_activity.json
10d9
< "alias": null,
35d33
< "alias": null,
diff ./json_compare/linux_mknod_activity.json ./json_compare/toml/linux_mknod_activity.json
10d9
< "alias": null,
35d33
< "alias": null,
diff ./json_compare/linux_netcat_network_connection.json ./json_compare/toml/linux_netcat_network_connection.json
10d9
< "alias": null,
35d33
< "alias": null,
60d57
< "alias": null,
diff ./json_compare/linux_nmap_activity.json ./json_compare/toml/linux_nmap_activity.json
10d9
< "alias": null,
35d33
< "alias": null,
diff ./json_compare/linux_nping_activity.json ./json_compare/toml/linux_nping_activity.json
10d9
< "alias": null,
35d33
< "alias": null,
diff ./json_compare/linux_process_started_in_temp_directory.json ./json_compare/toml/linux_process_started_in_temp_directory.json
10d9
< "alias": null,
35d33
< "alias": null,
diff ./json_compare/linux_ptrace_activity.json ./json_compare/toml/linux_ptrace_activity.json
10d9
< "alias": null,
diff ./json_compare/linux_rawshark_activity.json ./json_compare/toml/linux_rawshark_activity.json
10d9
< "alias": null,
35d33
< "alias": null,
diff ./json_compare/linux_strace_activity.json ./json_compare/toml/linux_strace_activity.json
10d9
< "alias": null,
35d33
< "alias": null,
diff ./json_compare/linux_tcpdump_activity.json ./json_compare/toml/linux_tcpdump_activity.json
10d9
< "alias": null,
diff ./json_compare/linux_unusual_shell_activity.json ./json_compare/toml/linux_unusual_shell_activity.json
10d9
< "alias": null,
35d33
< "alias": null,
60d57
< "alias": null,
diff ./json_compare/linux_web_download.json ./json_compare/toml/linux_web_download.json
10d9
< "alias": null,
diff ./json_compare/linux_whoami_commmand.json ./json_compare/toml/linux_whoami_commmand.json
10d9
< "alias": null,
35d33
< "alias": null,
diff ./json_compare/powershell_network_connection.json ./json_compare/toml/powershell_network_connection.json
10d9
< "alias": null,
35d33
< "alias": null,
diff ./json_compare/process_started_by_acrobat_reader_possible_payload.json ./json_compare/toml/process_started_by_acrobat_reader_possible_payload.json
10d9
< "alias": null,
diff ./json_compare/process_started_by_ms_office_program_possible_payload.json ./json_compare/toml/process_started_by_ms_office_program_possible_payload.json
10d9
< "alias": null,
diff ./json_compare/search_windows_10.json ./json_compare/toml/search_windows_10.json
10d9
< "alias": null,
34d32
< "alias": null,
diff ./json_compare/suspicious_process_started_by_a_script.json ./json_compare/toml/suspicious_process_started_by_a_script.json
10d9
< "alias": null,
Only in ./json_compare: toml
diff ./json_compare/windows_image_load_from_a_temp_directory.json ./json_compare/toml/windows_image_load_from_a_temp_directory.json
10d9
< "alias": null,
diff ./json_compare/windows_mimikatz_activity.json ./json_compare/toml/windows_mimikatz_activity.json
10d9
< "alias": null,
diff ./json_compare/windows_net_command_activity_by_the_system_account.json ./json_compare/toml/windows_net_command_activity_by_the_system_account.json
10d9
< "alias": null,
diff ./json_compare/windows_net_user_command_activity.json ./json_compare/toml/windows_net_user_command_activity.json
10d9
< "alias": null,
diff ./json_compare/windows_netcat_activity.json ./json_compare/toml/windows_netcat_activity.json
10d9
< "alias": null,
diff ./json_compare/windows_netcat_network_activity.json ./json_compare/toml/windows_netcat_network_activity.json
10d9
< "alias": null,
diff ./json_compare/windows_nmap_activity.json ./json_compare/toml/windows_nmap_activity.json
10d9
< "alias": null,
diff ./json_compare/windows_nmap_scan_activity.json ./json_compare/toml/windows_nmap_scan_activity.json
10d9
< "alias": null,
diff ./json_compare/windows_process_started_by_the_java_runtime.json ./json_compare/toml/windows_process_started_by_the_java_runtime.json
10d9
< "alias": null,
diff ./json_compare/windows_whoami_command_activity.json ./json_compare/toml/windows_whoami_command_activity.json
10d9
< "alias": null,
Only in ./json_compare: yml
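The diff above has to be read by eye to confirm that every hunk is a dropped `"alias": null`. The following is an added example, not part of the gist, that automates that reading: it compares the original rule JSON with the re-converted JSON and classifies each difference as an expected null drop (TOML cannot encode null) or a real change. The sample rule is constructed, and `drop_nulls` only simulates what the TOML leg does to nulls; with real files, point the script at a file under `json_compare/` and its twin under `json_compare/toml/`.

```python
import json
import sys

# Constructed sample rule (not a real prepackaged rule): the "alias": null
# entries mirror what the gist's diff output shows being dropped.
SAMPLE_RULE = {
    "rule_id": "constructed-example",
    "risk_score": 50,
    "filters": [
        {"alias": None, "query": "process.name:nc"},
        {"alias": None, "query": "process.name:ncat"},
    ],
}

def drop_nulls(doc):
    """Simulate the lossy leg: TOML has no null, so null-valued keys vanish."""
    if isinstance(doc, dict):
        return {k: drop_nulls(v) for k, v in doc.items() if v is not None}
    if isinstance(doc, list):
        return [drop_nulls(v) for v in doc]
    return doc

def classify(original, roundtripped, path="$"):
    """Return (lossless_except_nulls, diffs); each diff is (json path, kind), where
    kind is 'null-dropped' (expected with TOML) or 'changed' (a real loss)."""
    diffs = []
    if isinstance(original, dict) and isinstance(roundtripped, dict):
        for key in sorted(set(original) | set(roundtripped)):
            child = f"{path}.{key}"
            if key not in roundtripped:
                kind = "null-dropped" if original[key] is None else "changed"
                diffs.append((child, kind))
            elif key not in original:
                diffs.append((child, "changed"))
            else:
                diffs += classify(original[key], roundtripped[key], child)[1]
    elif isinstance(original, list) and isinstance(roundtripped, list) \
            and len(original) == len(roundtripped):
        for i, (a, b) in enumerate(zip(original, roundtripped)):
            diffs += classify(a, b, f"{path}[{i}]")[1]
    elif type(original) is not type(roundtripped) or original != roundtripped:
        diffs.append((path, "changed"))  # covers scalars, type changes, list length
    return all(kind == "null-dropped" for _, kind in diffs), diffs

if __name__ == "__main__":  # usage: check.py json_compare/X.json json_compare/toml/X.json
    with open(sys.argv[1]) as a, open(sys.argv[2]) as b:
        ok, diffs = classify(json.load(a), json.load(b))
    print("\n".join(f"{kind:12} {path}" for path, kind in diffs))
    sys.exit(0 if ok else 1)
```

A non-zero exit means something other than a null was lost, which is the case that would silently corrupt a rule on the way back.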