🖥️
Portfolio
  • About me
  • My Mission
  • License
  • Homelab
    • Server rack
      • Pictures
      • Hardware and software inventory
    • Test range
      • Malware lab
        • Remnux and Flare VM installation
      • Proxmox
        • How to backup VM's in Proxmox
      • Breach and Attack Simulation (BAS)
        • Install MITRE Caldera
        • MITRE Caldera demo
        • Install Atomic Red team
    • SIEM Architecture
      • ELK installation
      • Splunk install and configuration
      • Forwarding Sysmon logs to Splunk
      • Cribl Edge -> Cribl Stream
      • Cribl Edge -> Splunk
      • Cribl -> Amazon S3 bucket
    • Raspberry Pi
      • Cloudflare DDNS
      • OpenVPN on Raspberry Pi
      • Pi-Hole
      • Raspberry Pi project ideas
    • Privacy
  • CTF
    • Machines
      • MongoDB
      • Explosion
      • Lame
      • Preignition
      • Jerry
      • Synced
      • Appointment
      • Blue
      • Sequel
      • Netmon
    • PicoCTF
    • Exploit tool definitions
    • Cheat sheets
      • tmux
      • Linux
  • Cybersecurity
    • Purple team content
      • Detecting Discovery commands
    • Detection As Code (DAC)
      • Sigma CI/CD
      • DAC with Elastic SIEM
    • Use case repositories
    • Frameworks
    • Tools
    • Online resources
      • MITRE
      • Splunk
      • Machine Learning
      • Ethical Hacking
      • Podcasts
      • Threat Reports
      • Detection Engineering articles
  • AI/ML
    • Tools
      • D.I.A.N.A
      • Fabric
      • Run Ollama locally
      • Using Ollama & Fabric to build Sigma rules
    • Custom prompts
      • Lessons Learned
      • Create Sigma rules
  • Scripts
    • Python
      • Elastic DAC pipeline
  • Cloud projects
    • Cloud Resume Challenge - AWS
  • BOOK CLUB
    • Lists
Powered by GitBook
On this page
  1. AI/ML
  2. Tools

Using Ollama & Fabric to build Sigma rules

PreviousRun Ollama locallyNextCustom prompts

Last updated 6 months ago

In this blog we are going to learn how to use an oper source LLM (Ollama) to build SIgma rules. First we will run tests, analyze the logs in Splunk, and run a command to build our sigma from the Splunk raw log we identified.

Step 1: Collect Data

Start by gathering detailed network information from your Windows machine using the following commands:

  1. ipconfig /all This command provides comprehensive details about all network interfaces, including IP addresses, DNS servers, and other configuration settings.

  2. netsh interface show interface Use this command to view the status of network interfaces, including whether they are enabled or disabled and their current state.

  3. arp -a Display the ARP (Address Resolution Protocol) table, which maps IP addresses to MAC addresses on the local network.

  4. nbtstat -n Show the NetBIOS name table for the local computer, which is useful for troubleshooting network name resolution issues.

  5. net config View the configuration of the local network services, including network-related settings.

Step 2: Analyze raw Logs in Splunk

Use the following Splunk search command to view the raw log data:

index=* netsh interface show interface | table _raw

This command searches for logs within the specified index and displays the raw log data in a table format. Copy the raw log data for the next step.

To automate the process of creating Sigma rules, you need to have Fabric installed and configured. Fabric is an automation tool that can streamline various tasks.

Ensure that Ollama is installed. Ollama is used to build Sigma rules from raw log data. Refer to the installation instructions to ensure Ollama is correctly configured on your machine.

Step 5: Create Sigma Rules

With Fabric and Ollama set up, you can now create Sigma rules from your raw log data. Use the following command to process the data and generate Sigma rules:

pbpaste | fabric --pattern create_sigma_rules --model llama3.1:8b --stream

This command performs the following actions:

  • pbpaste: Retrieves the raw log data from your clipboard.

  • fabric --pattern create_sigma_rules: Uses Fabric to process the data and create Sigma rules.

  • --model llama3.1:8b: Specifies the model to be used by Fabric for rule creation.

  • --stream: Indicates that the data should be processed in streaming mode.

After running the command, review the output of the model. You can then copy and paste the generated Sigma rule into your text editor or SIEM (Security Information and Event Management) system of choice.

Step 3: Install and Configure Fabric
Step 4: Install Ollama
Using GPT-4o-Mini