PyPI - txt2detection - Versions diffs - 1.1.1__tar.gz → 1.1.2__tar.gz - Mend

txt2detection 1.1.1tar.gz → 1.1.2tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of txt2detection might be problematic. Click here for more details.

Files changed (64) hide show

{txt2detection-1.1.1 → txt2detection-1.1.2}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: txt2detection
-Version: 1.1.1
+Version: 1.1.2
 Summary: A command line tool that takes a txt file containing threat intelligence and turns it into a detection rule.
 Project-URL: Homepage, https://github.com/muchdogesec/txt2detection
 Project-URL: Issues, https://github.com/muchdogesec/txt2detection/issues

{txt2detection-1.1.1 → txt2detection-1.1.2}/docs/README.md RENAMED Viewed

@@ -13,6 +13,7 @@ https://raw.githubusercontent.com/muchdogesec/stix4doge/refs/heads/main/objects/
 Because we use custom properties in the Indicator object, we also import an Extension Definition object into all bundles
 https://raw.githubusercontent.com/muchdogesec/stix2extensions/refs/heads/main/extension-definitions/properties/indicator-sigma_rule.json
+https://raw.githubusercontent.com/muchdogesec/stix2extensions/refs/heads/main/extension-definitions/scos/data-source.json
 ### AI creation mode

{txt2detection-1.1.1 → txt2detection-1.1.2}/pyproject.toml RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 [project]
 name = "txt2detection"
-version = "1.1.1"
+version = "1.1.2"
 authors = [{ name = "dogesec" }]
 maintainers = [{ name = "dogesec" }]
 description = "A command line tool that takes a txt file containing threat intelligence and turns it into a detection rule."

{txt2detection-1.1.1 → txt2detection-1.1.2}/tests/files/sigma-rule-master.yml RENAMED Viewed

@@ -20,6 +20,7 @@ tags:
     - attack.t1025
     - attack.command-and-control
     - attack.credential_access # not sigma spec format, but still supported
+    - cve.2025-12325
     - attack.t1661 # will fail is mobile
     - custom.tag
 logsource:

{txt2detection-1.1.1 → txt2detection-1.1.2}/tests/manual-tests/input-file-mode.md RENAMED Viewed

@@ -6,7 +6,7 @@
 python3 txt2detection.py file \
   --input_file tests/files/CVE-2024-56520.txt \
   --name "Check TLP" \
-  --ai_provider openai:gpt-4o \
+  --ai_provider openai:gpt-5 \
   --tlp_level red \
   --report_id e91a49ba-f935-4844-8b37-0d5e963f0683
 ```
@@ -19,7 +19,7 @@ Should fail because no namespace
 python3 txt2detection.py file \
   --input_file tests/files/CVE-2024-56520.txt \
   --name "Check bad labels" \
-  --ai_provider openai:gpt-4o \
+  --ai_provider openai:gpt-5 \
   --labels "label1","label_2" \
   --report_id 139d8b41-c5c8-48fa-aa25-39a54dfa1227
 ```
@@ -30,7 +30,7 @@ Should pass
 python3 txt2detection.py file \
   --input_file tests/files/CVE-2024-56520.txt \
   --name "Check labels" \
-  --ai_provider openai:gpt-4o \
+  --ai_provider openai:gpt-5 \
   --labels "namespace.label1" "namespace.label_2" \
   --report_id a3731edf-e834-43d2-95b8-e03f37bde9ba
 ```
@@ -43,7 +43,7 @@ Should fail because disallowed tag
 python3 txt2detection.py file \
   --input_file tests/files/CVE-2024-56520.txt \
   --name "Disallowed tag" \
-  --ai_provider openai:gpt-4o \
+  --ai_provider openai:gpt-5 \
   --labels "tlp.red" \
   --report_id a6f2aaff-4e33-4280-bb01-ab1bd3b95362
 ```
@@ -54,7 +54,7 @@ Should have cve tag and matching vulnerability object
 python3 txt2detection.py file \
   --input_file tests/files/CVE-2024-56520.txt \
   --name "CVE tags" \
-  --ai_provider openai:gpt-4o \
+  --ai_provider openai:gpt-5 \
   --labels "cve.2025-3593" \
   --report_id fab3707e-00fc-4f35-9d6d-e72dc0b6ba08
 ```
@@ -65,7 +65,7 @@ Should have attack tags and matching attack pattern and x-mitre-tactic objects
 python3 txt2detection.py file \
   --input_file tests/files/CVE-2024-56520.txt \
   --name "ATT&CK tags tag" \
-  --ai_provider openai:gpt-4o \
+  --ai_provider openai:gpt-5 \
   --labels "attack.t1071.001" "attack.command-and-control" \
   --report_id 940e8807-381e-41df-a27e-08914bafd93c
 ```
@@ -76,7 +76,7 @@ python3 txt2detection.py file \
 python3 txt2detection.py file \
   --input_file tests/files/CVE-2024-56520.txt \
   --name "Check custom identity" \
-  --ai_provider openai:gpt-4o \
+  --ai_provider openai:gpt-5 \
   --use_identity '{"type":"identity","spec_version":"2.1","id":"identity--8ef05850-cb0d-51f7-80be-50e4376dbe63","created_by_ref":"identity--9779a2db-f98c-5f4b-8d08-8ee04e02dbb5","created":"2020-01-01T00:00:00.000Z","modified":"2020-01-01T00:00:00.000Z","name":"siemrules","description":"https://github.com/muchdogesec/siemrules","identity_class":"system","sectors":["technology"],"contact_information":"https://www.dogesec.com/contact/","object_marking_refs":["marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487","marking-definition--97ba4e8b-04f6-57e8-8f6e-3a0f0a7dc0fb"]}' \
   --report_id f6f5bcb9-095f-47fb-b286-92b6a2aee221
 ```
@@ -87,7 +87,7 @@ python3 txt2detection.py file \
 python3 txt2detection.py file \
   --input_file tests/files/CVE-2024-56520.txt \
   --name "Check created by time" \
-  --ai_provider openai:gpt-4o \
+  --ai_provider openai:gpt-5 \
   --created 2010-01-01T00:00:00 \
   --report_id 17ea21d3-a73d-44ec-bb12-eb1d34890027
 ```
@@ -99,7 +99,7 @@ python3 txt2detection.py file \
   --input_file tests/files/CVE-2024-56520.txt \
   --name "External references" \
   --external_refs txt2stix=demo1 source=id \
-  --ai_provider openai:gpt-4o \
+  --ai_provider openai:gpt-5 \
   --report_id 79be13c7-15dd-4b66-a29a-8161fca77877
 ```
@@ -110,7 +110,7 @@ python3 txt2detection.py file \
   --input_file tests/files/CVE-2024-56520.txt \
   --name "Reference URLs" \
   --reference_urls "https://www.google.com/" "https://www.facebook.com/" \
-  --ai_provider openai:gpt-4o \
+  --ai_provider openai:gpt-5 \
   --report_id a9928bf1-b0ab-4748-8ab8-47eb7a34ca80
 ```
@@ -120,19 +120,17 @@ python3 txt2detection.py file \
 python3 txt2detection.py file \
   --input_file tests/files/CVE-2024-56520.txt \
   --name "Check Vulmatch / CTI Butler" \
-  --ai_provider openai:gpt-4o \
+  --ai_provider openai:gpt-5 \
   --report_id 9c78f6e4-4955-4c48-91f0-c669f744b44e
 ```
 ## Check license
 ```shell
 python3 txt2detection.py file \
   --input_file tests/files/CVE-2024-56520.txt \
   --name "Check license" \
-  --ai_provider openai:gpt-4o \
+  --ai_provider openai:gpt-5 \
   --license MIT \
   --report_id e37506ca-b3e4-45b8-8205-77b815b88d7f
 ```
@@ -143,6 +141,6 @@ python3 txt2detection.py file \
 python3 txt2detection.py file \
   --input_file tests/files/observables.txt \
   --name "Check observables" \
-  --ai_provider openai:gpt-4o \
+  --ai_provider openai:gpt-5 \
   --report_id 4aa5924b-2081-42ed-9934-ebf200427302
 ```

{txt2detection-1.1.1 → txt2detection-1.1.2}/tests/manual-tests/input-sigma-mode.md RENAMED Viewed

@@ -9,7 +9,6 @@ python3 txt2detection.py sigma \
   --sigma_file tests/files/sigma-rule-master.yml \
   --name "Complete Sigma Rule" \
   --create_attack_navigator_layer \
-  --ai_provider openai:gpt-5 \
   --report_id a18e76d1-f152-4b87-a552-d46f41afd637
 ```
@@ -21,14 +20,21 @@ Check that derived is created (original rule id is 1667a172-ed4c-463c-9969-efd92
 python3 txt2detection.py sigma \
   --sigma_file tests/files/sigma-rule-master.yml \
   --name "Complete Sigma Rule" \
-  --create_attack_navigator_layer \
-  --ai_provider openai:gpt-5
+  --create_attack_navigator_layer
 ```
 Check that derived is created (original rule id is 1667a172-ed4c-463c-9969-efd92195319a). Rule id generation (and report) is random. This happens because we can't be sure all id's in Rules uploaded will conform to UUIDv4 RFC.
 ### Check required properties CLI overide
+```shell
+python3 txt2detection.py sigma \
+  --sigma_file tests/files/sigma-rule-no-title.yml \
+  --report_id 272daf95-2790-4fd5-9ca6-ee8cef08315d
+```
+Should fail.
 ```shell
 python3 txt2detection.py sigma \
   --sigma_file tests/files/sigma-rule-no-title.yml \
@@ -49,23 +55,6 @@ python3 txt2detection.py sigma \
   --report_id 655f0689-5209-4ad5-a6de-3f198c696060
 ```
-## Bad test cases
-### No title
-```shell
-python3 txt2detection.py sigma \
-  --sigma_file tests/files/sigma-rule-no-title.yml \
-  --name "No title"
-```
-Title, but report name is override by CLI input
 ## Check dates
 No `date` or `modified` (expect script run time used in rule AND STIX objects)
@@ -166,7 +155,7 @@ python3 txt2detection.py sigma \
   --report_id 599f43dc-ecaf-421c-ae01-ba8b2d705756
 ```
-No TLP
+No TLP (will default to clear)
 ```shell
 python3 txt2detection.py sigma \
@@ -300,8 +289,6 @@ python3 txt2detection.py sigma \
   --report_id d2d01afa-dc55-4a80-8d62-15d154450112
 ```
 ## Attack Navigator
 ### Enterprise
@@ -311,9 +298,5 @@ python3 txt2detection.py sigma \
   --sigma_file tests/files/sigma-rule-attack-enterprise.yml \
   --name "Attack Navigator Enterprise" \
   --report_id a18e76d1-f152-4b87-a552-d46f41afd637 \
-  --create_attack_navigator_layer \
-  --ai_provider openai:gpt-5 \
+  --create_attack_navigator_layer
 ```
-### Mobile / ICS

{txt2detection-1.1.1 → txt2detection-1.1.2}/tests/manual-tests/input-text-mode.md RENAMED Viewed

@@ -4,19 +4,18 @@ Basic input
 ```shell
 python3 txt2detection.py text \
-  --input_text "a rule detecting suspicious logins on windows systems and another deteting suspicious logins on unix systems" \
+  --input_text "a rule detecting suspicious logins on windows systems" \
   --name "Testing input txt" \
   --ai_provider openai:gpt-5 \
   --create_attack_navigator_layer \
   --report_id ca20d4a1-e40d-47a9-a454-1324beff4727
 ```
-## Write multiple rules
+## Write multiple rules and tag them with ATT&CK/CVE tags
 ```shell
 python3 txt2detection.py text \
-  --input_text "Write rule to detect 1.1.1.1.\n Write a second rule to detect google.com." \
+  --input_text "Write rule to detect 1.1.1.1.\n Write a second rule to detect google.com. The rule detects CVE-2021-1675 and the ATT&CK Technique T1566" \
   --name "Multi rule" \
   --ai_provider openai:gpt-5 \
   --create_attack_navigator_layer \

{txt2detection-1.1.1 → txt2detection-1.1.2}/txt2detection/ai_extractor/prompts.py RENAMED Viewed

@@ -18,7 +18,7 @@ Return the result as a **JSON output**, ensuring that each dictionary represents
 - `"title"`: A concise, descriptive title for the rule.
 - `"description"`: A summary of the rule, explaining its purpose and detection logic.
 - `"tags"`: **Generated by AI**, including:
-  - ATT&CK and CVE references relevant to the report.
+  - ATT&CK Technique IDs, ATT&CK Sub-technique IDs and CVE IDs relevant to the report.
 - `"falsepositives"`: Please describe situations where this detection rule might trigger false positive detections. Put each situation description as a new list item
 - `"logsources"`: Valid sigma rule logsource
 - `"detection"`: Valid sigma rule detection

txt2detection-1.1.1/tests/files/sigma-rule-attack-flow.yml DELETED Viewed

@@ -1,25 +0,0 @@
-title: Attack Flow demo
-id: 7894eba6-b0e5-48d9-be52-26bf5a556e45
-status: test
-description: Build an Attack Flow from a Sigma Rule
-references:
-    - https://www.dogesec.com
-author: dogesec
-date: 2020-01-01
-modified: 2020-01-02
-tags:
-    - tlp.clear
-    - attack.t1547
-    - attack.t1671
-    - attack.t1025
-logsource:
-    product: okta
-    service: okta
-detection:
-    selection:
-        eventtype:
-            - policy.lifecycle.update
-            - policy.lifecycle.delete
-    condition: selection
-level: low
-license: MIT