SigmaHQ · thomaspatzke · Nov 14, 2023 · Nov 14, 2023 · Nov 14, 2023 · Nov 14, 2023
diff --git a/sigma/cli/check.py b/sigma/cli/check.py
@@ -1,14 +1,15 @@
 import pathlib
+from collections import Counter
+from sys import stderr
 from textwrap import fill
+
 import click
-from collections import Counter
 from prettytable import PrettyTable
-from sys import stderr
 
-from sigma.exceptions import SigmaConditionError, SigmaError
 from sigma.cli.rules import load_rules
-from sigma.validation import SigmaValidator
+from sigma.exceptions import SigmaConditionError, SigmaError
 from sigma.plugins import InstalledSigmaPlugins
+from sigma.validation import SigmaValidator
 
 plugins = InstalledSigmaPlugins.autodiscover()
 validators = plugins.validators
@@ -42,25 +43,41 @@
     show_default=True,
     help="Fail on Sigma rule validation issues.",
 )
+@click.option(
+    "--exclude",
+    "-e",
+    default=[],
+    show_default=True,
+    multiple=True,
+    help="List of validators to exclude from the validation. Repeat --exclude for multiple exclusions.",
+)
 @click.argument(
     "input",
     nargs=-1,
     required=True,
     type=click.Path(exists=True, allow_dash=True, path_type=pathlib.Path),
 )
 def check(
-    input,
-    validation_config,
-    file_pattern,
-    fail_on_error,
-    fail_on_issues,
+    input, validation_config, file_pattern, fail_on_error, fail_on_issues, exclude
 ):
     """Check Sigma rules for validity and best practices (not yet implemented)."""
     if (
         validation_config is None
     ):  # no validation config provided, use basic config with all validators
-        rule_validator = SigmaValidator(validators.values())
+        if exclude:
+            click.echo(f"Ignoring these validators: {exclude}")
+        exclude_lower = [excluded.lower() for excluded in exclude]
+        validators_filtered = [
+            validator
+            for validator in validators.values()
+            if validator.__name__.lower() not in exclude_lower
+        ]
+        rule_validator = SigmaValidator(validators_filtered)
     else:
+        if exclude:
+            click.echo(
+                f"A configuration file and the `--exclude` parameter was set, ignoring the `--exclude` parameter."
+            )
         rule_validator = SigmaValidator.from_yaml(validation_config.read(), validators)
 
     try:

diff --git a/tests/files/issues/sigma_rule_with_bad_references.yml b/tests/files/issues/sigma_rule_with_bad_references.yml
@@ -0,0 +1,13 @@
+title: Test rule
+id: 5013332f-8a70-4e04-bcc1-06a911111111
+related:
+  - id: 5013332f-8a70-4e04-bcc1-06a911111112
+    type: Something
+logsource:
+  category: process_creation
+  product: windows
+detection:
+  selection:
+    ParentImage|endswith: '\httpd.exe'
+    Image|endswith: '\cmd.exe'
+  condition: selection
diff --git a/tests/test_check.py b/tests/test_check.py
@@ -1,4 +1,5 @@
 from click.testing import CliRunner
+
 from sigma.cli.check import check
 
 
@@ -63,3 +64,18 @@ def test_check_fail_on_issues():
     result = cli.invoke(check, ["--fail-on-issues", "tests/files/issues"])
     assert result.exit_code == 1
     assert "Validation issue summary" in result.stdout
+
+
+def test_check_exclude():
+    cli = CliRunner()
+    result = cli.invoke(check, ["--fail-on-issues",
+                                "--exclude",
+                                "InvalidRelatedTypeValidator",
+                                "--exclude",
+                                "StatusExistenceValidator",
+                                "--exclude",
+                                "DateExistenceValidator",
+                                "tests/files/issues/sigma_rule_with_bad_references.yml"])
+    assert result.exit_code == 0
+    assert "Ignoring these validators" in result.stdout
+    assert "InvalidRelatedTypeValidator" in result.stdout