
IPv6 address causes error in CIDR notation

Open · nzedler opened this issue 1 year ago · 1 comment

When using IPv6 CIDR notation, the colons are not escaped, thus creating an ElasticSearch error:

Cannot parse query, cause: Encountered " ":" ": "" at line 1, column 237.
Was expecting one of:
    <BAREOPER> ...
    "(" ...
    "*" ...
    <QUOTED> ...
    <TERM> ...
    <PREFIXTERM> ...
    <WILDTERM> ...
    <REGEXPTERM> ...
    "[" ...
    "{" ...
    <NUMBER> ...

This happens with e.g. the following Sigma syntax:

dst_ip|cidr:
    - '::1/128'

which is translated to dst_ip:::1\/128 instead of dst_ip:\:\:1\/128

Sample sigma rule:

title: Search-ms and WebDAV Suspicious Indicators in URL
id: 5039f3d2-406a-4c1a-9350-7a5a85dc84c2
status: experimental
description: Detects URL pattern used by search(-ms)/WebDAV initial access campaigns.
references:
    - https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html
    - https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462
author: Micah Babinski
date: 2023/08/21
modified: 2023/08/25
tags:
    - attack.initial_access
    - attack.t1584
    - attack.t1566
logsource:
    category: proxy
detection:
    selection_search_ms:
        c-uri|contains|all:
            - 'search' # Matches on search:query= or search-ms:query=
            - ':query='
            - 'webdav'
    selection_search_term:
        c-uri|contains:
            # Note: Add additional keywords for additional coverage
            - 'agreement'
            - 'invoice'
            - 'notice'
            - 'payment'
    filter_main_local_ips:
        dst_ip|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '::1/128'  ###### <- results in error
            - 'fe80::/10'  ###### <- results in error
            - 'fc00::/7'  ###### <- results in error
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

nzedler avatar Feb 26 '24 15:02 nzedler

Hello, the double colons are now correctly escaped after this MR, but single colons in CIDR are not escaped.

Example:

filter_main_local_ips:
        dst_ip|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '::1/128'  ###### <- escaped correctly
            - 'fe80::/10'  ###### <- escaped correctly
            - 'fc00::/7'  ###### <- escaped correctly
            - '2603:1080::/25'  ###### <- results in error

which is translated to dst_ip:2603:1080\:\:\/25 instead of dst_ip:2603\:1080\:\:\/25.

gregorywychowaniec-zt avatar Apr 26 '24 15:04 gregorywychowaniec-zt
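As an added illustration of the escaping rule the two reports above describe (this is not code from pySigma-backend-elasticsearch, and the function names `escape_cidr_value`, `partially_escaped_cidr_value`, `field_cidr_query`, `has_unescaped_colon` and `check_cidr_list` are my own): every `:` and `/` in a CIDR value has to be backslash-escaped before it goes into a Lucene query_string term, because a bare colon is read as the field separator and a bare slash as the start of a regular expression. The second function reproduces the half-fixed behaviour (only `::` escaped), and the checker flags terms that would still trip the parser; the CIDR list is the one from the rule's `filter_main_local_ips` selection. Whether Elasticsearch then matches the escaped CIDR against an `ip` field is a separate question that only a query against a live cluster answers, which is what the connect tests mentioned below cover.

```python
import ipaddress
import re

# Characters in a CIDR string that Lucene's query_string parser treats as syntax:
# ':' separates field from value and '/' opens a regular expression.
# Assumption: escaping them with a backslash is the form the expected output in
# this thread shows (e.g. dst_ip:\:\:1\/128).
LUCENE_CIDR_SPECIALS = ":/"


def escape_cidr_value(cidr: str) -> str:
    """Escape every ':' and '/' in a validated CIDR string (IPv4 or IPv6)."""
    ipaddress.ip_network(cidr, strict=False)  # raises ValueError on malformed input
    return "".join("\\" + ch if ch in LUCENE_CIDR_SPECIALS else ch for ch in cidr)


def partially_escaped_cidr_value(cidr: str) -> str:
    """Reproduce the behaviour reported after the first fix: '::' and '/' are
    escaped, but a lone ':' between hextets is passed through unescaped."""
    return cidr.replace("::", "\\:\\:").replace("/", "\\/")


def field_cidr_query(field: str, cidr: str, escaper=escape_cidr_value) -> str:
    """Build the field:value term shown in the thread, using the given escaper."""
    return f"{field}:{escaper(cidr)}"


def has_unescaped_colon(query: str) -> bool:
    """True if the value part (after the field separator) still contains a ':'
    that is not preceded by a backslash, which is what made Lucene fail with
    'Encountered ":"'."""
    _field, _sep, value = query.partition(":")
    return re.search(r"(?<!\\):", value) is not None


def check_cidr_list(field: str, cidrs):
    """Return the (cidr, query) pairs that would still break the parser under
    the partial escaper; an empty list means every term is safe."""
    broken = []
    for cidr in cidrs:
        query = field_cidr_query(field, cidr, partially_escaped_cidr_value)
        if has_unescaped_colon(query):
            broken.append((cidr, query))
    return broken


if __name__ == "__main__":
    # The CIDR list from the rule's filter_main_local_ips selection, plus the
    # 2603:1080::/25 example from the second report.
    cidrs = ["127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
             "::1/128", "fe80::/10", "fc00::/7", "2603:1080::/25"]
    for cidr in cidrs:
        print(field_cidr_query("dst_ip", cidr))
    print("still broken with partial escaping:", check_cidr_list("dst_ip", cidrs))
```

Running it prints the fully escaped terms for all eight networks and reports only `2603:1080::/25` as still broken under the partial escaper, matching the two reports above.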

I added some more connect tests to also check IPv6 addresses with the cidr modifier. Tests ran fine today without ES errors.

If I'm wrong, please reopen.

andurin avatar Jun 20 '24 10:06 andurin