
[sigmac] [splunk] Unescaped . in query

Open phantinuss opened this issue 3 years ago • 6 comments

Hi,

I think .s should be escaped in Splunk searches.

I create a query:

sigmac -t splunk -c tools/config/splunk-windows.yml rules/windows/process_creation/proc_creation_win_commandline_path_traversal.yml
((((ParentCommandLine="*cmd*" ParentCommandLine="*/c*" CommandLine="*/../../*")) NOT (((CommandLine="*\\Tasktop\\keycloak\\bin\\/../../jre\\bin\\java*")))))

and paste it into Splunk and start the search, and the dots are removed: [screenshot of the Splunk search bar]

When I escape the dots with \ the query seems to be functional.

phantinuss avatar Sep 30 '22 08:09 phantinuss

Or maybe the / is the character which has to be escaped?

phantinuss avatar Sep 30 '22 08:09 phantinuss

Just verified here, same behavior. Agreed, this must be fixed.

thomaspatzke avatar Sep 30 '22 08:09 thomaspatzke

Find this https://research.splunk.com/application/dfe55688-82ed-4d24-a21b-ed8f0e0fda99/ search "\/..\/..\/..\/..\/..\/..\/..\/..\/..\/"

frack113 avatar Oct 01 '22 14:10 frack113

There is no mention of the dot or forward slash as characters that need to be escaped in an SPL search query. See here

[screenshot of the Splunk documentation page on escaping in search strings]

nasbench avatar Dec 31 '22 19:12 nasbench

As you can see in the screenshot of the first post it is an issue, documented or not. And the solution to escape / will work at least in all the cases I tested. Adding an unneeded but valid escape shouldn't break things. And in some cases (see first screenshot) it is needed.

phantinuss avatar Jan 09 '23 09:01 phantinuss

Seems to have disappeared in Splunk 9.x.

thomaspatzke avatar Jan 18 '23 13:01 thomaspatzke
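As an added example (not pySigma-backend-splunk's own code), the Python below shows how a Sigma-to-SPL backend can render quoted string values with the workaround proposed in this thread: backslashes and double quotes are always escaped, `*` is passed through as a wildcard, and `/` is optionally written as `\/`. With `escape_slash=False` the inner strings match the `sigmac` output quoted in the first post; with the default the path-traversal value becomes `*\/..\/..\/*`, the form also used by the research.splunk.com search frack113 linked. The function and field names are this example's own, and the assumption that Splunk accepts the redundant `\/` escape rests only on the observations reported above (the last comment notes the behaviour is no longer reproducible on Splunk 9.x, so the flag defaults to the conservative choice only for illustration).

```python
# Added example: escaping Sigma string values for Splunk SPL double-quoted strings.
# Illustrative code, not the pySigma-backend-splunk implementation.

# Characters that must always be escaped inside an SPL double-quoted string.
SPL_ALWAYS_ESCAPE = {
    "\\": "\\\\",   # literal backslash is doubled
    '"': '\\"',     # embedded double quote
}


def escape_splunk_value(value: str, escape_slash: bool = True) -> str:
    """Escape a literal search value for use inside SPL double quotes.

    `*` is left untouched so Sigma wildcards stay Splunk wildcards.
    With escape_slash=True, `/` becomes `\\/`, the workaround discussed in the
    issue (assumption: Splunk tolerates this redundant escape, as the
    research.splunk.com content does).
    """
    out = []
    for ch in value:
        if ch in SPL_ALWAYS_ESCAPE:
            out.append(SPL_ALWAYS_ESCAPE[ch])
        elif ch == "/" and escape_slash:
            out.append("\\/")
        else:
            out.append(ch)
    return "".join(out)


def unescape_splunk_value(escaped: str) -> str:
    """Inverse of escape_splunk_value under the usual reader rule
    'a backslash escapes the next character'. Included to show why an
    unneeded but valid escape such as \\/ round-trips harmlessly (assumption)."""
    out, i = [], 0
    while i < len(escaped):
        if escaped[i] == "\\" and i + 1 < len(escaped):
            out.append(escaped[i + 1])
            i += 2
        else:
            out.append(escaped[i])
            i += 1
    return "".join(out)


def render_condition(field: str, value: str, escape_slash: bool = True) -> str:
    """Render one field="value" SPL term."""
    return f'{field}="{escape_splunk_value(value, escape_slash)}"'


def render_path_traversal_query(escape_slash: bool = True) -> str:
    """Render the selection and filter of the rule from the issue
    (proc_creation_win_commandline_path_traversal), values taken from the
    sigmac output quoted in the first post, parentheses simplified."""
    selection = " ".join([
        render_condition("ParentCommandLine", "*cmd*", escape_slash),
        render_condition("ParentCommandLine", "*/c*", escape_slash),
        render_condition("CommandLine", "*/../../*", escape_slash),
    ])
    # Unescaped filter value: *\Tasktop\keycloak\bin\/../../jre\bin\java*
    filter_value = r"*\Tasktop\keycloak\bin\/../../jre\bin\java*"
    filt = render_condition("CommandLine", filter_value, escape_slash)
    return f"({selection}) NOT ({filt})"


if __name__ == "__main__":
    print("without slash escaping:", render_path_traversal_query(escape_slash=False))
    print("with slash escaping:   ", render_path_traversal_query())
```

Running the block prints both renderings side by side; the first reproduces the string terms of the `sigmac` output in the issue, the second is what the proposed fix would emit.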