sigma icon indicating copy to clipboard operation
sigma copied to clipboard

Published 20 hours ago verified publisher icon SigmaHQ

Regular Expression matching

Open maederm opened this issue 3 years ago • 3 comments

Hi

How does sigma expect regex to be applied to fields? Does the regex need to apply to the whole field? I couldn't find a definition in the spec.

Take for example rules/windows/process_creation/win_regini.yml

        CommandLine|re: ':[^ \\]' # to avoid intersection with ADS rule

If I translate that with sigmac I'll get a query string that requries a full match on the field.

$ tools/sigmac  rules/windows/process_creation/win_regini_ads.yml -c winlogbeat-modules-enabled -t es-qs
(process.executable.keyword:*\\regini.exe AND process.command_line.keyword:/:[^ \\]/)

I propose to define that behavior in the sigma specification and thought of these two possibilities:

Solution A: Sigma Spec defines partial match

If only a partial match is required I can try to make a pull request that would translate it to (process.executable.keyword:*\\regini.exe AND process.command_line.keyword:/.*:[^ \\].*/)

Solution B: Sigma Spec defines full match

If a full field match is required I could make a pull request to rewrite the rule to

        CommandLine|re: '.*:[^ \\].*' # to avoid intersection with ADS rule

Best Regards, maederm

maederm avatar Jun 17 '21 14:06 maederm

Hi, The modifier re check if it is a valid regex and give it to the backend. Not every backend can handle regex. Some have they way to deal with regex :

A way can be to have 2 modifiers:

  • |re (no change)
  • |re_in ( backend add .* or what it is need to work)

frack113 avatar Jul 03 '21 07:07 frack113

A way can be to have 2 modifiers:

* |re       (no change)

* |re_in   ( backend add `.*` or what it is need to work)

@frack113: If I understand you correctly this means the spec should be updated to say that |re must match the whole field, right?

maederm avatar Jul 05 '21 07:07 maederm

currently it is the backend that manages the regex. So the way es-qs manages it is a full match because elactic is fullmatch. Test in Kibana

  • Event.Image:/.*\.exe/ OK
  • Event.Image:/.*\.exe$/ NOK
  • Event.Image:/\.exe/ NOK

My proposal is to clarify this point. So the author specifies in the search his regex is full or partial ,but the backend still has to handle it ... in my mind re_in is like contains perhaps more re_contains

frack113 avatar Jul 05 '21 08:07 frack113