Comments (10)
@thomaspatzke thanks for the clarification and background on the history of the feature
Rule writers seem to like it and a goal of Sigma is to make rule-writing convenient, so I think it's better to live with this beast 😉
💯 at the end of the day real-world usage is what we're here for
Your Python solution's neat. I think the same technique will work for sigma-go too
Hi @bradleyjkemp! I'm one of the Sigma maintainers, initiated pySigma/sigmatools and want to clarify this.
Unfortunately, the Sigma specification is indeed inconsistent regarding this feature: the list section only specifies the usage of strings, while the section about maps defines the expected behavior:
Lists of maps are joined with a logical 'OR'. All elements of a map are joined with a logical 'AND'.
Sorry for the confusion! I will fix the spec.
The implementation in pySigma was a bit tricky. I solved this as follows:
- A SigmaDetection object represents a detection definition or a map.
- A SigmaDetectionItem object represents a key-value item in a map or a plain value.
- The list of detection_items in the SigmaDetection class can contain SigmaDetectionItem as well as SigmaDetection objects. The latter is used for lists of maps.
- Obviously, both cases must be considered everywhere where detection_items are touched.
Perhaps this helps a bit to implement this in sigma-go.
By the way, I personally don't really like this feature because it adds some complexity to each Sigma implementation. I had the deep desire to drop this completely while writing pySigma and sometimes before. But as @veramine pointed out, the usage is quite prevalent. Rule writers seem to like it and a goal of Sigma is to make rule-writing convenient, so I think it's better to live with this beast 😉 And sometimes it was also useful for implementation of features.
You're the BEST! Thanks so much!!! ❤️
Error I think is coming from here: https://github.com/bradleyjkemp/sigma-go/blob/main/rule_parser.go#L88
Thanks for raising this, this is a very interesting case!
According to the text specification, a detection can either be:
- A list of string keywords
- A map of fieldnames to values
This is backed up by the yaml schema:
```yaml
detection:
  # ... omitted for brevity
  rest:
    type: //any
    of:
      - type: //arr
        contents: //str
      - type: //map
        values:
          type: //any
          of:
            - type: //str
            - type: //arr
              contents: //str
              length:
                min: 2
```
However, it's reasonable to argue that sigmac should be the source of truth for what's a valid rule, not the text specification 🙂
Unfortunately, I'm not sure how easily this could be supported in sigma-go. I'm also unsure it's a good feature to support. Your example can trivially be rewritten as:
```yaml
baddetect:
  CommandLine|contains:
    - 'apple'
    - 'banana'
```
And more complex examples can be split out into e.g.
```yaml
baddetect-1:
  CommandLine|contains: 'apple'
baddetect-2:
  CommandLine|contains: 'banana'
```
with a condition using (any of baddetect-*)
So for now, I'm inclined to intentionally not support this case (unless in future we find a compelling example where a list of maps really is the best way to write a rule)?
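As an added illustration (not code from sigma-go or pySigma), here is a small Go evaluator for the two shapes thomaspatzke describes, applied to the "baddetect" example above: a detection decoded into the generic types a YAML decoder yields, where map items are AND-ed and list elements are OR-ed, so a list of maps and its single-map rewrite match the same events. Modifier handling (only `contains`, everything else treated as equality) and the sample detection are assumptions made for the example.

```go
package main

import "strings"

// itemMatches evaluates one "field|modifier: value(s)" map item; a list of values
// is OR-ed. Only `contains` is modelled, anything else means equality (assumption).
func itemMatches(ev map[string]string, key string, value interface{}) bool {
	field, modifier, _ := strings.Cut(key, "|")
	actual, present := ev[field]
	if !present {
		return false
	}
	values, isList := value.([]interface{})
	if !isList {
		values = []interface{}{value}
	}
	for _, v := range values {
		if w, ok := v.(string); ok && (actual == w || modifier == "contains" && strings.Contains(actual, w)) {
			return true
		}
	}
	return false
}

// Matches evaluates a decoded detection in the shape a YAML decoder yields it:
// all items of a map must hold (AND); a list holds if any element holds (OR).
func Matches(ev map[string]string, detection interface{}) bool {
	switch d := detection.(type) {
	case map[string]interface{}:
		for key, value := range d {
			if !itemMatches(ev, key, value) {
				return false
			}
		}
		return true
	case []interface{}:
		for _, elem := range d {
			if Matches(ev, elem) {
				return true
			}
		}
	}
	return false
}

// ListOfMaps is the thread's "baddetect" as a list of maps (constructed sample).
var ListOfMaps = []interface{}{
	map[string]interface{}{"CommandLine|contains": "apple"},
	map[string]interface{}{"CommandLine|contains": "banana"},
}
```

Keyword strings inside a list are not modelled and simply never match, so the evaluator covers only the map and list-of-maps cases discussed here.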
Hey @bradleyjkemp, no worries, it's your library, and I do agree with your points. From my perspective I view any rules in the official Sigma repo (that are there on purpose and not accidentally broken, etc.) as the source of truth for both how people should/will write Sigma rules, and how people should/will want to consume them.
But I agree there are straightforward workarounds, and I'm only using your (awesome) library in a personal project, so feel free to close this issue :-)
Hey @bradleyjkemp, I've started evaluating your library in an attempt to add sigma search capability to our collection of collected endpoint data. It works great for sample data but I ran into this same issue when testing against real-world sigma rules. This format of detection specification via list of maps seems quite common. Here were the first 50 examples I found where the rules could not be parsed due to this issue. There are hundreds or thousands more from the published sigma rule repo. Any chance we can put in a vote to enable this support? I'd be happy to take a crack at implementing it myself if you are open to supporting it. Thanks!
🤔 @veramine would you mind opening a PR in the main Sigma repo to clarify what the semantics are for this?
I assume the conditions would be OR-ed together but I'm not keen to implement this until it's actually in the spec (better to be incomplete than incompatible)
Yep, I'll report back here when the spec is clarified, thanks!
Just updated the spec, please check if this is now described more clearly.