Escaping of chars in rule supplied regular expressions #2409
Comments
Hello,

Unfortunately, this would only shift the problem towards the querystring backend. The problematic rules from my post above would indeed work, but those rules that have an escape character in place, e.g. a (additional downside is that one would also lose the aggregation feature)

I'd say I'm no fan of these regex rules either.
Hello! I've got an issue with a couple of rules and wanted to get an opinion on whether these are bugs in the rules, need improvement in the backend, or in general what your advice may be on how to deal with it.

My problem is that some rules provide pre-supplied regular expressions in `field|re` conditions that - when generated with the Elastic DSL backend - throw errors on the Elastic side. The source of the issue seems to be the escaping of characters that may be valid characters to be used in a regular expression, but are reserved special characters in a DSL and thus would need escaping.

I have found a few rules in which this poses a problem. For example:

`sigma/rules/windows/builtin/security/win_invoke_obfuscation_via_stdin_services_security.yml`, line 25 in a502f31

This rule's regex has two problems: the `{` and the `"` towards the end of the string. Both trigger an error when parsed in an Elastic query.

The question now is: is this a bug in the rule, and the escaping should be done in the rule? Or should this be done in the respective backend? I think one would favor the second option since each backend can have different reserved, DSL-specific characters. So regex escaping should be in the rule, and the backend should apply the escaping of the backend-specific chars.

I'm just openly asking what is preferred because I've found multiple rules that do indeed escape such characters; for example, the following one contains the escaped `\"` at the end of the string:

`sigma/rules/windows/builtin/security/win_invoke_obfuscation_var_services_security.yml`, line 25 in a502f31

(This rule by the way has another issue that triggers an ES error: the `|` in position 28 of the regex should either be escaped to serve as a literal, or have an option following it.)

Here is a list of rules that I found are affected by the escaping issue:

Note: I've only checked the Windows rules
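The two layers the post separates (regex-level escaping belongs in the rule, DSL-level escaping belongs in the backend), as an added Python example that is not part of this issue or of the sigma project's own code. It has a linter for the two rule-side defects named above (a `{` that does not start a quantifier, and a `|` with an empty alternative) and a backend-side step that escapes the characters Lucene regexp syntax reserves but PCRE-style engines treat as literals, then serialises the DSL body with `json.dumps` so the JSON string layer is escaped correctly; a naive string-template rendering is kept beside it to show the failure mode. The sample patterns are constructed, the set of Lucene-only operators assumes the regexp query's default flags, and the function names are mine.

```python
import json
import re

# Characters that Lucene regexp syntax (Elasticsearch's regexp query) treats
# as operators but that PCRE-style engines treat as plain literals. Assumption:
# default query flags, which enable the optional operators # @ & < > ~.
LUCENE_ONLY_OPERATORS = set('"#@&<>~')

# A PCRE quantifier: {n}, {n,} or {n,m}
_QUANTIFIER = re.compile(r'\{\d+(,\d*)?\}')


def lint_pattern(pattern: str) -> list:
    """Rule-side check: report constructs Elasticsearch rejects even though a
    PCRE engine may accept them: a '{' that is not a quantifier, and a '|'
    with an empty alternative on either side."""
    issues = []
    i = 0
    prev = None                      # previous unescaped char ('lit' if escaped)
    while i < len(pattern):
        c = pattern[i]
        if c == '\\':                # an escaped char is always a literal
            prev = 'lit'
            i += 2
            continue
        if c == '{' and not _QUANTIFIER.match(pattern, i):
            issues.append(f"literal '{{' at index {i} must be escaped as '\\{{'")
        if c == '|':
            nxt = pattern[i + 1] if i + 1 < len(pattern) else None
            if prev in (None, '(', '|') or nxt in (None, ')', '|'):
                issues.append(f"'|' at index {i} has an empty alternative")
        prev = c
        i += 1
    return issues


def escape_for_lucene(pattern: str) -> str:
    """Backend-side step: escape the characters that are literals in the
    rule's regex but operators in Lucene, keeping the rule's own escapes."""
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == '\\' and i + 1 < len(pattern):
            out.append(pattern[i:i + 2])   # already escaped by the rule author
            i += 2
            continue
        out.append('\\' + c if c in LUCENE_ONLY_OPERATORS else c)
        i += 1
    return ''.join(out)


def render_regexp_query(field: str, pattern: str) -> str:
    """Build the DSL body via json.dumps, so the JSON layer escapes '"' and
    '\\' itself after the regex layer has been handled by escape_for_lucene."""
    body = {"query": {"regexp": {field: {"value": escape_for_lucene(pattern)}}}}
    return json.dumps(body)


def render_naive(field: str, pattern: str) -> str:
    """The failure mode from the issue: splicing the raw regex into a JSON
    template, so an unescaped '"' ends the JSON string early."""
    return '{"query": {"regexp": {"%s": {"value": "%s"}}}}' % (field, pattern)


def is_valid_json(text: str) -> bool:
    try:
        json.loads(text)
        return True
    except json.JSONDecodeError:
        return False


if __name__ == "__main__":
    # Constructed patterns mirroring the two defects described in the issue.
    brace_and_quote = r'.*\$ShellId\[13\]\+{.*"'     # bare '{' and a '"'
    empty_alternative = r'.*(&|)\$ShellId\[13\]\+\"'  # '(&|)' has an empty branch
    for pat in (brace_and_quote, empty_alternative):
        print(pat, "->", lint_pattern(pat) or "rule-side regex OK")
        print("  lucene:", escape_for_lucene(pat))
        print("  naive JSON valid:", is_valid_json(render_naive("CommandLine", pat)))
        print("  dumps JSON valid:", is_valid_json(render_regexp_query("CommandLine", pat)))
```

The split matches the position taken in the post: `lint_pattern` only reports the `{` and `|` problems, because fixing them changes the regex's meaning and is the rule author's decision, while `escape_for_lucene` and `json.dumps` handle the characters that are only special because of the target DSL and its transport encoding.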