Lucene Rule Generation Quotation Mark Issue #36

Closed
LucaKuechler opened this issue Nov 2, 2023 · 3 comments
@LucaKuechler

When a selection item contains a blank space, the Lucene rule will be
surrounded by quotation marks, which seems like an invalid syntax.

Description

I tried converting this rule by using the command below:

```yaml
title: Xmrig
status: experimental
description: Detect Xmrig
references:
  - https://google.com
author: unknown
date: 2023/08/16
modified: 2023/08/16
tags:
  - attack.placeholder
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    CommandLine|contains:
      - 'cn/half --cpu-priority'
      - '--cpu-priority 1'
  condition: selection
level: critical
```

```shell
sigma convert -t lucene -p ecs_windows rule.yml
```

The generated rule looked like this:

```
process.command_line:("*cn\/half\ \-\-cpu\-priority*" OR "*\-\-cpu\-priority\ 1*")
```

My expectation would be to not have those quotation marks. It should look like:

```
process.command_line:(*cn\/half\ \-\-cpu\-priority* OR *\-\-cpu\-priority\ 1*)
```

I tested both versions inside my local Elasticsearch instance and the one with quotation marks didn't show any results. This is due to the nature of the Lucene query language, which interprets the quotation marks as normal characters. This behavior is also mentioned inside their documentation.

Environment

  • Elasticsearch Version: 8
  • pySigma-backend-elasticsearch Version: 1.0.9
  • Python Version: 3.10

Possible Fix

  • When I change the variable `str_quote: ClassVar[str] = '"'` to `str_quote: ClassVar[str] = ''` then it works. But not sure if it breaks other things.
@Securityinbits

This one is similar to issue #28.

@Koen1999
Contributor

> Possible Fix
>
> * When I change the variable `str_quote: ClassVar[str] = '"'` to `str_quote: ClassVar[str] = ''` then it works. But not sure if it breaks other things.

I can confirm this would break at least one thing. Specifically, matching against the empty string would result in a malformed Lucene query. (field:)
Please check out PR #43 for a different solution that mitigates this problem.

@andurin
Collaborator

andurin commented Jan 29, 2024

Result after #43:

```shell
$ sigma convert -t lucene -p ecs_windows rule.yml
process.command_line.keyword:(*cn\/half\ \-\-cpu\-priority* OR *\-\-cpu\-priority\ 1*)
```

As long as your index mapping contains the command_line.keyword field, the query looks good to me.

@andurin andurin self-assigned this Jan 29, 2024
@andurin andurin closed this as completed Jul 12, 2024
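The following is an added example, not code from pySigma-backend-elasticsearch or from anyone in this thread. It shows the rendering rule the issue asks for: a Sigma string value is emitted as an unquoted Lucene term when it contains a wildcard (so `*` and `?` stay live), and is double-quoted only when it carries no wildcard, which also keeps the empty-string case from Koen1999's comment well-formed (`field:""` rather than `field:`). The set of escaped characters, the helper names and the sample values are assumptions modelled on the output shown above; they are not the backend's actual implementation.

```python
"""Added example (not pySigma-backend-elasticsearch code): render Sigma
string values as Lucene query_string terms, quoting only wildcard-free
values. Escaping rules are an assumption modelled on the output in the
issue, not the backend's own logic."""
from typing import List, Optional

# Characters with special meaning in Lucene query_string syntax (assumed
# list). Space is included because an unquoted space terminates a term.
LUCENE_SPECIALS = set('+-=&|><!(){}[]^"~*?:\\/ ')
WILDCARDS = "*?"


def escape_wildcard_term(pattern: str) -> str:
    """Backslash-escape Lucene specials but leave * and ? unescaped so they
    keep their wildcard meaning."""
    return "".join(
        "\\" + ch if ch in LUCENE_SPECIALS and ch not in WILDCARDS else ch
        for ch in pattern
    )


def escape_phrase(value: str) -> str:
    """Inside double quotes only the backslash and the quote itself need
    escaping (assumption: the phrase is passed to the field's analyzer)."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def lucene_value(value: str, modifier: Optional[str] = None) -> str:
    """Render one Sigma string value, with an optional modifier, as a Lucene term.

    Plain Sigma strings may already carry * and ? wildcards, so the wildcard
    check is done on the final pattern, not only on the modifier."""
    if modifier == "contains":
        pattern = f"*{value}*"
    elif modifier == "startswith":
        pattern = f"{value}*"
    elif modifier == "endswith":
        pattern = f"*{value}"
    elif modifier is None:
        pattern = value
    else:
        raise ValueError(f"unsupported modifier: {modifier}")

    if any(ch in pattern for ch in WILDCARDS):
        # Unquoted: a quoted "*x*" would be a phrase query in which the
        # asterisks are literal characters, which is exactly the bug reported.
        return escape_wildcard_term(pattern)
    # No wildcard: quote. This is what keeps str_quote = '' from being a safe
    # fix, because an empty value must still produce field:"" and not field:.
    return f'"{escape_phrase(pattern)}"'


def build_query(field: str, values: List[str], modifier: Optional[str] = None) -> str:
    """Combine the values of one Sigma selection item with OR, as the
    backend does for a list under a single field."""
    terms = [lucene_value(v, modifier) for v in values]
    if len(terms) == 1:
        return f"{field}:{terms[0]}"
    return f"{field}:({' OR '.join(terms)})"


if __name__ == "__main__":
    # Constructed input: the selection item from the issue's rule.
    print(build_query("process.command_line.keyword",
                      ["cn/half --cpu-priority", "--cpu-priority 1"],
                      "contains"))
    # Constructed edge case: the empty string Koen1999 points out.
    print(build_query("process.command_line.keyword", [""]))
```

As andurin's comment notes, the unquoted wildcard form only matches when it targets a keyword field: on an analyzed `text` field a wildcard term is matched against individual tokens, so a pattern containing an escaped space can never match, whereas on `process.command_line.keyword` it is compared against the whole stored value.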