What is the bug?
Sigma rules with "keywords" as a field under the detection section generate broken queries where the field being queried is an index number (0, 1, 2 and so on).
Example:
Possible CVE-2021-1675 Print Spooler Exploitation (a prepackaged rule) has this Sigma detection field:

The query is then translated to this:
((((winlog.event_id: 808) OR (winlog.event_id: 4909)) AND ((winlog.event_data.ErrorCode: "0x45A") OR (winlog.event_data.ErrorCode: "0x7e"))) OR ((_21: "The_ws_print_ws_spooler_ws_failed_ws_to_ws_load_ws_a_ws_plug\-in_ws_module") OR (_22: "MyExploit.dll") OR (_23: "evil.dll") OR (_24: "\\addCube.dll") OR (_25: "\\rev.dll") OR (_26: "\\rev2.dll") OR (_27: "\\main64.dll") OR (_28: "\\mimilib.dll") OR (_29: "\\mimispool.dll"))) AND ((NOT _30: "_ws_registration_ws_timed_ws_out"))
Here the fields from keywords are incremental numbers preceded by _ (this bug happens for multiple rules; I am pulling just one out of sequence here).
The same bug happens when you duplicate this standard rule with slightly different results.
The YAML for the rule after duplication is changed to this:

Which is reflected in the GUI like this:

This also occurs when you upload a rule via the custom rule API.
How can one reproduce the bug?
Steps to reproduce the behavior:
- Go to security analytics > detectors > detection rules
- Find CVE-2021-1675 Print Spooler Exploitation
- Duplicate Rule
- View error in both GUI and YAML Editor. You can also view the created broken query by searching for the rule:
POST /_plugins/_security_analytics/rules/_search?pre_packaged=true
What is the expected behavior?
Sigma rules with the keywords field under the detection section should be properly translated to a query that can be used by the Security Analytics plugin.
What is your host/environment?
- OS 2.11 fresh install running security analytics plugin
Thanks,
Jay
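As an added example (not part of this issue and not the plugin's own code), a small Python translator showing how a Sigma detection item should be rendered: a mapping becomes fielded terms, while a keyword list becomes unfielded full-text terms with no `_N` field attached. It also includes a check that flags the `_N:` symptom in a generated query, run here against the broken query quoted above. The sample detection is constructed from the values visible in that query, and the condition string is left untranslated.

```python
import re
from typing import Dict, List, Union

# Constructed sample detection, modelled on the values visible in the broken
# query quoted in the issue; it is not the plugin's own rule file.
SAMPLE_DETECTION: Dict[str, Union[dict, list, str]] = {
    "selection_id": {"winlog.event_id": [808, 4909]},
    "selection_code": {"winlog.event_data.ErrorCode": ["0x45A", "0x7e"]},
    "keywords": ["The print spooler failed to load a plug-in module",
                 "MyExploit.dll", "evil.dll"],
    "filter": ["registration timed out"],
    "condition": "(selection_id and selection_code) or keywords and not filter",
}

# The broken query quoted in the issue, used as input for the symptom check.
BROKEN_QUERY = r'''((((winlog.event_id: 808) OR (winlog.event_id: 4909)) AND ((winlog.event_data.ErrorCode: "0x45A") OR (winlog.event_data.ErrorCode: "0x7e"))) OR ((_21: "The_ws_print_ws_spooler_ws_failed_ws_to_ws_load_ws_a_ws_plug\-in_ws_module") OR (_22: "MyExploit.dll") OR (_23: "evil.dll") OR (_24: "\\addCube.dll") OR (_25: "\\rev.dll") OR (_26: "\\rev2.dll") OR (_27: "\\main64.dll") OR (_28: "\\mimilib.dll") OR (_29: "\\mimispool.dll"))) AND ((NOT _30: "_ws_registration_ws_timed_ws_out"))'''

_LUCENE_SPECIAL = re.compile(r'([\\+\-!(){}\[\]^"~*?:/])')

def quote(value) -> str:
    """Render a scalar as a query term; strings are quoted and Lucene-escaped."""
    if not isinstance(value, str):
        return str(value)
    return '"' + _LUCENE_SPECIAL.sub(r'\\\1', value) + '"'

def translate_item(item) -> str:
    """Translate one named detection item into a Lucene-style clause.

    A mapping yields fielded terms (field: value). A bare list is a Sigma
    keyword list: each entry is an unfielded full-text term, so no field
    name (and in particular no list index) may be attached to it."""
    if isinstance(item, dict):
        parts = []
        for field, values in item.items():
            values = values if isinstance(values, list) else [values]
            parts.append("(" + " OR ".join(f"{field}: {quote(v)}" for v in values) + ")")
        return "(" + " AND ".join(parts) + ")"
    if isinstance(item, list):
        return "(" + " OR ".join(quote(v) for v in item) + ")"
    raise TypeError(f"unsupported detection item: {type(item).__name__}")

def translate_detection(detection) -> Dict[str, str]:
    """Translate every detection item except the condition string."""
    return {name: translate_item(item)
            for name, item in detection.items() if name != "condition"}

# Fields named _<digits> are the symptom reported in the issue: list indices
# leaking into the query as field names.
_INDEX_FIELD = re.compile(r"(?<![\w.])_(\d+):")

def find_index_fields(query: str) -> List[str]:
    """Return the numeric suffixes of any _N fields found in a generated query."""
    return _INDEX_FIELD.findall(query)
```

Running `find_index_fields` over the response of the rules `_search` request above is a quick way to list which rules are affected by this bug in a given installation.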