SigmaHQ / pySigma-backend-crowdstrike

SigmaHQ pySigma CrowdStrike processing pipeline
GNU Lesser General Public License v2.1

Unix paths are not properly escaped #11

Closed. xavigu42 closed this 3 days ago

xavigu42 commented 3 weeks ago

Hi guys,

We noticed that the unix path is not properly escaped in the regular expressions.

sample rule

  noise:
    Image|re:
      - '^\/usr\/bin\/perl'
    Image|endswith:
      - '/perl'
    Image|startswith:
      - '/usr/bin/perl'
    Image|contains:
      - '/perl'
  condition: not noise

endswith

Current output

ImageFileName=//perl$/i

Should be

ImageFileName=/\/perl$/i

startswith

Current output

ImageFileName=/^/usr/bin/perl/i

Should be

ImageFileName=/^\/usr\/bin\/perl/i
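To make the reported defect concrete, here is an added illustration (not the pySigma-backend-crowdstrike code, and not the author's fix) of how the `startswith`, `endswith`, `contains` and `re` modifiers map onto a CrowdStrike `/pattern/i` regex literal, with the naive conversion beside one that escapes the `/` delimiter, plus a check that flags any unescaped `/` left inside the literal. The field name `ImageFileName` and Python 3.7+ `re.escape` semantics are assumed.

```python
import re

# Constructed for this illustration: the query fragment is rendered as
# FIELD=/pattern/i, as in the outputs quoted in the issue.
FIELD = "ImageFileName"  # assumed field name taken from the issue output


def naive_pattern(modifier: str, value: str) -> str:
    """Reproduces the reported bug: re.escape() (Python 3.7+) leaves '/'
    untouched, so a path separator terminates the /.../ literal early."""
    body = value if modifier == "re" else re.escape(value)
    return {"re": body, "startswith": "^" + body,
            "endswith": body + "$", "contains": body}[modifier]


def escaped_pattern(modifier: str, value: str) -> str:
    """Same mapping, but '/' is escaped so it survives inside the literal.
    A user-supplied 're' value is passed through as written."""
    if modifier == "re":
        body = value
    else:
        body = re.escape(value).replace("/", r"\/")
    return {"startswith": "^" + body, "endswith": body + "$",
            "contains": body, "re": body}[modifier]


def to_crowdstrike(modifier: str, value: str, field: str = FIELD) -> str:
    """Render the corrected query fragment, e.g. ImageFileName=/\\/perl$/i."""
    return f"{field}=/{escaped_pattern(modifier, value)}/i"


def has_unescaped_slash(pattern: str) -> bool:
    """Sanity check a backend can run on its own output: True if any '/' in
    the pattern is not preceded by an odd number of backslashes."""
    backslashes = 0
    for ch in pattern:
        if ch == "\\":
            backslashes += 1
            continue
        if ch == "/" and backslashes % 2 == 0:
            return True
        backslashes = 0
    return False


if __name__ == "__main__":
    for mod, val in [("endswith", "/perl"), ("startswith", "/usr/bin/perl")]:
        bad = naive_pattern(mod, val)
        print(f"{mod:10} naive: /{bad}/i  unescaped-slash={has_unescaped_slash(bad)}")
        print(f"{'':10} fixed: {to_crowdstrike(mod, val)}")
```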

moullos commented 3 days ago

Thanks @xavigu42

Should be fixed now.