SigmaHQ / pySigma-backend-elasticsearch

pySigma Elasticsearch backend
GNU Lesser General Public License v3.0

Converting sigma rule to elasticsearch, double quotation marks are inserted twice. #29

Closed KSHMK closed 2 months ago

KSHMK commented 1 year ago

Hello.

I am working on converting Sigma rules to Elasticsearch dsl_lucene.

A strange error occurred with the rule below, and I wonder whether the cause is incorrect rule writing or an unintentional bug.

The rule is below.

title: Potential CVE-2023-2283 Exploitation
id: 8b244735-5833-4517-a45b-28d8c63924c0
status: experimental
description: Detects potential exploitation attempt of CVE-2023-2283 an authentication bypass in libSSH. The exploitation method causes an error message stating that keys for curve25519 could not be generated. It is an error message that is a sign of an exploitation attempt. It is not a sign of a successful exploitation.
references:
    - https://twitter.com/kevin_backhouse/status/1666459308941357056?s=20
    - https://git.libssh.org/projects/libssh.git/tree/src/curve25519.c#n420
    - https://nvd.nist.gov/vuln/detail/CVE-2023-2283
    - https://www.blumira.com/cve-2023-2283/
    - https://github.com/github/securitylab/tree/1786eaae7f90d87ce633c46bbaa0691d2f9bf449/SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283
author: Florian Roth (Nextron Systems)
date: 2023/06/09
tags:
    - attack.initial_access
    - attack.t1190
    - cve.2023.2283
    - detection.emerging_threats
logsource:
    product: linux
    service: sshd
detection:
    keywords:
        - 'Failed to generate curve25519 keys'
    condition: keywords
falsepositives:
    - Errors with the initialization or generation of the X25519 elliptic curve keys may generate the same error message
level: medium

In my opinion, the rule should be converted to:

"\"Failed\\ to\\ generate\\ curve25519\\ keys\""

But in LuceneBackend it is:

"\"\"Failed\\ to\\ generate\\ curve25519\\ keys\"\""

This converts the double quotes into double quotes.

Therefore, the problem occurred that Elasticsearch searches by each word rather than by the whole string.

I debugged the cause:

https://github.com/SigmaHQ/pySigma/blob/main/sigma/conversion/base.py#L927 In this line, the code wraps the value in double quotes once, and in

https://github.com/SigmaHQ/pySigma-backend-elasticsearch/blob/main/sigma/backends/elasticsearch/elasticsearch.py#L125 https://github.com/SigmaHQ/pySigma/blob/main/sigma/conversion/base.py#L1193 Lastly, the code is finally wrapped with double quotes again here.

I am not sure whether this is intended, or whether writing the Sigma rule like that is deprecated.
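
To make the two outputs quoted above concrete, here is an added Python example; it is not code from pySigma, from the Elasticsearch backend, or from this issue. It escapes the keyword the way the quoted output does (the escape set is an assumption modelled on that output and on the Lucene query_string reserved characters, not pySigma's own list), wraps it in quotes once with an idempotent helper, reproduces the naive double wrapping, and renders both as the JSON-escaped string literals the issue quotes:

```python
import json

# Characters the Lucene query_string syntax treats specially. The set is an
# assumption modelled on the output quoted in the issue (spaces are escaped
# too); it is not copied from pySigma's own escape list.
LUCENE_SPECIAL = set('+-=&|><!(){}[]^"~*?:\\/ ')

SIGMA_KEYWORD = "Failed to generate curve25519 keys"  # the keyword from the rule above


def escape_lucene(value: str) -> str:
    """Backslash-escape every special character in a literal search value."""
    return "".join("\\" + ch if ch in LUCENE_SPECIAL else ch for ch in value)


def quote_once(term: str) -> str:
    """Wrap a term in double quotes unless it is already a quoted phrase.

    Idempotent: applying it twice yields the same string, which is the
    property the two wrapping sites described in the issue lack.
    """
    already_quoted = (
        len(term) >= 2
        and term[0] == '"'
        and term[-1] == '"'
        and term[-2] != "\\"  # a trailing escaped quote is not a closing quote
    )
    return term if already_quoted else f'"{term}"'


def keyword_to_lucene(value: str) -> str:
    """Convert an unbound Sigma keyword into a single quoted Lucene phrase."""
    return quote_once(escape_lucene(value))


def keyword_to_lucene_double_wrapped(value: str) -> str:
    """Reproduce the defect: wrap the escaped phrase naively, twice."""
    phrase = f'"{escape_lucene(value)}"'  # first wrapping site
    return f'"{phrase}"'                   # second wrapping site, no check


def has_doubled_quotes(query: str) -> bool:
    """Detect the symptom from the issue: a phrase that begins and ends with ""."""
    return len(query) > 4 and query.startswith('""') and query.endswith('""')


def as_issue_literal(query: str) -> str:
    """Render a query the way the issue quotes it (JSON-escaped string literal)."""
    return json.dumps(query)


if __name__ == "__main__":
    good = keyword_to_lucene(SIGMA_KEYWORD)
    bad = keyword_to_lucene_double_wrapped(SIGMA_KEYWORD)
    print("raw query  :", good)
    print("as in issue:", as_issue_literal(good))
    print("doubled    :", as_issue_literal(bad), "->", has_doubled_quotes(bad))
    # quote_once() can sit at both wrapping sites without doubling the quotes:
    assert quote_once(good) == good
```

The `as_issue_literal` output reproduces the two strings quoted in the issue exactly, which shows that those strings are JSON-escaped literals: the query actually sent to Elasticsearch has single backslashes before the spaces, and the only difference between the expected and the observed result is the extra pair of quotes.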

zmlilo commented 8 months ago

Hi

It seems that the error occurs when there is no field:value pair in the given line and only a "value" is present.