I am working on converting sigma rule to elasticsearch dsl_lucene.
A strange error occurred in the rule below, and I wonder if the cause was an incorrect rule writing or an unintentional bug.
The rules are below.
title: Potential CVE-2023-2283 Exploitation
id: 8b244735-5833-4517-a45b-28d8c63924c0
status: experimental
description: Detects potential exploitation attempt of CVE-2023-2283 an authentication bypass in libSSH. The exploitation method causes an error message stating that keys for curve25519 could not be generated. It is an error message that is a sign of an exploitation attempt. It is not a sign of a successful exploitation.
references:
- https://twitter.com/kevin_backhouse/status/1666459308941357056?s=20
- https://git.libssh.org/projects/libssh.git/tree/src/curve25519.c#n420
- https://nvd.nist.gov/vuln/detail/CVE-2023-2283
- https://www.blumira.com/cve-2023-2283/
- https://github.com/github/securitylab/tree/1786eaae7f90d87ce633c46bbaa0691d2f9bf449/SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283
author: Florian Roth (Nextron Systems)
date: 2023/06/09
tags:
- attack.initial_access
- attack.t1190
- cve.2023.2283
- detection.emerging_threats
logsource:
product: linux
service: sshd
detection:
keywords:
- 'Failed to generate curve25519 keys'
condition: keywords
falsepositives:
- Errors with the initialization or generation of the X25519 elliptic curve keys may generate the same error message
level: medium
hello.
I am working on converting sigma rule to elasticsearch dsl_lucene.
A strange error occurred in the rule below, and I wonder if the cause was an incorrect rule writing or an unintentional bug.
The rules are below.
In my opinion, the rule should be converted to:
But in LuceneBackend
This converts the double quotes into double quotes.
Therefore, the problem occurred that elasticsearch searches by each word rather than by searching the string.
I debugged the cause
https://github.com/SigmaHQ/pySigma/blob/main/sigma/conversion/base.py#L927 In this line, code wrapped the double quotes once in
https://github.com/SigmaHQ/pySigma-backend-elasticsearch/blob/main/sigma/backends/elasticsearch/elasticsearch.py#L125 https://github.com/SigmaHQ/pySigma/blob/main/sigma/conversion/base.py#L1193 Lastly, code was finally wrapped with a double quotes here.
Not sure if this is intended, or if writing the sigma rule like that is deprecated.