Closed nzedler closed 3 months ago
Hello, the double colons are now correctly escaped after this MR, but single colons in CIDR are not escaped.
Example:
```yaml
filter_main_local_ips:
    dst_ip|cidr:
        - '127.0.0.0/8'
        - '10.0.0.0/8'
        - '172.16.0.0/12'
        - '192.168.0.0/16'
        - '::1/128'          # <- escaped correctly
        - 'fe80::/10'        # <- escaped correctly
        - 'fc00::/7'         # <- escaped correctly
        - '2603:1080::/25'   # <- results in error
```
which is translated to `dst_ip:2603:1080\:\:\/25` instead of `dst_ip:2603\:1080\:\:\/25`.
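To make the difference between the two translations concrete, here is an added example (not pySigma's own backend code, and not code from anyone in this thread) that escapes a CIDR value the way a Lucene `query_string` literal needs it, alongside a hypothetical `buggy_escape` that reproduces the behaviour described above (only `::` and `/` escaped, a lone `:` left alone). The helper names `escape_lucene_value`, `buggy_escape`, `has_unescaped`, `cidr_term` and `cidr_filter` are assumptions for this illustration; the CIDR list is constructed from the values in the report.

```python
import ipaddress

# Characters Lucene's query_string parser treats as syntax (the set escaped by
# Lucene's QueryParser.escape). Each must be backslash-escaped inside a literal
# value; note that ':' and '/' are both in this set, so every colon of an IPv6
# prefix and the CIDR slash have to be escaped, not only the '::' sequence.
LUCENE_SPECIAL = set('\\+-!():^[]"{}~*?|&/')


def escape_lucene_value(value: str) -> str:
    """Escape every Lucene query_string metacharacter in a literal value."""
    return "".join("\\" + c if c in LUCENE_SPECIAL else c for c in value)


def buggy_escape(value: str) -> str:
    """Hypothetical reconstruction of the behaviour reported in the thread:
    '::' and '/' are escaped, but a single ':' is passed through unchanged."""
    return value.replace("::", "\\:\\:").replace("/", "\\/")


def has_unescaped(value: str, ch: str) -> bool:
    """True if `ch` occurs in `value` without a preceding backslash.
    Walks left to right so an escaped backslash ('\\\\') is not mistaken
    for an escape of the character that follows it."""
    i = 0
    while i < len(value):
        if value[i] == "\\":
            i += 2  # skip the escaped character
            continue
        if value[i] == ch:
            return True
        i += 1
    return False


def cidr_term(field: str, cidr: str) -> str:
    """Render one Sigma `field|cidr` value as a query_string term.
    The value is validated as a network first, so junk never reaches the query."""
    ipaddress.ip_network(cidr, strict=False)  # raises ValueError on invalid input
    return f"{field}:{escape_lucene_value(cidr)}"


def cidr_filter(field: str, cidrs) -> str:
    """OR together the terms for a list of CIDRs, as a filter selection would."""
    return "(" + " OR ".join(cidr_term(field, c) for c in cidrs) + ")"


# Constructed sample input: the same prefixes listed in the report above.
SAMPLE_CIDRS = [
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fe80::/10", "fc00::/7", "2603:1080::/25",
]


if __name__ == "__main__":
    for cidr in SAMPLE_CIDRS:
        good = escape_lucene_value(cidr)
        bad = buggy_escape(cidr)
        flag = "" if good == bad else "  <- differs, unescaped ':' left in value"
        print(f"{cidr:18} good={good:24} buggy={bad}{flag}")
    print(cidr_filter("dst_ip", SAMPLE_CIDRS))
```

Running it shows that the two escapers agree on `::1/128`, `fe80::/10` and `fc00::/7` (every colon there is part of a `::` pair) and only diverge on `2603:1080::/25`, which is exactly why the first three rows of the report work and the last one errors. `has_unescaped(term, ":")` is the check a backend test can run over every generated value: a `:` that survives unescaped inside the value part is parsed by Elasticsearch as a second field separator, not as part of the address.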
I added some more connect tests that also check IPv6 addresses with the cidr modifier. The tests ran fine today without ES errors.
If I'm wrong, please reopen.
When using IPv6 CIDR notation, the colons are not escaped, thus creating an ElasticSearch error:
This happens with e.g. the following Sigma syntax:
which is translated to `dst_ip:::1\/128` instead of `dst_ip:\:\:1\/128`.
Sample sigma rule: