SigmaHQ / pySigma-backend-splunk

pySigma Splunk backend
GNU Lesser General Public License v2.1

[sigmac] [splunk] Unescaped . in query #15

Open phantinuss opened 1 year ago

phantinuss commented 1 year ago

Hi,

I think .s should be escaped in Splunk searches.

I create a query:

sigmac -t splunk -c tools/config/splunk-windows.yml rules/windows/process_creation/proc_creation_win_commandline_path_traversal.yml
((((ParentCommandLine="*cmd*" ParentCommandLine="*/c*" CommandLine="*/../../*")) NOT (((CommandLine="*\\Tasktop\\keycloak\\bin\\/../../jre\\bin\\java*")))))

and paste it to Splunk and start the search and the dots are removed: image

When I escape the dots with \ the query seems to be functional

phantinuss commented 1 year ago

Or maybe the / is the character which has to be escaped?

thomaspatzke commented 1 year ago

Just verified here, same behavior. Agreed, this must be fixed.

frack113 commented 1 year ago

Find this https://research.splunk.com/application/dfe55688-82ed-4d24-a21b-ed8f0e0fda99/ search "\/..\/..\/..\/..\/..\/..\/..\/..\/..\/"

nasbench commented 1 year ago

There is no mention of the dot or forward slash as characters that need to be escaped in an SPL search query. See here


phantinuss commented 1 year ago

As you can see in the screenshot of the first post it is an issue, documented or not. And the solution to escape / will work at least in all the cases I tested. Adding an unneeded but valid escape shouldn't break things. And in some cases (see first screenshot) it is needed.
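Added example (not pySigma's or the Splunk backend's code; function names are hypothetical): it renders the rule's field/value pairs from the first post as an SPL search and applies the `/` escaping workaround described in this thread, so the unescaped and escaped forms can be compared.

```python
# Added illustration for this issue, not pySigma or Splunk backend code.
# Renders Sigma field/value pairs as an SPL search and shows the "/" escaping
# workaround discussed in the thread. Function names are hypothetical.
from typing import List, Optional, Tuple

Terms = List[Tuple[str, str]]  # (field, value) pairs, AND-ed together


def escape_spl_string(value: str, escape_slash: bool = False) -> str:
    """Escape a value for use inside a double-quoted SPL term.

    Backslash and double quote are escaped with a backslash; '*' is left as
    the wildcard. With escape_slash=True every '/' becomes '\\/', the
    workaround reported in this issue for values such as '/../../' that the
    search parser otherwise mangles. Backslashes are doubled first so the
    backslashes added for '/' are not doubled again.
    """
    value = value.replace("\\", "\\\\").replace('"', '\\"')
    if escape_slash:
        value = value.replace("/", "\\/")
    return value


def render_terms(terms: Terms, escape_slash: bool = False) -> str:
    """Render (field, value) pairs as space-separated (implicit AND) terms."""
    return " ".join(
        '%s="%s"' % (field, escape_spl_string(value, escape_slash))
        for field, value in terms
    )


def render_search(selection: Terms, filter_terms: Optional[Terms] = None,
                  escape_slash: bool = False) -> str:
    """Combine a selection and an optional filter as 'selection NOT filter'."""
    search = "(" + render_terms(selection, escape_slash) + ")"
    if filter_terms:
        search += " NOT (" + render_terms(filter_terms, escape_slash) + ")"
    return search


# Constructed sample mirroring the path-traversal rule from the first post.
SELECTION: Terms = [
    ("ParentCommandLine", "*cmd*"),
    ("ParentCommandLine", "*/c*"),
    ("CommandLine", "*/../../*"),
]
FILTER: Terms = [("CommandLine", r"*\Tasktop\keycloak\bin\/../../jre\bin\java*")]

if __name__ == "__main__":
    print("unescaped:", render_search(SELECTION, FILTER))
    print("escaped:  ", render_search(SELECTION, FILTER, escape_slash=True))
```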

thomaspatzke commented 1 year ago

Seems to have disappeared in Splunk 9.x.