search

SigmaHQ / pySigma

Python library to parse and convert Sigma rules into queries (and whatever else you could imagine)
GNU Lesser General Public License v2.1
395 stars 101 forks source link

Sigma accepting malformed yaml in SigmaDetectionItem fields #225

Closed twpZero closed 4 months ago

twpZero commented 5 months ago

According to https://yaml.org/spec/1.2.2/ : "colons separate key/value pairs"

However SigmaDetectionItem.from_mapping currently allows field to contain ':' . Currently, SigmaDetectionItem.field allows keys such as field:modifier: without raising any errors.

Remark: ':' can also be a reserved char for some backends that work with key:value syntax. That would be increasing the chance of errors in backend despite Sigma Validation.

-> The proposed solution simply check if field contains ':' and raise SigmaDetectionError.

Please feel free to accept merge request #224 or to implement your own checks.

thomaspatzke commented 4 months ago

Colons are allowed in YAML keys if the key is quoted.