Closed kelnage closed 1 year ago
In the specification, for `list`: "strings that are applied to the full log message and are linked with a logical 'OR'." For `all`: "Normally, lists of values were linked with OR in the generated query. This modifier changes this to AND."
So `all of keywords` is a list of strings linked with an AND, but I recognize that it's quite a trick.
Oh, yeah - no, then it's an issue with the rule(s), not pySigma. The `all` you mention there is the modifier, not the `all of` condition. I think the desired detection is probably:

```yaml
detection:
  selector:
    '|all':
      - ':179' # Protocol
      - 'missing MD5 digest'
  condition: selector
```

Note that for `all of`, the specification is quite clear:

> The search identifiers themselves are logically linked with their default behaviour for maps (AND) and lists (OR).

It is unfortunate that `sigmac` and `sigma` have diverged in this way - hopefully there aren't too many other rules that are caught by such an issue.
My bad, I took the wrong line.
In `condition`, `all of` is an AND.
Modifier and condition use the same logic: `all` converts the OR logic into an AND.
`all of keywords` is an edge case where you have no field name (cannot use a modifier), and you want all the strings of a list.
https://github.com/SigmaHQ/sigma-specification/discussions/53#discussioncomment-4672911
I updated all of the Sigma signatures to the new syntax in sigmaHQ/sigma#3952 - going forward, we may want to warn users if their rule includes an 'all of' for a single selector that it may not produce the queries they expect.
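As an added illustration of the two readings discussed in this thread (the `|all` modifier proposed in the comment above, and the warning suggested for `all of` applied to a single selection), here is a small self-contained Python evaluator. It is not pySigma's or sigmac's code; the log lines are constructed for the example and are not real Juniper output, and the `detection`/`condition` dictionaries are a simplified stand-in for Sigma YAML.

```python
"""Toy evaluator for the Sigma keyword semantics discussed in this thread.

Added illustration, not pySigma code. It models only three things:
  * a list of keyword values is OR-linked (specification default for lists),
  * the `|all` modifier makes that list AND-linked,
  * `all of <pattern>` ANDs the *selections* matched by the pattern and does
    not change how each selection's own values are combined.
"""
from fnmatch import fnmatch

# Constructed sample log lines (hypothetical, not real Juniper syslog output).
LOG_LINES = [
    "rpd[1234]: bgp peer 10.0.0.1 (External AS 65001) socket :179 missing MD5 digest",
    "rpd[1234]: bgp peer 10.0.0.2 connected on :179",
    "sshd[99]: missing MD5 digest in key file",
    "rpd[1234]: bgp peer 10.0.0.3 established",
]


def contains(line, value):
    """Keyword matching: case-insensitive substring over the whole message."""
    return value.lower() in line.lower()


def match_selection(line, values, all_modifier=False):
    """OR the values by default; AND them when the `|all` modifier is set."""
    combine = all if all_modifier else any
    return combine(contains(line, v) for v in values)


def evaluate(rule, line):
    """Evaluate a rule against one line.

    rule = {"detection": {name: (values, all_modifier), ...},
            "condition": "all of <pattern>" | "1 of <pattern>" | "<name>"}
    """
    detection = rule["detection"]
    cond = rule["condition"].strip()
    if cond.startswith(("all of ", "1 of ")):
        quantifier, pattern = cond.split(" of ", 1)
        names = [n for n in detection if fnmatch(n, pattern)]
        if not names:
            raise ValueError(f"condition refers to no selection: {cond!r}")
        results = [match_selection(line, *detection[n]) for n in names]
        return all(results) if quantifier == "all" else any(results)
    if cond in detection:
        return match_selection(line, *detection[cond])
    raise ValueError(f"unsupported condition: {cond!r}")


def matching_lines(rule, lines=LOG_LINES):
    """Indices of the lines the rule matches, in order."""
    return [i for i, line in enumerate(lines) if evaluate(rule, line)]


def warn_all_of_single_selection(rule):
    """Lint: `all of <pattern>` that names exactly one selection is a likely
    authoring mistake, because the selection's values stay OR-linked."""
    cond = rule["condition"].strip()
    if not cond.startswith("all of "):
        return None
    pattern = cond[len("all of "):]
    names = [n for n in rule["detection"] if fnmatch(n, pattern)]
    if len(names) == 1:
        return (f"{cond!r} selects only {names[0]!r}; its values remain OR-linked. "
                "Use the '|all' modifier if every value must match.")
    return None


# The original rule shape: one keyword list plus `all of keywords` -> still OR.
RULE_ALL_OF_KEYWORDS = {
    "detection": {"keywords": ([":179", "missing MD5 digest"], False)},
    "condition": "all of keywords",
}
# The fix proposed in the thread: `|all` modifier on the list -> AND.
RULE_ALL_MODIFIER = {
    "detection": {"selector": ([":179", "missing MD5 digest"], True)},
    "condition": "selector",
}
# Equivalent intent expressed as two selections joined by `all of`.
RULE_TWO_SELECTIONS = {
    "detection": {"sel_port": ([":179"], False),
                  "sel_md5": (["missing MD5 digest"], False)},
    "condition": "all of sel_*",
}

if __name__ == "__main__":
    for name, rule in [("all of keywords", RULE_ALL_OF_KEYWORDS),
                       ("|all modifier", RULE_ALL_MODIFIER),
                       ("two selections", RULE_TWO_SELECTIONS)]:
        print(f"{name:16} matches lines {matching_lines(rule)}")
        warning = warn_all_of_single_selection(rule)
        if warning:
            print("  warning:", warning)
```

Running it shows the divergence the issue is about: the original shape matches any line with either keyword, while both the `|all` form and the two-selection form match only the line that carries both `:179` and `missing MD5 digest`. The lint function is one way to implement the warning suggested above; it fires only for the first rule.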
Some recently added rules to the sigma repository are behaving differently depending on whether they were converted with sigma-cli/pySigma or uncoder.io/sigmac. An example is Juniper BGP Missing MD5.
The rule uses a list of keyword values, which it attempts to combine with an "all of" condition. I believe the intent of this rule is to find entries that contain both the keywords ":179" and "missing MD5 digest" - which is exactly what uncoder.io produces (using, I believe, sigmac) - but when sigma-cli is used, the parse tree basically ignores the "all of" and produces ":179" or "missing MD5 digest".
I can't really decide if this is an issue with the rules in question, sigmac or pySigma - but I thought I'd put it here! Based on my interpretation of the sigma-specification, I would judge that pySigma is behaving as expected - but others may disagree.