Closed: YamatoSecurity closed this issue 6 months ago.
@fukusuket Until we can support this in Hayabusa directly, do you think we can support this by updating the converter by adding the variant where - characters are replaced with /?
It seems possible, so I'll check it out!💪
@hitenkoku Could I ask you to look into how to support the |contains|windash modifier in Hayabusa?
@YamatoSecurity Sorry for late reply. I will check it.
@hitenkoku Thanks so much! No hurry so whenever you have free time is completely fine!
Note: There are also rules that use a |contains|all|windash modifier. We can create a different issue for this.
There are now 56 sigma rules that use the pipe modifier |contains|windash. Example:
From the sigma specification:
Add a new variant where all - occurrences are replaced with /. The original variant is also kept unchanged.
From my understanding, this should be the same as the following rule:
where CommandLine has to contain the string -addstore OR /addstore
@fukusuket Until we can support this in Hayabusa directly, do you think we can support this by updating the converter by adding the variant where - characters are replaced with /? This would also allow users with older versions of Hayabusa to use these rules. If this is difficult to do, we could temporarily just delete the |windash portion and search for the original -addstore string. (Ex: CommandLine|contains|windash: '-addstore' -> CommandLine|contains: '-addstore') It could be bypassed by an attacker changing - to /, but it is better to have these rules partially usable until we can fully support it.
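Added Python example (not part of the issue thread and not Hayabusa's own converter code) of the converter change and the fallback discussed above: it expands a contains|windash value into the original plus the variant with every - replaced by /, leaves the contains|all|windash form untouched because flattening it into one list would change the rule's meaning, and runs a constructed rule against constructed command lines to show which event the |windash-dropped fallback misses. The rule, events and helper names are constructed for this example.

```python
from typing import Dict, List, Union

Value = Union[str, List[str]]

def windash_variants(value: str) -> List[str]:
    """Expand one |windash value as the Sigma spec quoted above describes:
    keep the original and add a variant with every '-' replaced by '/'."""
    variants = [value]
    if "-" in value:
        variants.append(value.replace("-", "/"))
    return variants

def convert_windash(detection: Dict[str, Value]) -> Dict[str, Value]:
    """Rewrite 'Field|contains|windash' entries into plain 'Field|contains'
    lists holding both variants, so engines without |windash can run them.
    'Field|contains|all|windash' is left as-is: a flat list under |all would
    require every variant to match, which is not what the rule means."""
    converted: Dict[str, Value] = {}
    for key, value in detection.items():
        mods = key.split("|")
        if mods[-1] != "windash" or "all" in mods:
            converted[key] = value
            continue
        values = [value] if isinstance(value, str) else value
        expanded: List[str] = []
        for v in values:
            expanded.extend(windash_variants(v))
        converted["|".join(mods[:-1])] = expanded
    return converted

def matches(detection: Dict[str, Value], event: Dict[str, str]) -> bool:
    """Minimal evaluator for 'Field|contains' (OR over list values),
    case-insensitive like Sigma string matching. Expects a detection that
    has already been passed through convert_windash()."""
    for key, value in detection.items():
        field, *mods = key.split("|")
        if mods != ["contains"]:
            raise ValueError(f"unsupported modifiers in {key}")
        haystack = event.get(field, "").lower()
        needles = [value] if isinstance(value, str) else value
        if not any(n.lower() in haystack for n in needles):
            return False
    return True

# Constructed sample rule and events (not taken from the issue).
RULE = {"CommandLine|contains|windash": "-addstore"}
FALLBACK = {"CommandLine|contains": "-addstore"}  # |windash simply dropped
EVENTS = [
    {"CommandLine": "certutil.exe -addstore Root cert.cer"},
    {"CommandLine": "certutil.exe /addstore Root cert.cer"},
]
```

Running `matches(convert_windash(RULE), ev)` over EVENTS hits both command lines, while `matches(FALLBACK, ev)` hits only the first one, which is the partial coverage the comment above accepts as a stopgap.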