bradleyjkemp / sigma-go

A Go implementation and parser for Sigma rules.
MIT License
84 stars, 18 forks

Segfault when matching detection with a % symbol #17

Status: open. veramine opened this issue 2 years ago

veramine commented 2 years ago

I'm using sigma-go along with the public Sigma process_creation rules and found several that segfault like this:

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x2 addr=0x0 pc=0x1025aca1c]

goroutine 1 [running]:
github.com/bradleyjkemp/sigma-go/evaluator.(*RuleEvaluator).getMatcherValues(0x140001ed3f8, {0x102639b78, 0x14000116000}, {{0x1400012c318, 0xb}, {0x1400013bf30, 0x1, 0x1}, {0x1400013bf40, 0x2, ...}})
    /Users/jness/v/onprem/pkg/mod/github.com/bradleyjkemp/sigma-go@v0.3.4/evaluator/evaluate_search.go:141 +0x1fc
github.com/bradleyjkemp/sigma-go/evaluator.RuleEvaluator.evaluateSearch({{{0x1400012c2e8, 0x13}, {{0x14000117760, 0x10}, {0x14000117740, 0x7}, {0x0, 0x0}, {0x0, 0x0}}, ...}, ...}, ...)
    /Users/jness/v/onprem/pkg/mod/github.com/bradleyjkemp/sigma-go@v0.3.4/evaluator/evaluate_search.go:121 +0x184
github.com/bradleyjkemp/sigma-go/evaluator.RuleEvaluator.Matches({{{0x1400012c2e8, 0x13}, {{0x14000117760, 0x10}, {0x14000117740, 0x7}, {0x0, 0x0}, {0x0, 0x0}}, ...}, ...}, ...)
    /Users/jness/v/onprem/pkg/mod/github.com/bradleyjkemp/sigma-go@v0.3.4/evaluator/evaluate.go:102 +0x148
main.main()
    /Users/jness/v/onprem/src/veramine.com/cmd/util/sigmatest/main.go:105 +0x4f8

These two rules in particular:

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_control_panel_item.yml

Notice that both these rules are looking for fields with a %. When I remove those %s, it no longer segfaults.

    CommandLine|contains:
      - '\System32\'
      - '%System%'

    CommandLine|contains:
      - 'C:\Users\Public\'
      - '%public%'
      - '\Desktop\'

bradleyjkemp commented 2 years ago

Ah, excellent timing. I think https://github.com/bradleyjkemp/sigma-go/commit/5321737c16094b41006889dd51bb40a6209651d9 actually fixes this (or at least downgrades it to an error).

The underlying cause is sigma-go thinking %public% is a placeholder (which I think it is?) but not having any way to expand that.

Better default behaviour might be to just assume all placeholders are empty, but for now you can do this yourself using the WithPlaceholderExpander option: https://github.com/bradleyjkemp/sigma-go/blob/5321737c16094b41006889dd51bb40a6209651d9/evaluator/options.go#L29

veramine commented 2 years ago

Yep that worked fine, thanks!

    // Previous call, which panicked on rules containing a %placeholder%:
    //r := evaluator.ForRule(rule, evaluator.WithConfig(config))

    // Supply a placeholder expander so the evaluator never has to expand a
    // placeholder without one. Returning nil, nil makes every placeholder
    // expand to no values, so a '%public%' entry simply never matches.
    r := evaluator.ForRule(rule, evaluator.WithConfig(config), evaluator.WithPlaceholderExpander(func(ctx context.Context, placeholderName string) ([]string, error) {
        return nil, nil
    }))
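As an added illustration of the placeholder behaviour discussed in this thread (this is not sigma-go's own code and does not import it): a minimal `field|contains` matcher that recognises `%name%` placeholders in rule values and takes an expander callback of the same shape as the `WithPlaceholderExpander` option. It shows the three outcomes a defender has to choose between: no expander configured returns an error instead of calling a nil function; an expander returning `nil, nil` (the workaround above) makes the placeholder match nothing; and an expander that hands back the `%name%` text unchanged lets the rule match the unexpanded variable exactly as it appears in a logged command line. `MapExpander`, its lookup table and the sample command lines are constructed for this example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// PlaceholderExpander has the same shape as the callback sigma-go's
// WithPlaceholderExpander option takes: the placeholder name (without the
// surrounding % signs) maps to the concrete values it stands for.
type PlaceholderExpander func(ctx context.Context, name string) ([]string, error)

// ErrNoExpander is returned when a rule value contains a placeholder but no
// expander was configured: an error, not a nil function call.
var ErrNoExpander = errors.New("rule value uses a %placeholder% but no expander is configured")

// Sigma placeholders look like %name%; the name is captured.
var placeholderRe = regexp.MustCompile(`%([A-Za-z0-9_]+)%`)

// expandValue replaces every %name% in one rule value with each of its
// expansions (cross product when a value holds several placeholders).
// If the expander returns zero values, the value yields zero candidates and
// can never match, which is what the nil, nil workaround in the thread does.
func expandValue(ctx context.Context, value string, expand PlaceholderExpander) ([]string, error) {
	loc := placeholderRe.FindStringSubmatchIndex(value)
	if loc == nil {
		return []string{value}, nil // no placeholder: literal value
	}
	if expand == nil {
		return nil, ErrNoExpander
	}
	name := value[loc[2]:loc[3]]
	replacements, err := expand(ctx, name)
	if err != nil {
		return nil, err
	}
	prefix, rest := value[:loc[0]], value[loc[1]:]
	tails, err := expandValue(ctx, rest, expand) // any further placeholders
	if err != nil {
		return nil, err
	}
	var out []string
	for _, r := range replacements {
		for _, t := range tails {
			out = append(out, prefix+r+t)
		}
	}
	return out, nil
}

// containsAny is a minimal `field|contains` check: true if the event field
// contains any expanded candidate, compared case-insensitively like Sigma.
func containsAny(ctx context.Context, field string, values []string, expand PlaceholderExpander) (bool, error) {
	lowerField := strings.ToLower(field)
	for _, v := range values {
		candidates, err := expandValue(ctx, v, expand)
		if err != nil {
			return false, err
		}
		for _, c := range candidates {
			if strings.Contains(lowerField, strings.ToLower(c)) {
				return true, nil
			}
		}
	}
	return false, nil
}

// ruleValues are the detection values from the control-panel-item rule quoted
// in the issue.
var ruleValues = []string{`C:\Users\Public\`, `%public%`, `\Desktop\`}

// EmptyExpander: every placeholder has no values (the thread's workaround).
func EmptyExpander(ctx context.Context, name string) ([]string, error) { return nil, nil }

// LiteralExpander: keep the %name% text, so the rule matches the unexpanded
// environment variable string as it appears in a command line.
func LiteralExpander(ctx context.Context, name string) ([]string, error) {
	return []string{"%" + name + "%"}, nil
}

// MapExpander resolves placeholders from a constructed lookup table.
func MapExpander(ctx context.Context, name string) ([]string, error) {
	table := map[string][]string{"public": {`C:\Users\Public`}} // constructed sample
	return table[strings.ToLower(name)], nil
}

func main() {
	ctx := context.Background()
	cmd := `control.exe %public%\item.cpl` // constructed sample command line
	for label, ex := range map[string]PlaceholderExpander{"nil": nil, "empty": EmptyExpander, "literal": LiteralExpander} {
		ok, err := containsAny(ctx, cmd, ruleValues, ex)
		fmt.Printf("%-8s match=%v err=%v\n", label, ok, err)
	}
}
```

The choice between `EmptyExpander` and `LiteralExpander` is a detection-coverage decision: in process-creation telemetry an unexpanded `%public%` can appear verbatim, and an expander that drops the placeholder silently loses that case.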