bradleyjkemp / sigma-go

A Go implementation and parser for Sigma rules.
MIT License

RuleEvaluator matcher.Values doesn't handle "Attribute: null" #37

Open veramine opened 1 year ago

veramine commented 1 year ago

I hit an issue today with this rule:

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml

Because one of the matchers is:

    filter_optional_null:
        Image: null

This matcher hits the 'default' case in this switch statement:

func (rule *RuleEvaluator) getMatcherValues(ctx context.Context, matcher sigma.FieldMatcher) ([]string, error) {
    matcherValues := []string{}
    for _, abstractValue := range matcher.Values {
        value := ""

        switch abstractValue := abstractValue.(type) {
        case string:
            value = abstractValue
        case int, float32, float64, bool:
            value = fmt.Sprintf("%v", abstractValue)
        default:
            return nil, fmt.Errorf("expected scalar field matching value got: %v (%T)", abstractValue, abstractValue)
        }

Here's my code:

            eventmap := match.Event
            ctx := context.Background() // needs the "context" import; a variable named ctx cannot call ctx.Background()
            result, err := rule_evaluator.Matches(ctx, eventmap)
            if err != nil {
                fmt.Printf("** ERROR evaluating match with ID [%v], err %v\n", match.MatchId, err)
...

Here's the error returned from rule_evaluator.Matches:

** ERROR evaluating match with ID [30], err error evaluating search filter_optional_null: expected scalar field matching value got: <nil> (<nil>)

veramine commented 1 year ago

I didn't hit this using sigma-go v0.5.0 or v0.4.2. But I do hit it consistently on v0.6.3. I will revert back to v0.5.0 for now.