bradleyjkemp / sigma-go

A Go implementation and parser for Sigma rules.
MIT License

RuleEvaluator crashes when comparing numeric values #42

Closed 262nos closed 7 months ago

262nos commented 7 months ago

Hello! Amazing project and I appreciate your work.

Unfortunately, I encountered a couple of problems while attempting to use the project for a detection engine.

Given the following Sigma Rule:

title: Test Sigma Rule
id: 123
status: experimental
description: Crash the evaluator
date: 2024/03/27
detection:
  cond1:
    - receivedByte|gte: 0
  cond2:
    - deviceAddress|gte: 172.16.0.0
  condition: cond1 and cond2
level: low

and event:

{
  "receivedBytes": 25,
  "deviceAddress": "172.16.2.2"
}

the RuleEvaluator crashes the program in two ways:

  1. if it does not find the receivedByte in the map[string]interface{} event, and passes to coerceNumeric a nil interface, which generates a panic.
  2. if the rule contains a modifier that forces the use of the coerceNumeric and the value of the key is a string that can not be transformed to a float64 or int by yaml.Unmarshal (like an IP address), the coerceNumeric function recurses itself until a stack overflow.

I understand that writing a correct rule is paramount, but sometimes it can not be helped that the user makes a typo.

I can submit a pull request with the required fixes, if it helps.
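The two failure modes above (a nil interface reaching the numeric coercion, and a non-numeric string being re-fed into the same coercion until the stack overflows) both come from coercing before checking what the value actually is. The following is an added, stand-alone illustration of a coercion that cannot hit either case; it is not sigma-go's own code, and `coerceFloat`, `gte`, and `ErrNotNumeric` are names chosen for this example. It uses `strconv.ParseFloat` where the issue describes `yaml.Unmarshal`, so that it runs without any dependency; the point is the same: a string that does not parse as a number is reported as an error in a single step rather than handed back to the coercion function.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
)

// ErrNotNumeric is returned when a value cannot be coerced to a number.
var ErrNotNumeric = errors.New("value is not numeric")

// coerceFloat converts a Sigma rule value or event field to a float64.
// It inspects the dynamic type with a type switch, so a nil interface is
// handled explicitly instead of being dereferenced, and the string case is
// resolved in one step (strconv stands in for yaml.Unmarshal here), so an
// unparseable string such as "172.16.0.0" yields an error instead of
// re-entering this function.
func coerceFloat(v interface{}) (float64, error) {
	switch n := v.(type) {
	case nil:
		return 0, fmt.Errorf("%w: missing value", ErrNotNumeric)
	case int:
		return float64(n), nil
	case int64:
		return float64(n), nil
	case float64:
		return n, nil
	case string:
		f, err := strconv.ParseFloat(n, 64)
		if err != nil {
			return 0, fmt.Errorf("%w: %q", ErrNotNumeric, n)
		}
		return f, nil
	default:
		return 0, fmt.Errorf("%w: unsupported type %T", ErrNotNumeric, v)
	}
}

// gte reports whether event[field] >= ruleValue, mirroring a |gte modifier.
// A missing field or a non-numeric value on either side is a non-match plus
// an error, never a panic or unbounded recursion.
func gte(event map[string]interface{}, field string, ruleValue interface{}) (bool, error) {
	actual, ok := event[field]
	if !ok {
		return false, fmt.Errorf("field %q not present in event", field)
	}
	left, err := coerceFloat(actual)
	if err != nil {
		return false, fmt.Errorf("event field %q: %w", field, err)
	}
	right, err := coerceFloat(ruleValue)
	if err != nil {
		return false, fmt.Errorf("rule value for %q: %w", field, err)
	}
	return left >= right, nil
}

func main() {
	// Constructed event mirroring the one in the issue.
	event := map[string]interface{}{
		"receivedBytes": 25,
		"deviceAddress": "172.16.2.2",
	}
	// Case 1: the rule's field name has a typo, so the lookup finds no value.
	fmt.Println(gte(event, "receivedByte", 0))
	// Case 2: the rule compares an IP address with |gte; neither side is numeric.
	fmt.Println(gte(event, "deviceAddress", "172.16.0.0"))
	// Correct field name and numeric values compare as expected.
	fmt.Println(gte(event, "receivedBytes", 0))
}
```

Returning an error rather than silently treating a missing or malformed field as zero matters for a detection engine: a typo in a rule should surface as a rule-loading or evaluation error, not as a rule that quietly never fires (or always fires). Note that `strconv.ParseFloat` also accepts spellings such as "inf" and "NaN", which a YAML-based coercion may treat differently; that detail is specific to this illustration.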

bradleyjkemp commented 7 months ago

Great spot! Yeah this definitely shouldn't panic/crash. Had a go at fixing this too, but it turned out pretty much identical to your solution so I'm happy to approve a PR from your branch if you'd like?

262nos commented 7 months ago

Sure thing. I'll submit a pull request. Thanks for the quick update.