search

elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana
Other
19.74k stars 8.14k forks source link

[Security Solution][Detection Engine] ip_range value list exceptions may not be flagged as being exceptional #79516

Closed FrankHassanabad closed 3 years ago

FrankHassanabad commented 3 years ago

Related to https://github.com/elastic/kibana/issues/79511

Summary

Inspecting the code in x-pack/plugins/security_solution/server/lib/detection_engine/signals/filter_events_with_list.ts to determine whether or not Detection Engine would, for example, match a specific source.ip address 192.168.100.14 against (for example) an ip_range value list named cidr.txt with the following contents:

192.168.100.14/24

Using this CIDR to IPv4 Address Range utility, we can see the CIDR notation 192.168.100.14/24 translates to the range 192.168.100.0 to 192.168.100.255. Thus, at runtime, detection engine should flag a source.ip with a value of 192.168.100.14 as an exception because it falls within the range of 192.168.100.0 to 192.168.100.255.

Based on our analysis of x-pack/plugins/security_solution/server/lib/detection_engine/signals/filter_events_with_list.ts over zoom, it appears that the invocations of tuple.matchedSet.has(eventItem) in the following code:

            if (tuple.operator === 'included') {
              // only create a signal if the event is not in the value list
              if (eventItem != null) {
                return !tuple.matchedSet.has(eventItem);
              }
              return true;
            } else if (tuple.operator === 'excluded') {
              // only create a signal if the event is in the value list
              if (eventItem != null) {
                return tuple.matchedSet.has(eventItem);
              }

would fail (using our example) to match the IP address 192.168.100.14 against a CIDR range in an ip_range value list, because the has check in the code above is checking for set membership using exact-string matching. (The has check doesn't "understand" CIDR notation.)

Although CIDR notation was used in this example, if the ip_range value list expressed an IP range using the following notation (as an alternative to CIDR):

192.168.100.0-192.168.100.255

the has checks in the code above would still fail for the same reason: the has check is an exact match that doesn't understand the IP range notation above.

Next steps

The next steps for this issue are to validate (or invalidate) the hypothesis that the has checks in the above code will fail to mach ip_range value lists that specify entries using (both) CIDR and the alternative 192.168.100.0-192.168.100.255 style IP address ranges.

Desktop (please complete the following information):

elasticmachine commented 3 years ago

Pinging @elastic/siem (Team:SIEM)

elasticmachine commented 3 years ago

Pinging @elastic/kibana-security (Team:Security Solution)

peluja1012 commented 3 years ago

Fixed by this PR: https://github.com/elastic/kibana/pull/85191