Inspecting the code in x-pack/plugins/security_solution/server/lib/detection_engine/signals/filter_events_with_list.ts to determine whether or not Detection Engine would, for example, match a specific source.ip address 192.168.100.14 against (for example) an ip_range value list named cidr.txt with the following contents:
192.168.100.14/24
Using this CIDR to IPv4 Address Range utility, we can see the CIDR notation 192.168.100.14/24 translates to the range 192.168.100.0 to 192.168.100.255. Thus, at runtime, detection engine should flag a source.ip with a value of 192.168.100.14 as an exception because it falls within the range of 192.168.100.0 to 192.168.100.255.
Based on our analysis of x-pack/plugins/security_solution/server/lib/detection_engine/signals/filter_events_with_list.ts over zoom, it appears that the invocations of tuple.matchedSet.has(eventItem) in the following code:
if (tuple.operator === 'included') {
// only create a signal if the event is not in the value list
if (eventItem != null) {
return !tuple.matchedSet.has(eventItem);
}
return true;
} else if (tuple.operator === 'excluded') {
// only create a signal if the event is in the value list
if (eventItem != null) {
return tuple.matchedSet.has(eventItem);
}
would fail (using our example) to match the IP address 192.168.100.14 against a CIDR range in an ip_range value list, because the has check in the code above is checking for set membership using exact-string matching. (The has check doesn't "understand" CIDR notation.)
Although CIDR notation was used in this example, if the ip_range value list expressed an IP range using the following notation (as an alternative to CIDR):
192.168.100.0-192.168.100.255
the has checks in the code above would still fail for the same reason: the has check is an exact match that doesn't understand the IP range notation above.
Next steps
The next steps for this issue are to validate (or invalidate) the hypothesis that the has checks in the above code will fail to mach ip_range value lists that specify entries using (both) CIDR and the alternative 192.168.100.0-192.168.100.255 style IP address ranges.
Desktop (please complete the following information):
Related to https://github.com/elastic/kibana/issues/79511
Summary
Inspecting the code in
x-pack/plugins/security_solution/server/lib/detection_engine/signals/filter_events_with_list.ts
to determine whether or not Detection Engine would, for example, match a specificsource.ip
address192.168.100.14
against (for example) anip_range
value list namedcidr.txt
with the following contents:Using this CIDR to IPv4 Address Range utility, we can see the CIDR notation
192.168.100.14/24
translates to the range192.168.100.0
to192.168.100.255
. Thus, at runtime, detection engine should flag asource.ip
with a value of192.168.100.14
as an exception because it falls within the range of192.168.100.0
to192.168.100.255
.Based on our analysis of
x-pack/plugins/security_solution/server/lib/detection_engine/signals/filter_events_with_list.ts
over zoom, it appears that the invocations oftuple.matchedSet.has(eventItem)
in the following code:would fail (using our example) to match the IP address
192.168.100.14
against a CIDR range in anip_range
value list, because thehas
check in the code above is checking for set membership using exact-string matching. (Thehas
check doesn't "understand" CIDR notation.)Although CIDR notation was used in this example, if the
ip_range
value list expressed an IP range using the following notation (as an alternative to CIDR):the
has
checks in the code above would still fail for the same reason: thehas
check is an exact match that doesn't understand the IP range notation above.Next steps
The next steps for this issue are to validate (or invalidate) the hypothesis that the
has
checks in the above code will fail to machip_range
value lists that specify entries using (both) CIDR and the alternative192.168.100.0-192.168.100.255
style IP address ranges.Desktop (please complete the following information):
7.9.1