Sigma has a different set of rules than the Glob library for escaping, so this change attempts to
translate from Sigma escaping to gobwas/glob escaping. For the most part we don't touch much of the
escaped string; generally only when we see an unbalanced escaped backslash (ex. '\' in Sigma needs to
translated to '\\' for glob, '\\\' needs to translate to '\\\\', etc...).
Generally we only need to really watch for runs of backslashes by themselves, in the case where you see
a special character ('?' or '*') with an escape, any run of additional escapes should be valid by convention
(e.g. '\\*' per Sigma is an escaped backslash with a wildcard while '\\\*' is an escaped backslash and escaped
wildcard).
This commit addresses that need as prior to it we were matching imprecisely; rules like '\someStr' are a case where the glob library would drop the leading backslash and match 'someStr' rather than '\someStr', which is especially troublesome for contains modified rules ('\someStr' => 'someStr' => '*someStr*').
While addressing this, I also realized the glob-matching also does something special with curly { } and square [ ] brackets; since Sigma does not treat these specially and in fact, they can appear semi-frequently in rules as part of a comparison, we should auto-escape them otherwise globbing will try to treat them as a list or range (respectively) and may not match correctly.
I added a bunch of testing for this escaping functionality, so hopefully it won't cause any surprises anywhere; generally this should get us closer to more accurate matching.
Fix for https://github.com/markuskont/go-sigma-rule-engine/issues/13
Sigma has a different set of rules than the Glob library for escaping, so this change attempts to translate from Sigma escaping to gobwas/glob escaping. For the most part we don't touch much of the escaped string; generally only when we see an unbalanced escaped backslash (ex.
'\'
in Sigma needs to translated to'\\'
for glob,'\\\'
needs to translate to'\\\\'
, etc...).Generally we only need to really watch for runs of backslashes by themselves, in the case where you see a special character (
'?'
or'*'
) with an escape, any run of additional escapes should be valid by convention (e.g.'\\*'
per Sigma is an escaped backslash with a wildcard while'\\\*'
is an escaped backslash and escaped wildcard).This commit addresses that need as prior to it we were matching imprecisely; rules like
'\someStr'
are a case where the glob library would drop the leading backslash and match'someStr'
rather than'\someStr'
, which is especially troublesome forcontains
modified rules ('\someStr' => 'someStr' => '*someStr*'
).While addressing this, I also realized the glob-matching also does something special with curly
{ }
and square[ ]
brackets; since Sigma does not treat these specially and in fact, they can appear semi-frequently in rules as part of a comparison, we should auto-escape them otherwise globbing will try to treat them as a list or range (respectively) and may not match correctly.I added a bunch of testing for this escaping functionality, so hopefully it won't cause any surprises anywhere; generally this should get us closer to more accurate matching.