markuskont / go-sigma-rule-engine

Golang library that implements a sigma log rule parser and match engine.
Apache License 2.0

Strings in Sigma are case-insensitive #27

Open helpless-contrib opened 1 year ago

helpless-contrib commented 1 year ago

As the spec states, all values are meant to be treated as case-insensitive strings.

When using a contains selection, the pattern is passed to the glob module, which is case-sensitive. As a result, it becomes super easy to evade detection, for example:

selection:
   - stuff|contains:
      - '*wmic*shadowcopy*delete'

will not match the string WMic ShAdOwCoPy DELete

I am no Golang dev, but I suggest either moving away from the glob module to a case-insensitive regex or pre-processing the pattern with something like this.
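The evasion described above, as an added example that is not part of the issue or of go-sigma-rule-engine: a minimal `*`-only wildcard matcher (assumed here as a stand-in for gobwas/glob, which the library actually uses) and a `contains` helper that either matches case-sensitively, reproducing the bug, or lower-cases both the rule value and the field value before matching, which is the pre-processing the reporter suggests. The function names `globMatch` and `sigmaContains` are this example's own.

```go
package main

import (
	"fmt"
	"strings"
)

// globMatch reports whether value matches pattern, where '*' matches any run
// of characters (including none). Only '*' is supported: this is a small
// stand-in for a full glob library so the example runs with the standard
// library alone.
func globMatch(pattern, value string) bool {
	parts := strings.Split(pattern, "*")
	if len(parts) == 1 {
		// No wildcard at all: plain equality.
		return pattern == value
	}
	// The literal before the first '*' must be a prefix, the literal after the
	// last '*' must be a suffix.
	if !strings.HasPrefix(value, parts[0]) {
		return false
	}
	value = value[len(parts[0]):]
	last := parts[len(parts)-1]
	if !strings.HasSuffix(value, last) {
		return false
	}
	value = value[:len(value)-len(last)]
	// Every literal in between must appear, in order, in what is left.
	for _, p := range parts[1 : len(parts)-1] {
		idx := strings.Index(value, p)
		if idx < 0 {
			return false
		}
		value = value[idx+len(p):]
	}
	return true
}

// sigmaContains mirrors the Sigma "contains" modifier: the rule value is
// wrapped in leading and trailing wildcards so it may occur anywhere in the
// field. caseInsensitive=false reproduces the case-sensitive behaviour the
// issue reports; caseInsensitive=true folds both sides first, as the spec
// requires. Folding only one side would still miss mixed-case input.
func sigmaContains(ruleValue, fieldValue string, caseInsensitive bool) bool {
	pattern := "*" + ruleValue + "*"
	if caseInsensitive {
		return globMatch(strings.ToLower(pattern), strings.ToLower(fieldValue))
	}
	return globMatch(pattern, fieldValue)
}

func main() {
	// Rule value from the issue and a constructed mixed-case event field.
	rule := "*wmic*shadowcopy*delete"
	event := "WMic ShAdOwCoPy DELete"
	fmt.Println("case-sensitive  :", sigmaContains(rule, event, false)) // false: evades the rule
	fmt.Println("case-insensitive:", sigmaContains(rule, event, true))  // true: detected
}
```

`strings.ToLower` is sufficient for the ASCII command lines Sigma rules usually target; for fields that may carry non-ASCII text, lower-casing both sides is still a reasonable approximation of the spec's intent, but full Unicode case folding (`strings.EqualFold` for whole-string comparisons) handles more edge cases. Folding once at rule-load time keeps the per-event cost at a single `ToLower` of the field, which is far cheaper than switching every pattern to a regex.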

newodahs commented 1 month ago

I made a fix for this, though I think it may still have an issue in the keyword code; I was just hacking through quickly, so I didn't spend much time. If it's also an issue there, it should be a simple update.

One thing to note: we use the gobwas/glob library and not the builtin Golang stuff, as the latter does not support everything Sigma does. It should also be noted that while regex has gotten better in Golang, it still lags in performance generally, especially compared to the builtin comparisons, so we should watch that carefully.