oasis-tcs / cti-stix2

OASIS CTI TC: Provides issue tracking and wiki pages for the STIX 2.x Work Products
https://github.com/oasis-tcs/cti-stix2

STIX Patterning language needs to support specifying case-sensitivity for property matching #53

Open treyka opened 6 years ago

gtback commented 6 years ago

We should be clear about which operators this applies to. For example, MATCHES uses a regular expression, and you can express case-sensitivity there. We could also consider a new, special-purpose "= with case ignored" operator.

Also (surprise!) I'd like to wait until STIX 2.2 or later to address this.

johnwunder commented 6 years ago

Given we can use MATCHES to do this, is it really necessary to add it to the other operators?

JasonKeirstead commented 6 years ago

Use case: Windows registry key names are not case sensitive.

Re above @johnwunder comment - yes we can do this using Regex, but it is cumbersome and painful to force people to do this all the time.
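The MATCHES workaround discussed above, as an added example that is not part of the original thread or of any OASIS code: it builds a case-insensitive equality test for a Windows registry key, where the literal has to be escaped once for the PCRE regex and again for the STIX string literal. The helper names and the sample key values are constructed for illustration.

```python
import re

# Characters that are special in a PCRE pattern outside a character class.
PCRE_META = set("\\^$.|?*+()[]{}")


def regex_for(literal: str) -> str:
    """Anchored, case-insensitive regex that matches exactly `literal`."""
    escaped = "".join("\\" + c if c in PCRE_META else c for c in literal)
    return "(?i)^" + escaped + "$"


def stix_string_literal(s: str) -> str:
    """Quote `s` as a STIX pattern string: backslash and ' are backslash-escaped."""
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"


def case_insensitive_equals(object_path: str, literal: str) -> str:
    """STIX comparison expression standing in for a case-insensitive '='."""
    return f"[{object_path} MATCHES {stix_string_literal(regex_for(literal))}]"


def matches(literal: str, observed: str) -> bool:
    """Local check of the generated regex (the (?i)^...$ form is also valid in Python's re)."""
    return re.search(regex_for(literal), observed) is not None


if __name__ == "__main__":
    # Constructed sample value, not taken from the thread.
    key = r"HKEY_LOCAL_MACHINE\Software\Run"
    # Each path separator ends up as four backslashes in the pattern text.
    print(case_insensitive_equals("windows-registry-key:key", key))
    print(matches(key, r"hkey_local_machine\SOFTWARE\run"))      # same key, different case
    print(matches(key, r"HKEY_LOCAL_MACHINE\Software\RunOnce"))  # different key
```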

gtback commented 6 years ago

@JasonKeirstead: Do you see any reason this would be needed on operators besides =? Can we just add another operator (maybe ~) for case-insensitive equality matching? And maybe !~ if we also want to support case-insensitive not-equals?

JasonKeirstead commented 6 years ago

I would be fine with ~

ikiril01 commented 6 years ago

The ~ approach seems to work well. However, we'd also need to support usage of this in any operators that can perform lexical evaluations, i.e., >, <, etc. So we'd get something like: process:name IN (~'proccy', ~'proximus', ~'badproc')

One edge case we'd have to determine is what to do with the LIKE operator and case-insensitive matching.

jordan2175 commented 5 years ago

We talked about this on 2019-06-05 and agreed to push to 2.2