Closed pcoccoli closed 1 year ago
Looks like the escaping still has an issue.
The data in the store is C:\Windows\system32\svchost.exe ...
Query to our elasticsearch instance using the stix-shifter command line utility (bash escaped):
[process:command_line MATCHES '.*system32\\\\\\\\svchost.exe.*'] START t'2021-10-20T00:00:00Z' STOP t'2021-10-21T00:00:00Z'
[process:command_line MATCHES '.*system32\\\\\\svchost.exe.*'] START t'2021-10-20T00:00:00Z' STOP t'2021-10-21T00:00:00Z'
[process:command_line MATCHES '.*system32\\\\svchost.exe.*'] START t'2021-10-20T00:00:00Z' STOP t'2021-10-21T00:00:00Z'
[process:command_line MATCHES '.*system32\\svchost.exe.*'] START t'2021-10-20T00:00:00Z' STOP t'2021-10-21T00:00:00Z'
The printed return (segment of it) from the first case using the stix-shifter command line utility is:
"working_directory": "C:\\Windows\\system32\\"
"command_line": "C:\\Windows\\system32\\services.exe"
"command_line": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s wuauserv",
"C:\\Windows\\system32\\svchost.exe",
"C:\\Windows\\system32\\services.exe"
"working_directory": "C:\\Windows\\system32\\"
"command_line": "C:\\Windows\\system32\\services.exe"
"command_line": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s wlidsvc",
Only 4 backslashes work correctly, not 2 or 8.
svchost2 = GET process FROM stixshifter://host101
WHERE command_line MATCHES '.*system32\\\\svchost.exe.*'
AND x-oca-event:action = 'Process Create (rule: ProcessCreate)'
START 2021-10-20T00:00:00.000Z STOP 2021-10-21T00:00:00.000Z
WHERE command_line MATCHES '.*system32\\svchost.exe.*'
Issue confirmed.
The upper-layer Python code needs to put 4 backslash chars to match 1 backslash char in the data, which should not be expected. The expected way should be: to match 1 backslash char in the data, the upper-layer Python code needs to have 2 backslash chars in the raw string.
stix-shifter behaves consistently with stix2matcher (used in the Kestrel stix-bundle interface), both of which need 4 backslashes in the raw string to match 1 backslash in the data. Both need correction.
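To make the backslash arithmetic in this thread concrete, here is an added example (not code from Kestrel, stix-shifter or stix2matcher) that walks the two escaping layers below the Python source literal: the STIX pattern string literal, read strictly by the STIX 2.1 grammar (assumption: inside '...' only `\\` and `\'` are valid escapes), and the regular expression it decodes to, where `\\` matches one literal backslash. The `evaluate`/`table` helpers and the sample record are constructed for the example; the pattern text is the thread's own, with the backslash count varied from 1 to 8.

```python
"""Which backslash count in a STIX MATCHES pattern reaches one backslash in the data.

Added example for this thread, not code from Kestrel, stix-shifter or stix2matcher.
Two layers are modelled:
  1. the STIX 2.1 pattern string literal, whose grammar (strict reading, an
     assumption of this example) allows only \\\\ and \\' as escapes inside '...';
  2. the regular expression, where \\\\ matches exactly one backslash.
"""
import re

# Constructed sample record, similar to the command lines shown in the thread.
DATA = r"C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv"

# The thread's pattern, with the regex body left as a placeholder.
PATTERN_TEMPLATE = ("[process:command_line MATCHES '%s'] "
                    "START t'2021-10-20T00:00:00Z' STOP t'2021-10-21T00:00:00Z'")


def unescape_stix_string_literal(body: str) -> str:
    """Decode the body of a STIX pattern string literal ('...').

    Only \\\\ -> \\ and \\' -> ' are valid; any other backslash sequence is a
    syntax error under the STIX 2.1 grammar and is rejected here.
    """
    out = []
    i = 0
    while i < len(body):
        if body[i] == "\\":
            if i + 1 < len(body) and body[i + 1] in ("\\", "'"):
                out.append(body[i + 1])
                i += 2
                continue
            raise ValueError("invalid escape in STIX string literal at offset %d" % i)
        out.append(body[i])
        i += 1
    return "".join(out)


def pattern_with_backslashes(n: int) -> str:
    """Build the thread's pattern with n backslashes between system32 and svchost."""
    return PATTERN_TEMPLATE % (".*system32" + "\\" * n + "svchost.exe.*")


def evaluate(pattern_text: str, data: str) -> str:
    """Return 'match', 'no match' or 'invalid' for one MATCHES comparison.

    Hypothetical helper: it handles only the single-comparison shape used in
    the thread, not general STIX pattern syntax.
    """
    m = re.match(r"\[process:command_line MATCHES '(.*)'\] START ", pattern_text)
    if m is None:
        raise ValueError("unsupported pattern shape")
    try:
        regex = re.compile(unescape_stix_string_literal(m.group(1)))
    except (ValueError, re.error):
        return "invalid"
    return "match" if regex.search(data) else "no match"


def table(max_n: int = 8) -> dict:
    """Map each backslash count in the pattern text to the outcome against DATA."""
    return {n: evaluate(pattern_with_backslashes(n), DATA) for n in range(1, max_n + 1)}


if __name__ == "__main__":
    for n, outcome in table().items():
        print("%d backslash(es) in pattern text -> %s" % (n, outcome))
```

Under this reading, the pattern text needs 4 backslashes to reach the one backslash in the data: the STIX literal layer halves them to 2, and the regex layer halves them again to the single character being matched. Two backslashes decode to the regex `\s` (whitespace), eight decode to two literal backslashes, and odd counts are not even valid STIX string literals. Whatever the Python source literal looks like on top of this (raw or not) only changes how many characters the programmer types, not how many the STIX parser must see.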
Describe the bug
There are multiple regular expressions in regular (not raw) strings that single-escape the RE backslash, but it's interpreted as a Python string escape.
To Reproduce
Steps to reproduce the behavior:
pytest
Expected behavior
Should use raw strings for regular expressions
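As an added example for the bug report above (not code from the project), the following shows why a regex kept in a non-raw Python string literal misbehaves: the string-literal escapes are processed before the `re` module sees the text, so `"\b"` is already a backspace character and `"\\"` is already a single backslash that `re` then reads as the start of an escape. The sample command lines are constructed; `grep`, `count_matches` and `literal_regex` are helper names chosen for the example.

```python
"""Raw vs. non-raw Python string literals holding regular expressions.

Added example for the bug report above, not code from the project. Python's
string-literal escapes run before the re module ever sees the text, so a
non-raw literal silently changes the pattern. The sample lines are constructed.
"""
import re

# Constructed command lines; each backslash is one real backslash character.
LINES = [
    r"C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",
    r"C:\Windows\system32\services.exe",
    r"C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc",
]

# Intended regex: word boundary, svchost.exe, word boundary.
NON_RAW_BOUNDARY = "\bsvchost\\.exe\b"   # "\b" is a backspace (0x08) here, not a boundary
RAW_BOUNDARY = r"\bsvchost\.exe\b"        # the regex engine receives \b as written

# Intended regex: "system32", one literal backslash, "svchost".
NON_RAW_PATH = "system32\\svchost"        # re sees system32\svchost -> \s is whitespace
RAW_PATH = r"system32\\svchost"           # re sees \\ -> exactly one literal backslash


def grep(pattern: str, lines) -> list:
    """Return the lines matched by the compiled pattern (re.search semantics)."""
    rx = re.compile(pattern)
    return [line for line in lines if rx.search(line)]


def count_matches(pattern: str) -> int:
    """Number of constructed sample lines the pattern matches."""
    return len(grep(pattern, LINES))


def literal_regex(fragment: str) -> str:
    """Regex that matches the fragment verbatim; re.escape handles the backslashes
    and dots, so the caller never counts escape levels by hand."""
    return re.escape(fragment)


if __name__ == "__main__":
    for name, pat in [("NON_RAW_BOUNDARY", NON_RAW_BOUNDARY), ("RAW_BOUNDARY", RAW_BOUNDARY),
                      ("NON_RAW_PATH", NON_RAW_PATH), ("RAW_PATH", RAW_PATH)]:
        print("%-17s re sees %-24r -> %d match(es)" % (name, pat, count_matches(pat)))
    print("re.escape:        %r -> %d match(es)" % (
        literal_regex(r"system32\svchost.exe"), count_matches(literal_regex(r"system32\svchost.exe"))))
```

The two non-raw patterns match nothing, and they fail silently rather than raising, which is exactly how this class of bug survives until someone searches for a Windows path. Raw strings fix the hand-written patterns; `re.escape` removes the counting problem entirely when the pattern is built from a literal path.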