Security Analytics enables users to detect security threats in their security event log data. It also allows them to modify or tailor the pre-packaged solution.
Apache License 2.0 · 72 stars · 74 forks
[BUG] Sigma rule creation does not accept IPv6 addresses as a value/list when defining a selection map with the CIDR modifier. #1252
What is the bug?
When creating a Sigma rule with a detection criterion that uses a Map with Modifier=CIDR, you will get this error message: _"[security_analytics_exception] Invalid IPv4 CIDR expression"_ if the value of the map is an IPv6 address.
How can one reproduce the bug?
Steps to reproduce the behavior:

1. Go to the '[Security Analytics][Detection rules][Create detection rule]' page in OpenSearch.
2. Define a rule with a detection map that includes, for example:
   - Key: ip.address
   - Modifier: CIDR
   - Value: 2a03:2880:f132:83:face:b00c::/96
3. Press "Create detection rule".
4. Get this error: _"[security_analytics_exception] Invalid IPv4 CIDR expression"_
What is the expected behavior?
It should work with both IPv4 and IPv6 addresses according to the Sigma rules documentation, ref: https://sigmahq.io/docs/basics/modifiers.html#cidr
What is your host/environment?
Do you have any screenshots? If applicable, add screenshots to help explain your problem.
Do you have any additional context?
It looks like the implementation of the "Sigma Modifiers" in OpenSearch does not support IPv6 addresses with the CIDR modifier, if I interpret this code correctly: https://github.com/opensearch-project/security-analytics/blob/3e1f59d00125f522f565014bb7bd4d8ea8df2d73/src/main/java/org/opensearch/securityanalytics/rules/types/SigmaCIDRExpression.java
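For reference, the behaviour the Sigma documentation describes for the `cidr` modifier, written as an added Python example; this is not code from the security-analytics project or from the reporter. It parses rule values of either address family with the standard-library `ipaddress` module (rejecting malformed values and host bits at rule-creation time, so a bad rule fails early rather than silently never matching), then evaluates constructed sample events against the IPv6 prefix from the report plus an IPv4 prefix. The field name `ip.address` is taken from the report; the event records and the second prefix are constructed for the example.

```python
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Rule values: the IPv6 prefix from the bug report plus a constructed IPv4 prefix.
RULE_CIDRS = ["2a03:2880:f132:83:face:b00c::/96", "10.0.0.0/8"]

# Constructed sample events (not taken from the issue).
SAMPLE_EVENTS = [
    {"ip.address": "2a03:2880:f132:83:face:b00c:0:1"},  # inside the IPv6 /96
    {"ip.address": "2a03:2880:f132:83:face:b00d::1"},   # outside it (b00d != b00c)
    {"ip.address": "10.20.30.40"},                       # inside 10.0.0.0/8
    {"ip.address": "192.0.2.7"},                         # outside both prefixes
    {"ip.address": "not-an-ip"},                         # malformed field content
]


def parse_cidr(text: str) -> Network:
    """Parse a CIDR value of either family.

    ip_network() accepts IPv4 and IPv6 alike; strict=True (the default) raises
    ValueError when host bits are set, so '10.0.0.1/8' is rejected as a rule value.
    """
    return ipaddress.ip_network(text.strip(), strict=True)


def is_valid_cidr(text: str) -> bool:
    """Rule-creation check: True for a well-formed IPv4 or IPv6 CIDR, False otherwise."""
    try:
        parse_cidr(text)
    except ValueError:
        return False
    return True


def cidr_matches(field_value: str, networks: Iterable[Network]) -> bool:
    """True if the event field holds an IP address contained in any rule network."""
    try:
        addr = ipaddress.ip_address(field_value)
    except ValueError:
        return False  # non-IP field content never matches a CIDR rule
    # Membership is only meaningful within one address family; the explicit
    # version check documents that a v4 address never matches a v6 prefix.
    return any(addr.version == net.version and addr in net for net in networks)


def evaluate_rule(events: List[dict], cidr_values: Iterable[str], field: str = "ip.address") -> List[dict]:
    """Validate the rule values once, then return the events whose field matches."""
    networks = [parse_cidr(v) for v in cidr_values]  # raises ValueError on a bad rule
    return [e for e in events if cidr_matches(e.get(field, ""), networks)]


if __name__ == "__main__":
    for value in RULE_CIDRS + ["10.0.0.0/33", "2a03:2880:f132:83:face:b00c::1/96"]:
        print(f"{value:45} valid={is_valid_cidr(value)}")
    for event in evaluate_rule(SAMPLE_EVENTS, RULE_CIDRS):
        print("match:", event["ip.address"])
```

Validation and matching are split on purpose: `is_valid_cidr` is what a rule editor should call when the detection map is saved, and it returns True for the IPv6 value from the report, while `cidr_matches` is the per-event check.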