opensearch-project / security-analytics

Security Analytics enables users to detect security threats in their security event log data. It also allows them to modify and tailor the pre-packaged solution.
Apache License 2.0

[BUG] Sigma rule creation does not accept IPv6 addresses as a value/list when defining a selection map with the CIDR modifier. #1252

Open rafaelma opened 2 months ago

rafaelma commented 2 months ago

What is the bug?

When creating a Sigma rule with a detection criterion that uses a map with Modifier=CIDR, you will get this error message: _"[security_analytics_exception] Invalid IPv4 CIDR expression"_ if the value of the map is an IPv6 address.

How can one reproduce the bug?

Steps to reproduce the behavior:

  1. Go to the [Security Analytics][Detection rules][Create detection rule] page in OpenSearch
  2. Define a rule with a detection map that includes, for example: Key: ip.address, Modifier: CIDR, Value: 2a03:2880:f132:83:face:b00c::/96
  3. Press "Create detection rule"
  4. Get this error _"[security_analytics_exception] Invalid IPv4 CIDR expression"_

What is the expected behavior?

It should work with both IPv4 and IPv6 addresses according to the Sigma rules documentation, ref: https://sigmahq.io/docs/basics/modifiers.html#cidr

What is your host/environment?

```text
# /usr/share/opensearch/bin/opensearch-plugin list
opensearch-alerting
opensearch-anomaly-detection
opensearch-asynchronous-search
opensearch-cross-cluster-replication
opensearch-custom-codecs
opensearch-flow-framework
opensearch-geospatial
opensearch-index-management
opensearch-job-scheduler
opensearch-knn
opensearch-ml
opensearch-neural-search
opensearch-notifications
opensearch-notifications-core
opensearch-observability
opensearch-performance-analyzer
opensearch-reports-scheduler
opensearch-security
opensearch-security-analytics
opensearch-skills
opensearch-sql
```

Do you have any screenshots? If applicable, add screenshots to help explain your problem.

[screenshot: error]

Do you have any additional context?

It looks like the implementation of the "Sigma Modifiers" in OpenSearch does not support IPv6 addresses with the CIDR modifier if I interpret this code correctly: https://github.com/opensearch-project/security-analytics/blob/3e1f59d00125f522f565014bb7bd4d8ea8df2d73/src/main/java/org/opensearch/securityanalytics/rules/types/SigmaCIDRExpression.java
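The behaviour the Sigma specification asks for, as an added example that is not part of the report above and not code from the security-analytics project: a CIDR modifier value is parsed by address family (so an IPv6 range is never run through an IPv4-only check), rendered to wildcard patterns for backends without native CIDR matching, and evaluated against events by real network containment. The field name `ip.address` and the `/96` range are taken from the report; the sample events, the helper names and the octet/hextet wildcard expansion strategy are assumptions made for this illustration.

```python
"""
Sigma ``|cidr`` modifier handling that accepts IPv4 and IPv6, as the Sigma
specification requires. Added illustration only; not code from
opensearch-project/security-analytics.
"""
import ipaddress
from typing import Dict, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_cidr(value: str) -> Network:
    """Parse a CIDR value of either family; raise ValueError for anything else.

    ipaddress.ip_network dispatches on the address family itself, so there is
    no IPv4-only code path that could reject an IPv6 range. strict=False
    tolerates host bits in the value (10.1.2.3/24 becomes 10.1.2.0/24).
    """
    return ipaddress.ip_network(value.strip(), strict=False)


def is_valid_cidr(value: str) -> bool:
    """True if the value parses as an IPv4 or IPv6 CIDR range."""
    try:
        parse_cidr(value)
        return True
    except ValueError:
        return False


def cidr_to_wildcards(value: str, wildcard: str = "*") -> List[str]:
    """Expand a CIDR range into wildcard string patterns.

    Assumed rendering strategy for backends without native CIDR matching:
    IPv4 is cut on 8-bit octet boundaries, IPv6 on 16-bit hextet boundaries
    of the exploded (uncompressed) address. A prefix length that does not
    fall on a boundary is expanded into every boundary-aligned sub-range.
    """
    net = parse_cidr(value)
    if net.version == 4:
        group_bits, sep, groups = 8, ".", 4
    else:
        group_bits, sep, groups = 16, ":", 8
    # Smallest boundary-aligned prefix length that still covers the range.
    aligned = -(-net.prefixlen // group_bits) * group_bits
    keep = aligned // group_bits
    if keep == 0:
        return [wildcard]  # a /0 range matches everything
    patterns = []
    for sub in net.subnets(new_prefix=aligned):
        parts = sub.network_address.exploded.split(sep)[:keep]
        if keep == groups:
            patterns.append(sep.join(parts))  # single host, no wildcard needed
        else:
            patterns.append(sep.join(parts) + sep + wildcard)
    return patterns


def evaluate_cidr_selection(events: List[Dict[str, str]], field: str,
                            cidrs: List[str]) -> List[str]:
    """Apply a Sigma selection ``<field>|cidr: [ranges]`` to a list of events.

    Uses network containment rather than string patterns, so compressed and
    uncompressed spellings of the same IPv6 address both match. Returns the
    field values of the events that hit.
    """
    nets = [parse_cidr(c) for c in cidrs]
    hits = []
    for event in events:
        try:
            addr = ipaddress.ip_address(event.get(field, ""))
        except ValueError:
            continue  # field missing or not an IP address: no match
        # `addr in net` is False across families, so v4 and v6 ranges can be mixed.
        if any(addr in net for net in nets):
            hits.append(event[field])
    return hits


# Constructed sample events; ip.address is the field name from the report.
SAMPLE_EVENTS = [
    {"ip.address": "2a03:2880:f132:83:face:b00c:0:1"},
    {"ip.address": "2a03:2880:f132:0083:face:b00c:1234:5678"},
    {"ip.address": "2a03:2880:f132:83:face:b00d::1"},
    {"ip.address": "192.168.17.44"},
    {"ip.address": "10.0.0.5"},
    {"ip.address": "not-an-ip"},
]

RULE_CIDRS = ["2a03:2880:f132:83:face:b00c::/96", "192.168.16.0/20"]


def demo() -> List[str]:
    """Run the selection from the report over the constructed events."""
    for cidr in RULE_CIDRS:
        print(cidr, "->", cidr_to_wildcards(cidr))
    return evaluate_cidr_selection(SAMPLE_EVENTS, "ip.address", RULE_CIDRS)


if __name__ == "__main__":
    print(demo())
```

One caveat for anyone implementing the wildcard route: the IPv6 patterns are built from the exploded form (`2a03:2880:f132:0083:...`), so they will not match a log that stores the compressed spelling (`2a03:2880:f132:83:...`). Where the backend has an `ip` field type with native CIDR queries, translating the modifier to that is both simpler and correct for every spelling.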

dblock commented 2 months ago

[Weekly Catch All Triage - 1]