theflakes / sigma_to_wazuh

Convert Sigma rules to Wazuh rules
MIT License
57 stars 14 forks source link

Sigma Value Modifiers #21

Closed PiRomant closed 7 months ago

PiRomant commented 8 months ago

Rule without value modifiers

detection:
    selection:
        EventID:
            - 150
            - 770
            - 771

converts to

<field name="win.system.eventID" negate="no" type="pcre2">(?i)150|770|771</field>

instead of

<field name="win.system.eventID" negate="no" type="pcre2">(?i)^150$|^770$|^771$</field>

Could cause false positive with eventID = 1500, 1150... It may also affect performance. Rule source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yml#L25-L28

theflakes commented 7 months ago

Added a quick logic check for this. Unfortunately don't have time to continue much dev on this tool though. Hope it works for you now. A quick check shows it working for me.

theflakes commented 7 months ago

Just a note, code is looking for anything that is an int in a sigma field value and then creating the regex exact match logic in the Wazuh rule. Could create unintended false negatives in other fields with ints as values

PiRomant commented 7 months ago

Did you only fix for integer values? The same problem applies to string values.

theflakes commented 7 months ago

Doing this for all string values wouldn't be a good solution. Maybe you can add an option for some field names to allow this? I really don't support it anymore.