Closed PiRomant closed 7 months ago
Added a quick logic check for this. Unfortunately, I don't have time to continue much development on this tool, though. Hope it works for you now. A quick check shows it working for me.
Just a note: the code is looking for anything that is an int in a Sigma field value and then creating the regex exact-match logic in the Wazuh rule. This could create unintended false negatives in other fields with ints as values.
Did you only fix this for integer values? The same problem applies to string values.
Doing this for all string values wouldn't be a good solution. Maybe you can add an option for some field names to allow this? I really don't support it anymore.
Rule without value modifiers
converts to
instead of
Could cause false positives with eventID = 1500, 1150, ... It may also affect performance. Rule source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yml#L25-L28
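To make the substring-match problem from this thread concrete, here is an added illustration (example code, not the converter's own): it renders a Sigma field value as a Wazuh field regex either unanchored or with exact-match anchors, and shows that the unanchored form matches 1500 and 1150 while the anchored form does not, for string values as well as integers. It assumes Python's `re` stands in for Wazuh's field-regex dialect, and the field names and values are constructed for the example.

```python
import re

# Constructed detection block for illustration (not the exact content of the
# linked SigmaHQ rule): one integer field and one string field.
SIGMA_DETECTION = {
    "EventID": 150,
    "Channel": "DNS Server",
}


def to_wazuh_regex(value, exact=True):
    """Render one Sigma field value as a regex for a Wazuh <field> element.

    exact=True anchors the escaped value with ^ and $, so it only matches the
    whole field value (the fix discussed in the thread).  exact=False is the
    bare substring match that lets 150 match 1500 or 1150.
    """
    escaped = re.escape(str(value))
    return f"^{escaped}$" if exact else escaped


def render_wazuh_fields(detection, exact=True):
    """Render every Sigma field as a Wazuh <field name="..."> line.

    The win.system.* prefix is an assumption about how the Windows event
    fields are named after decoding; adjust it to the decoder in use.
    """
    return [
        f'<field name="win.system.{name}">{to_wazuh_regex(val, exact)}</field>'
        for name, val in detection.items()
    ]


def field_matches(pattern, observed):
    """Test a log field value against the rendered regex (Python re is used
    here as a stand-in for Wazuh's own regex engine)."""
    return re.search(pattern, str(observed)) is not None


if __name__ == "__main__":
    for line in render_wazuh_fields(SIGMA_DETECTION, exact=False):
        print("unanchored:", line)
    for line in render_wazuh_fields(SIGMA_DETECTION, exact=True):
        print("anchored:  ", line)
    for observed in (150, 1500, 1150):
        print(observed,
              "unanchored ->", field_matches(to_wazuh_regex(150, False), observed),
              "anchored ->", field_matches(to_wazuh_regex(150, True), observed))
```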