zeroSteiner / rule-engine

A lightweight, optionally typed expression language with a custom grammar for matching arbitrary Python objects.
https://zerosteiner.github.io/rule-engine/
BSD 3-Clause "New" or "Revised" License

Rule().matches stuck, no result returned #59

Closed tianguoxin closed 1 month ago

tianguoxin commented 1 year ago

rule_engine is a great feature to use, but I'm running into some issues. The following code will get stuck, no error will be reported, and there will be no return value. Looking forward to your reply and good luck.

```python
from rule_engine import Context, Rule

# Sysmon file-create event used as the object the rules are matched against.
event = {
    'RuleName': '-',
    'UtcTime': '2023-05-29 08:59:49.311',
    'ProcessGuid': '{8ec1d6e5-fad3-6473-4300-00000000b000}',
    'ProcessId': '3972',
    'Image': r'C:\WINDOWS\System32\svchost.exe',
    'TargetFilename': r'c:\windows\system32\winevt\logs\archive-microsoft-windows-sysmon%4operational',
    'CreationUtcTime': '2023-05-29 08:59:49.311',
    'User': r'NT AUTHORITY\LOCAL SERVICE',
}

# Regex rule strings exactly as posted; matches() never returns for these.
rules = [
    Rule('TargetFilename.as_lower =~ "c:\\\windows\\\system32\\(.?)+.exe"', context=Context(default_value=None)),
    Rule('TargetFilename.as_lower =~ "c:\\\windows\\\system32\\(.?)+.wncryt"', context=Context(default_value=None)),
    Rule('TargetFilename.as_lower =~ "c:\\\windows\\\system32\\(.?)+.ini"', context=Context(default_value=None)),
    Rule('TargetFilename.as_lower =~ "c:\\\windows\\\system32\\(.?)+.bat"', context=Context(default_value=None)),
    Rule('TargetFilename.as_lower =~ "c:\\\windows\\\system32\\(.*?)+.bin"', context=Context(default_value=None)),
]

for myrule in rules:
    print(myrule.matches(event))
```

zeroSteiner commented 1 year ago

Looks like a string escaping issue. Until I get around to fixing it (which I may or may not do) you can add more backslashes. The literal slashes in the path for the regex (\) should be replaced with four (\\\\). Two are each to put a literal slash into the interpreted string. Then the resulting two for a literal slash in the regex.

I'll need to look into if this is actually a bug and if fixing it makes sense without breaking backwards compatibility.
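The backslash counting in the comment above is easy to get wrong by hand because the same character passes through up to three layers: the Python string literal, the rule's own `"..."` string literal, and finally the regex engine. The following is an added example (not rule-engine's code and not from the thread) that builds the rule text from the intended regex so the counting is done by code, and models the rule literal under both conventions the thread touches on: one where the engine hands the literal body to `re` verbatim, and one where it interprets `\\` and `\"` as escapes (the later comment's mention of raw strings suggests the latter). Which convention rule-engine actually applies is not settled on this page, so `interprets_escapes` is a parameter, the `=~` operator is assumed to behave like an anchored `re.match`, and the unescaping routine is an assumption rather than the project's parser. The sample event values are the two paths from the report.

```python
import re

# Constructed sample event; the two paths are copied from the issue report.
SAMPLE_EVENT = {
    'Image': r'C:\WINDOWS\System32\svchost.exe',
    'TargetFilename': r'c:\windows\system32\winevt\logs\archive-microsoft-windows-sysmon%4operational',
}

# The regex the reporter appears to want: a literal directory prefix, then
# anything, then ".exe". re.escape doubles the path backslashes so the regex
# engine reads them literally instead of as the classes \w and \s.
REGEX = re.escape('c:\\windows\\system32\\') + r'.*\.exe'


def rule_literal(regex, interprets_escapes):
    """Body to place between the rule's double quotes so `regex` survives.

    interprets_escapes=True models an engine that treats \\ and \" inside its
    string literal as escapes, so every regex backslash must be doubled;
    False models an engine that passes the body to re verbatim.
    """
    if interprets_escapes:
        return regex.replace('\\', '\\\\').replace('"', '\\"')
    if '"' in regex:
        raise ValueError('a verbatim literal cannot contain a double quote')
    return regex


def rule_text(attribute, regex, interprets_escapes):
    """Full rule source: <attribute>.as_lower =~ "<escaped regex>"."""
    return '%s.as_lower =~ "%s"' % (attribute, rule_literal(regex, interprets_escapes))


def python_source(text):
    """The rule text as it has to be typed inside a Python string literal."""
    return repr(text)


def model_unescape(body, interprets_escapes):
    """Assumed model of the engine's string-literal processing (not rule-engine code).

    Only \\ and \" are treated as escapes; any other backslash sequence is
    passed through unchanged to the regex engine.
    """
    if not interprets_escapes:
        return body
    out, i = [], 0
    while i < len(body):
        if body[i] == '\\' and i + 1 < len(body) and body[i + 1] in '\\"':
            out.append(body[i + 1])
            i += 2
        else:
            out.append(body[i])
            i += 1
    return ''.join(out)


_RULE = re.compile(r'^(\w+)\.as_lower =~ "(.*)"$')


def evaluate(text, event, interprets_escapes):
    """Evaluate the rule by hand: unescape the literal under the chosen model,
    lower-case the attribute and match anchored at the start (assumed =~ semantics)."""
    attribute, body = _RULE.match(text).groups()
    regex = model_unescape(body, interprets_escapes)
    return re.match(regex, event[attribute].lower()) is not None


def backslashes_per_separator(interprets_escapes):
    """How many backslashes one path separator costs at each of the layers."""
    regex = re.escape('\\')  # the regex itself needs \\ for one literal backslash
    body = rule_literal(regex, interprets_escapes)
    return {
        'regex': regex.count('\\'),
        'rule_literal': body.count('\\'),
        'python_source': python_source(body).count('\\'),
    }


if __name__ == '__main__':
    for model in (True, False):
        text = rule_text('Image', REGEX, model)
        print('engine interprets escapes:', model)
        print('  type this in Python :', python_source(text))
        print('  per separator        :', backslashes_per_separator(model))
        print('  matches Image        :', evaluate(text, SAMPLE_EVENT, model))
        print('  wrong-model mismatch :', evaluate(text, SAMPLE_EVENT, not model))
```

Running it shows the count the first comment gives (four backslashes in the Python source per path separator) falls out of the verbatim model, while an engine that interprets escapes needs eight. It also shows that a rule written for one convention silently fails to match under the other rather than raising, which is why generating the literal from `re.escape` and a single known convention is safer than counting backslashes by hand.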

zeroSteiner commented 1 month ago

I don't think this makes sense to implement with an update to the string data type. This would probably be best implemented through a syntax for raw strings like what Python has (as prefixed with r). I think it'd only require updates to the parser code, because the result would still be a string expression. It probably wouldn't be too difficult. If a ticket requesting that is opened, I might look into it, but I'm going to close this out as there isn't exactly an issue here.