SIGMA rule translation -> lucene query replaces spaces " " with "_ws_" which lucene doesn't understand. #1024
Comments
Just wondering if there has been any movement on this and if a fix is coming in 2.15. Thanks!

@sbcd90 - good afternoon. Do you have any suggestion how I could get some attention to this bug? I wish I were a developer, but I'm unable to contribute a fix myself. I welcome any suggestions. Thank you.

@praveensameneni Hi Praveen, this bug has been open for a long time. Do you have any suggestion how I can get some attention to it? I'm not a developer, but can I buy someone a pizza?

hi @ELKHostmaster , will work on it for the next release.

@sbcd90 Awesome! Thank you very much.

Hi everyone, just checking whether anyone out there has found an alternative for now? Thank you,

Sadly no. Been waiting since May for a fix. I wish I could bribe someone with a pizza and beer for some fixes. Unfortunately, I'm not a developer, so I'm just patiently waiting.

Hi @sbcd90 , do you know if it should be available in 2.19, since it looks like the bug is still there in 2.18? Thank you very much,

Will this be fixed in 2.19? It feels like the Security Analytics module is not getting the attention it deserves. Lots of untriaged and open issues. Little to no feedback in GitHub and Slack channels. Will this module be supported long-term?

@sbcd90 good morning. Will this patch make it into the 2.19 release? This is a really bad bug that has plagued us for the better part of a year now. @rios0rios0 thank you again for supporting this fix!
What is the bug?
A Sigma rule with a whitespace gets incorrectly translated to a search query with "_ws_" instead of the whitespace.
How can one reproduce the bug?
```yaml
detection:
  condition: (selection and selection_evt) and not filter_main_known_locations
  filter_main_known_locations:
    process.executable|contains:
      - C:\Program Files (x86)\Windows Defender\
      - C:\Program Files\Microsoft Security Client\
      - C:\Program Files\Windows Defender\
      - C:\ProgramData\Microsoft\Windows Defender\Platform\
      - C:\Windows\WinSxS\
  selection:
    process.name:
      - MpCmdRun.exe
      - NisSrv.exe
  selection_evt:
    event.code: 1
    event.module: sysmon
```

Results in:

```
(((process.name: "MpCmdRun.exe") OR (process.name: "NisSrv.exe")) AND ((event.code: 1) AND (event.module: "sysmon"))) AND ((((NOT process.executable: C:\Program_ws_Files_ws_(x86)\Windows_ws_Defender\ AND exists: process.executable) AND (NOT process.executable: C:\Program_ws_Files\Microsoft_ws_Security_ws_Client\ AND exists: process.executable) AND (NOT process.executable: C:\Program_ws_Files\Windows_ws_Defender\ AND exists: process.executable) AND (NOT process.executable: C:\ProgramData\Microsoft\Windows_ws_Defender\Platform\ AND exists: process.executable) AND (NOT process.executable: C:\Windows\WinSxS\ AND exists: process.executable))))
```
What is the expected behavior?
A whitespace should work properly in a Sigma rule that is translated to a Lucene query.
What is your host/environment?
OS 2.13
Do you have any additional context?
Looking in GitHub, I can see where the "_ws_" is being set. Not sure why.
https://github.com/search?q=repo%3Aopensearch-project%2Fsecurity-analytics%20%20_ws_&type=code
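As an added illustration (my own code, not the security-analytics project's translator), the rule's `process.executable|contains` filter rendered with the Lucene query-string escaping that is my assumption of the intended output (every special character and each space backslash-escaped, so the value survives as a single wildcard term), beside a small check that flags the `_ws_` placeholder in a generated query.

```python
# Characters the Lucene query-string parser treats specially (OpenSearch lists
# + - = && || > < ! ( ) { } [ ] ^ " ~ * ? : \ /), plus the space character.
# A value with spaces must stay one unquoted term because Sigma's |contains
# becomes *value*, and wildcards are not allowed inside a quoted phrase.
LUCENE_SPECIAL = set('+-=&|><!(){}[]^"~*?:\\/ ')


def escape_lucene_term(value: str) -> str:
    """Backslash-escape every special character, spaces included."""
    return "".join("\\" + ch if ch in LUCENE_SPECIAL else ch for ch in value)


def contains_clause(field: str, values: list) -> str:
    """Translate a Sigma `field|contains: [...]` list into ORed wildcard terms."""
    terms = ["%s:*%s*" % (field, escape_lucene_term(v)) for v in values]
    return "(" + " OR ".join(terms) + ")"


# The filter values from the rule in this issue (Python strings, so each
# backslash is doubled).
KNOWN_LOCATIONS = [
    "C:\\Program Files (x86)\\Windows Defender\\",
    "C:\\Program Files\\Microsoft Security Client\\",
    "C:\\Program Files\\Windows Defender\\",
    "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\",
    "C:\\Windows\\WinSxS\\",
]


def known_locations_filter() -> str:
    """The `not filter_main_known_locations` part of the condition, escaped."""
    return "NOT " + contains_clause("process.executable", KNOWN_LOCATIONS)


# Excerpt of the query the reporter saw; the placeholder survived into the output.
REPORTED_EXCERPT = (
    "(NOT process.executable: C:\\Program_ws_Files\\Windows_ws_Defender\\ "
    "AND exists: process.executable)"
)


def find_ws_artifacts(query: str) -> list:
    """Return every whitespace-separated token that still carries the literal
    _ws_ placeholder, i.e. the symptom this issue reports. Handy as a check on
    generated queries before they are saved as detector rules."""
    return [tok for tok in query.split() if "_ws_" in tok]


if __name__ == "__main__":
    print(known_locations_filter())
    print(find_ws_artifacts(REPORTED_EXCERPT))
```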