From 388e865205860bdfdad7969deb3819b2e4aad1a5 Mon Sep 17 00:00:00 2001 From: Bivic Date: Mon, 2 Dec 2024 18:16:51 +0100 Subject: [PATCH 1/2] add syntax info about the regex we support --- docs/xdr/features/detect/sigma.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/xdr/features/detect/sigma.md b/docs/xdr/features/detect/sigma.md index 6a524d5db3..ab5bdc56a6 100644 --- a/docs/xdr/features/detect/sigma.md +++ b/docs/xdr/features/detect/sigma.md @@ -72,7 +72,7 @@ Here is the list of supported modifiers: - `base64`: match the value encoded with Base64 - `endswith`: the value is expected at the end of the field's content (replaces e.g. `*\cmd.exe`) - `startswith`: the value is expected at the beginning of the field's content. (replaces e.g. `adm*`) -- `re`: the value is a regular expression. Regular expressions are case sensitive by default +- `re`: the value is a [regular expression](https://github.com/google/re2/wiki/Syntax). Regular expressions are case sensitive by default - `cidr`: the value is a subnet in CIDR notation (e.g. `192.168.1.0/24`) the IP address should belong to - `lt`: less than this value - `lte`: less than or equal to this value From 45f947962566e09f6d3da4d899f1e354f0560849 Mon Sep 17 00:00:00 2001 From: Bivic Date: Tue, 3 Dec 2024 11:59:45 +0100 Subject: [PATCH 2/2] change link --- docs/xdr/features/detect/sigma.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/xdr/features/detect/sigma.md b/docs/xdr/features/detect/sigma.md index ab5bdc56a6..2abba35b93 100644 --- a/docs/xdr/features/detect/sigma.md +++ b/docs/xdr/features/detect/sigma.md 
@@ -72,7 +72,7 @@ Here is the list of supported modifiers: - `base64`: match the value encoded with Base64 - `endswith`: the value is expected at the end of the field's content (replaces e.g. `*\cmd.exe`) - `startswith`: the value is expected at the beginning of the field's content. (replaces e.g. `adm*`) -- `re`: the value is a [regular expression](https://github.com/google/re2/wiki/Syntax). Regular expressions are case sensitive by default +- `re`: the value is a [regular expression](https://github.com/andreasvc/pyre2). Regular expressions are case sensitive by default - `cidr`: the value is a subnet in CIDR notation (e.g. `192.168.1.0/24`) the IP address should belong to - `lt`: less than this value - `lte`: less than or equal to this value
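Review bot: In the first hunk (PATCH 1/2), the `re` bullet links to the RE2 syntax wiki but the sentence itself still says only "regular expression", so a reader skimming the list will not learn that the dialect is RE2 unless they follow the link; state it inline, e.g. "the value is a regular expression in [RE2 syntax](https://github.com/google/re2/wiki/Syntax)", since RE2 deliberately omits constructs rule authors often reach for (backreferences, lookaround) and a rule using them will fail or be rejected rather than match. The same line says regular expressions are case sensitive by default but never says how to opt out; in RE2 syntax that is the `(?i)` flag, so one clause ("use `(?i)` to match case-insensitively") would make the sentence actionable. Minor: the bullet ends without a period while the `startswith` bullet above it has one.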
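Review bot: In the second hunk (PATCH 2/2), swapping the link target from the RE2 syntax reference to https://github.com/andreasvc/pyre2 makes the `re` bullet less useful for rule authors: pyre2 is a Python binding, and its repository documents how to call the library from Python, not which regex constructs are accepted, which is the question a detection engineer reading this page actually has. If the point of the change is to record which engine evaluates the rules, say so in the text (e.g. "evaluated with pyre2, a binding for Google's RE2") and keep a link to the syntax page for the supported grammar; the commit message "change link" gives no rationale, so the reason for preferring the binding over the syntax reference should also be stated in the PR description.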