
Splunk backend allegedly doesn't support or conditions in regex, but fails to detect them (and for some reason creates a newline before | regex) #29

joshnck opened this issue Jan 4, 2024 · 1 comment
Labels
bug Something isn't working


joshnck commented Jan 4, 2024

```text
sigma convert --target 'splunk' --pipeline /home/jump/git/win_evt_pipeline.yml /home/jump/git/sigma/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml --skip-unsupported
Parsing Sigma rules  [####################################]  100%
[default]
dispatch.earliest_time = -30d
dispatch.latest_time = now
enableSched = 1
cron_schedule = */15 * * * *
allow_skew = 5m
[9ac8b09b-45de-4a07-9da1-0de8c09304a3]
search = index="winevent"
| regex Payload=".*cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$\\{?input\\}?|noexit).+\"" | eval rule="9ac8b09b-45de-4a07-9da1-0de8c09304a3", title="Invoke-Obfuscation STDIN+ Launcher - PowerShell Module" | collect index=notable_events
description = Detects Obfuscated use of stdin to execute PowerShell
```

This is the output after using the .yml template:

```yaml
# Global win eventlog index
transformations:
  - id: index_condition
    type: add_condition
    conditions:
      index: winevent
    rule_conditions:
      - type: logsource
        product: windows

postprocessing:
- type: template
  template: |+
    [{{ rule.id }}]
    search = {{ query }} | eval rule="{{ rule.id }}", title="{{ rule.title }}" | collect index=notable_events
    description = {{ rule.description }}

finalizers:
- type: concat
  prefix: |
    [default]
    dispatch.earliest_time = -30d
    dispatch.latest_time = now
    enableSched = 1
    cron_schedule = */15 * * * *
    allow_skew = 5m
```

This is mostly a copy from your blog post - so I would expect the results to work fine. Unfortunately, when applying this to the entire /windows/ folder of Sigma rules, it fails to properly format many of the savedsearches resulting in bad searches of index=winevent without the |regex section properly appended.

So there are two problems:

  1. The backend says it does not support an OR in a regex statement, but when encountering them under some scenarios it doesn't drop the failure code "ORing regular expressions is not yet supported by Splunk backend in..."
  2. The postprocessing insists on adding an extra newline before the `|`. I have not tested this with a non-yml pipeline.

EDIT:
If I modify the yaml to be `search = {{ query | replace("\n"," ") }}` this works, but only when processing one rule at a time. When I attempt to run this against the entire /windows/ folder, it still fails in the same way.



joshnck commented Jan 4, 2024


This is an adjacent issue (and a less important one) but when the Sigma rule has newlines in the description, they are kept via the postprocessing even though savedsearch format does not appreciate them.
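The two newline problems in this thread (the `| regex` line split off from the `search =` value in the opening post, and the multi-line description in the comment above), plus a check that a rendered stanza has not silently lost its detection logic, as an added Python example. This is not pySigma code and not the issue author's code: `SAMPLE_QUERY`, `SAMPLE_RULE` and `PREFIX` are constructed to mirror the shape of the output shown in the issue (regex shortened), plain string formatting stands in for the Jinja template in the pipeline file, and the audit reads the savedsearches text with Python's `configparser` to show what a naive conf parser makes of a stray newline.

```python
"""Post-process and sanity-check pySigma Splunk output for savedsearches.conf.

Added example (not pySigma code, not the issue author's code). SAMPLE_QUERY,
SAMPLE_RULE and PREFIX are constructed to mirror the shape of the output in
the issue, with the regex shortened; plain string formatting stands in for the
Jinja template from the pipeline file.
"""
import configparser
import re

# Constructed: the query as the backend hands it to the template, with the
# newline before "| regex", and a rule whose description spans two lines.
SAMPLE_QUERY = 'index="winevent"\n| regex Payload=".*cmd.{0,5}(?:/c|/r).+powershell.+"'
SAMPLE_RULE = {
    "id": "9ac8b09b-45de-4a07-9da1-0de8c09304a3",
    "title": "Invoke-Obfuscation STDIN+ Launcher - PowerShell Module",
    "description": "Detects Obfuscated use of stdin\nto execute PowerShell",
}

# Same [default] stanza the concat finalizer in the issue prepends.
PREFIX = """[default]
dispatch.earliest_time = -30d
dispatch.latest_time = now
enableSched = 1
cron_schedule = */15 * * * *
allow_skew = 5m
"""


def flatten(text: str) -> str:
    """Collapse newlines and the whitespace around them into single spaces.
    Same effect as the replace("\\n", " ") Jinja filter from the issue."""
    return re.sub(r"\s*\n\s*", " ", text).strip()


def render_stanza(query: str, rule: dict, fix_newlines: bool = True) -> str:
    """Render one stanza in the layout of the issue's template.
    fix_newlines=False reproduces the broken output; True applies flatten()
    to both the query and the description."""
    rid, title = rule["id"], rule["title"]
    search, description = query, rule["description"]
    if fix_newlines:
        search, description = flatten(query), flatten(description)
    return (
        f"[{rid}]\n"
        f'search = {search} | eval rule="{rid}", title="{title}" '
        "| collect index=notable_events\n"
        f"description = {description}\n"
    )


FILTER_COMMANDS = {"regex", "search", "where"}


def audit_savedsearches(conf_text: str) -> dict:
    """Parse savedsearches.conf text and return {stanza: [findings]}.

    configparser reads the text the way the issue's broken output would be
    read: a "| regex ..." line on its own becomes a separate key, so 'search'
    is left as a bare index restriction that matches every event in the index
    and would flood notable_events once the search is scheduled.
    """
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True, strict=False)
    cp.optionxform = str  # keep key case (dispatch.earliest_time, enableSched)
    cp.read_string(conf_text)
    findings = {}
    for stanza in cp.sections():
        if stanza == "default" or "search" not in cp[stanza]:
            continue
        problems = []
        # Naive split on "|": a "|" inside the regex also splits, which is
        # harmless here because only the first word of each stage is inspected.
        stages = [s.strip() for s in cp.get(stanza, "search").split("|")]
        base = re.sub(r'index\s*=\s*"?[\w*]+"?', "", stages[0]).strip()
        has_filter = any(s.split(" ", 1)[0] in FILTER_COMMANDS for s in stages[1:])
        if not base and not has_filter:
            problems.append("search is a bare index restriction; detection logic is missing")
        for key in cp[stanza]:
            if key.startswith("|"):
                problems.append(f"line {key!r} was parsed as a key: newline inside search")
            elif cp.get(stanza, key) is None:
                problems.append(f"line {key!r} has no '=': newline inside a value")
        if problems:
            findings[stanza] = problems
    return findings


if __name__ == "__main__":
    broken = PREFIX + render_stanza(SAMPLE_QUERY, SAMPLE_RULE, fix_newlines=False)
    for stanza, problems in audit_savedsearches(broken).items():
        print(stanza, problems)
    print(PREFIX + render_stanza(SAMPLE_QUERY, SAMPLE_RULE))
```

Running the audit over the broken rendering reports three findings for the rule stanza (bare `index="winevent"` search, the `| regex` line parsed as its own key, and the description continuation line without an `=`), while the flattened rendering passes clean. Running a check like this over the whole generated file before deploying it is what catches the "index=winevent without the regex section" searches the opening post describes.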

@thomaspatzke thomaspatzke added the bug Something isn't working label Jan 4, 2024