Replies: 1 comment 2 replies
-
|
The v2 specification defines clear ways for case-(in)sensitivity:
Both modifiers are full supported by pySigma and case-insensitivity syntaxes mentioned above can easily be implemented by backends:
|
Beta Was this translation helpful? Give feedback.
-
|
Welp, looks like i'm late :p Why is the version 2 still not the main version? What else needs to be defined? I'll adapt my backend with these specs :) |
Beta Was this translation helpful? Give feedback.
-
|
Version is still a work in progress. I.e things can change But mainly most new things are defined in there or are still pending review, such as the latest updates around correlations. |
Beta Was this translation helpful? Give feedback.
-
The Sigma specification mentions that :
and
However, those are the only two mentions of case-sensitiveness in the whole Sigma specification.
This leads to the following problem: There is no standard way to express a case-insensitive regex in a Sigma rule.
From my understanding, this is undefined behavior, which Sigma should try to avoid. Individual backends must decide without guidance how to handle those, which undermines the vendor-agnosticness that we love of Sigma .
For example, in QRadar and splunk, the way to define a case-insensitive regex is by prepending it with
(?i). With Crowdstrike Falcon Logscale, however, it's/myregex/i. In sqlite, you need tolower()the field you're searching on. Completely different ways to express the same outcome. I think Sigma should standardize regex case-sensitiveness, and maybe other regex flags as well.Beta Was this translation helpful? Give feedback.
All reactions