Search-Identifier, List and Map's Allowed Types #71

Open
hanstzou opened this issue Mar 17, 2023 · 1 comment
Comments

@hanstzou

Search-identifier's spec defined value types allowed in lists and maps, but it may need to be expanded.

Sigma_specification.md

By current definition:

1. A search-identifier can hold (1) a list of strings, (2) a list of maps, or (3) a map.
2. The map, in turn, holds key-value pairs, where each key is a field and each value is (1) a string, (2) an integer, or (3) a null (special field value).

#### Search-Identifier
A definition that can consist of two different data structures - lists and maps.

#### Lists
Lists can contain:
* strings that are applied to the full log message and are linked with a logical 'OR'.
* maps (see below). All map items of a list are logically linked with 'OR'.

#### Maps
Maps (or dictionaries) consist of key/value pairs, in which the key is a field in the log data and the value is a string or integer value. All elements of a map are joined with a logical 'AND'.

#### Special Field Values
There are special field values that can be used.
* An empty value is defined with `''`
* A null value is defined with `null`

In addition, although not mentioned directly, there are examples showing that a map's value list can also store integers. Thus, I'd guess a map's value could also be 2.-(4) a list of strings, integers, or nulls.

```yaml
selection:
    EventLog: Security
    EventID:
        - 517
        - 1102
condition: selection
```

Real-World Usages

The aforementioned summarization/guessing is extracted from specification alone.
I checked some Sigma rules in SigmaHQ/sigma repo as well, and found another usage.

In rules/web/webserver_generic/web_cve_2021_26858_iis_rce.yml#L23-L30 a search-id holds a list which has an integer in it, making a usage of 1.-(4) a list of strings and integers.

```yaml
    keywords:
        - 'POST'
        - 200
        - '/ecp/DDI/DDIService.svc/SetObject'
```

Are There More?

Will there be other types, say, booleans/floats/...?
For example, is usage of a map like

```yaml
detection:
    sample-search-id:
        some-field: false
```

considered valid?

Summary

In conclusion, the spec's type definition seems to be incomplete/inaccurate and may need some update.

Maybe we can consider defining types as follows:

1. A scalar: string/null/boolean/integer/floating point (as defined in YAML spec).
2. A search-identifier can hold (1) a list of scalars, (2) a list of maps, or (3) a map.
3. A map is a key-value pair where the value can be (1) a scalar or (2) a list of scalars.
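To make the proposed type rules concrete, here is a small validator written for this thread (added example, not code from the issue author, the Sigma specification or pySigma). It assumes the rule has already been parsed from YAML into Python dicts and lists, and the sample detections are constructed here to mirror the snippets quoted above.

```python
# Added example: checks a parsed `detection` block against the three proposed
# rules: scalars, search-identifiers (list of scalars / list of maps / map),
# and map values (scalar or list of scalars). Not part of the Sigma project.
from typing import Any

# Proposed scalar set: string, null, boolean, integer, floating point.
SCALAR_TYPES = (str, bool, int, float, type(None))


def is_scalar(value: Any) -> bool:
    return isinstance(value, SCALAR_TYPES)


def map_errors(name: str, mapping: dict) -> list:
    """Rule 3: every map value must be a scalar or a list of scalars."""
    errors = []
    for field, value in mapping.items():
        if is_scalar(value):
            continue
        if isinstance(value, list) and all(is_scalar(x) for x in value):
            continue
        errors.append(f"{name}.{field}: expected scalar or list of scalars, "
                      f"got {type(value).__name__}")
    return errors


def search_id_errors(name: str, value: Any) -> list:
    """Rule 2: a search-identifier is a map, a list of scalars, or a list of maps."""
    if isinstance(value, dict):
        return map_errors(name, value)
    if isinstance(value, list):
        if all(is_scalar(x) for x in value):
            return []
        if all(isinstance(x, dict) for x in value):
            return [e for i, m in enumerate(value)
                    for e in map_errors(f"{name}[{i}]", m)]
        return [f"{name}: list must contain only scalars or only maps"]
    return [f"{name}: expected list or map, got {type(value).__name__}"]


def validate_detection(detection: dict) -> list:
    """Return a list of violations for every search-identifier (condition is skipped)."""
    errors = []
    for name, value in detection.items():
        if name != "condition":
            errors.extend(search_id_errors(name, value))
    return errors


# Constructed samples mirroring the thread: spec example, keywords list, boolean map.
SPEC_EXAMPLE = {"selection": {"EventLog": "Security", "EventID": [517, 1102]}, "condition": "selection"}
KEYWORDS_EXAMPLE = {"keywords": ["POST", 200, "/ecp/DDI/DDIService.svc/SetObject"], "condition": "keywords"}
BOOL_EXAMPLE = {"sample-search-id": {"some-field": False}, "condition": "sample-search-id"}
# Constructed invalid sample: nested map as a map value, and a list mixing scalars and maps.
INVALID_EXAMPLE = {"bad": {"Image": {"nested": 1}}, "mixed": ["a", {"k": "v"}], "condition": "bad or mixed"}
```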
@thomaspatzke
Member

Agreed. Since pySigma boolean values are also explicitly allowed, it makes sense.
