Merge pull request #15 from nasbench/add-lookahead-test

Add new regex validator - `SigmahqUnsupportedRegexGroupConstruct`
SigmaHQ · Aug 11, 2024 · 362b868 · 362b868
2 parents 2122060 + 32c8a95
commit 362b868
Show file tree

Hide file tree

Showing 3 changed files with 94 additions and 14 deletions.
diff --git a/sigma/validators/sigmahq/config.py b/sigma/validators/sigmahq/config.py
@@ -1603,6 +1603,7 @@ class ConfigHQ:
         "legitimeate",
         "legitimat",
     ]
+    sigmahq_unsupported_regex_group_constructs = ["(?=", "(?!", "(?<=", "(?<!", "(?>"]
     sigmahq_link_in_description = ["http://", "https://"]
     sigmahq_logsource_cast: Dict[SigmaLogSource, List[str]] = {}
     sigmahq_logsource_unicast: Dict[SigmaLogSource, List[str]] = {}

diff --git a/sigma/validators/sigmahq/detection.py b/sigma/validators/sigmahq/detection.py
@@ -1,14 +1,21 @@
 from dataclasses import dataclass
-from typing import ClassVar, List
+from typing import ClassVar, List, Set
+
+from sigma.rule import (
+    SigmaRule,
+    SigmaDetectionItem,
+)
 
-from sigma.rule import SigmaRule
 from sigma.validators.base import (
     SigmaValidationIssue,
     SigmaRuleValidator,
     SigmaValidationIssueSeverity,
     SigmaDetectionItemValidator,
     SigmaDetectionItem,
 )
+
+from sigma.modifiers import SigmaRegularExpressionModifier
+
 from .config import ConfigHQ
 
 config = ConfigHQ()
@@ -46,7 +53,7 @@ def validate_detection_item(
 
 
 @dataclass
-class SigmahqCategoriProvidernameIssue(SigmaValidationIssue):
+class SigmahqCategoryWindowsProviderNameIssue(SigmaValidationIssue):
     description: ClassVar[str] = (
         "Rule uses a windows logsource category that doesn't require the use of the Provider_Name field"
     )
@@ -55,7 +62,7 @@ class SigmahqCategoriProvidernameIssue(SigmaValidationIssue):
     )
 
 
-class SigmahqCategoriProvidernameValidator(SigmaDetectionItemValidator):
+class SigmahqCategoryWindowsProviderNameValidator(SigmaDetectionItemValidator):
     """Checks if a rule uses a Provider_Name field with a windows category logsource that doesn't require it."""
 
     def validate(self, rule: SigmaRule) -> List[SigmaValidationIssue]:
@@ -78,6 +85,38 @@ def validate_detection_item(
                         self.rule.logsource.category
                     ]
                 ):
-                    return [SigmahqCategoriProvidernameIssue(self.rule)]
+                    return [SigmahqCategoryWindowsProviderNameIssue(self.rule)]
 
         return []
+
+
+@dataclass
+class SigmahqUnsupportedRegexGroupConstructIssue(SigmaValidationIssue):
+    description: ClassVar[str] = (
+        "Rule uses an unsupported regular expression group construct. Construct such as positive and negative lookahead, positive and negative lookbehind as well as atomic groups are currently unsupported."
+    )
+    severity: ClassVar[SigmaValidationIssueSeverity] = SigmaValidationIssueSeverity.HIGH
+    unsupported_regexp: str
+
+
+class SigmahqUnsupportedRegexGroupConstructValidator(SigmaDetectionItemValidator):
+    """Checks if a rule uses a an unsupported regular expression group constructs."""
+
+    def validate_detection_item(
+        self, detection_item: SigmaDetectionItem
+    ) -> List[SigmaValidationIssue]:
+
+        unsupported_regexps: Set[str] = set()
+
+        if SigmaRegularExpressionModifier in detection_item.modifiers:
+            for value in detection_item.value:
+                for (
+                    unsupported_group_construct
+                ) in ConfigHQ.sigmahq_unsupported_regex_group_constructs:
+                    if unsupported_group_construct in value.regexp:
+                        unsupported_regexps.add(value.regexp)
+
+        return [
+            SigmahqUnsupportedRegexGroupConstructIssue([self.rule], regexp)
+            for regexp in unsupported_regexps
+        ]
diff --git a/tests/test_detection.py b/tests/test_detection.py
@@ -6,12 +6,14 @@
 from sigma.validators.sigmahq.detection import (
     SigmahqCategoryEventIdIssue,
     SigmahqCategoryEventIdValidator,
-    SigmahqCategoriProvidernameIssue,
-    SigmahqCategoriProvidernameValidator,
+    SigmahqCategoryWindowsProviderNameIssue,
+    SigmahqCategoryWindowsProviderNameValidator,
+    SigmahqUnsupportedRegexGroupConstructIssue,
+    SigmahqUnsupportedRegexGroupConstructValidator,
 )
 
 
-def test_validator_SigmahqCategorieEventid():
+def test_validator_SigmahqCategoryEventId():
     validator = SigmahqCategoryEventIdValidator()
     rule = SigmaRule.from_yaml(
         """
@@ -30,7 +32,7 @@ def test_validator_SigmahqCategorieEventid():
     assert validator.validate(rule) == [SigmahqCategoryEventIdIssue(rule)]
 
 
-def test_validator_SigmahqCategorieEventid_valid():
+def test_validator_SigmahqCategoryEventId_valid():
     validator = SigmahqCategoryEventIdValidator()
     rule = SigmaRule.from_yaml(
         """
@@ -48,8 +50,8 @@ def test_validator_SigmahqCategorieEventid_valid():
     assert validator.validate(rule) == []
 
 
-def test_validator_SigmahqCategoriProvidername():
-    validator = SigmahqCategoriProvidernameValidator()
+def test_validator_SigmahqCategoryWindowsProviderName():
+    validator = SigmahqCategoryWindowsProviderNameValidator()
     rule = SigmaRule.from_yaml(
         """
     title: A Space Field Name
@@ -64,11 +66,11 @@ def test_validator_SigmahqCategoriProvidername():
         condition: sel
     """
     )
-    assert validator.validate(rule) == [SigmahqCategoriProvidernameIssue(rule)]
+    assert validator.validate(rule) == [SigmahqCategoryWindowsProviderNameIssue(rule)]
 
 
-def test_validator_SigmahqCategoriProvidername_valid():
-    validator = SigmahqCategoriProvidernameValidator()
+def test_validator_SigmahqCategoryWindowsProviderName_valid():
+    validator = SigmahqCategoryWindowsProviderNameValidator()
     rule = SigmaRule.from_yaml(
         """
     title: A Space Field Name
@@ -83,3 +85,41 @@ def test_validator_SigmahqCategoriProvidername_valid():
     """
     )
     assert validator.validate(rule) == []
+
+
+def test_validator_SigmahqUnsupportedRegexGroupConstruct():
+    validator = SigmahqUnsupportedRegexGroupConstructValidator()
+    rule = SigmaRule.from_yaml(
+        """
+    title: A Space Field Name
+    status: test
+    logsource:
+        product: windows
+        category: process_creation
+    detection:
+        sel:
+            field|re: 'A(?=B)'
+        condition: sel
+    """
+    )
+    assert validator.validate(rule) == [
+        SigmahqUnsupportedRegexGroupConstructIssue([rule], "A(?=B)")
+    ]
+
+
+def test_validator_SigmahqUnsupportedRegexGroupConstruct_valid():
+    validator = SigmahqUnsupportedRegexGroupConstructValidator()
+    rule = SigmaRule.from_yaml(
+        """
+    title: A Space Field Name
+    status: test
+    logsource:
+        product: windows
+        category: process_creation
+    detection:
+        sel:
+            field|re: 'a\w+b'
+        condition: sel
+    """
+    )
+    assert validator.validate(rule) == []