Regular Expression matching #41
Hi,
A way can be to have 2 modifiers:
@frack113: If I understand you correctly this means the spec should be updated to say that
currently it is the backend that manages the regex.
My proposal is to clarify this point.
As field matches are always full matches on the whole value, this should be the same for regular expressions to maintain consistency.
@thomaspatzke I'm not sure it's officially in the specification, but I disagree with your comment. Full-matching regexes can have important performance implications for SIEMs. It is discussed here: https://www.loggly.com/blog/five-invaluable-techniques-to-improve-regex-performance/ At my org, using leading and trailing
Hi
How does sigma expect regex to be applied to fields? Does the regex need to apply to the whole field? I couldn't find a definition in the spec.
Take for example
rules/windows/process_creation/win_regini.yml
If I translate that with sigmac I'll get a query string that requires a full match on the field.
I propose to define that behavior in the sigma specification and thought of these two possibilities:
Solution A: Sigma Spec defines partial match
If only a partial match is required I can try to make a pull request that would translate it to
(process.executable.keyword:*\\regini.exe AND process.command_line.keyword:/.*:[^ \\].*/)
Solution B: Sigma Spec defines full match
If a full field match is required I could make a pull request to rewrite the rule to
Best Regards,
maederm
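As an added illustration of Solution A (this is not code from the issue or from the Sigma project), the following Python sketch rewrites a partial-match regex into the whole-value form an anchored backend expects, and checks that `re.search` on the original and `re.fullmatch` on the rewritten pattern agree. It assumes the rule's regex is `:[^ \\]`, as implied by the translated query above, that the backend's regex syntax is anchored (as Elasticsearch query_string `/.../` is), and that a literal `/` inside the pattern is escaped as `\/`.

```python
import re

# Constructed sample: the regex implied by the sigmac translation on the page,
# which became /.*:[^ \\].*/ once wrapped for a full-match backend.
SIGMA_REGEX = r":[^ \\]"


def to_full_match(regex: str) -> str:
    """Rewrite a search-style (partial) regex so it must match the whole value.
    A leading ^ or a trailing unescaped $ is already an anchor on that side,
    so that side is left bare instead of being padded with .* (a \\$ escape
    check is a simplification: it does not see a doubled backslash before $)."""
    body = regex
    if body.startswith("^"):
        body, prefix = body[1:], ""
    else:
        prefix = ".*"
    if body.endswith("$") and not body.endswith(r"\$"):
        body, suffix = body[:-1], ""
    else:
        suffix = ".*"
    return f"{prefix}{body}{suffix}"


def to_query_string(field: str, regex: str) -> str:
    """Emit a query_string clause in the shape the issue shows (assumed syntax:
    .keyword sub-field, pattern delimited by / with inner / escaped)."""
    pattern = to_full_match(regex).replace("/", r"\/")
    return f"{field}.keyword:/{pattern}/"


def verdicts(regex: str, value: str):
    """Return (partial match, full match on the raw regex, full match on the
    rewritten regex) for one field value. DOTALL makes .* behave like an
    any-character wildcard, as it does in the backend's regex dialect."""
    return (
        re.search(regex, value) is not None,
        re.fullmatch(regex, value) is not None,
        re.fullmatch(to_full_match(regex), value, re.DOTALL) is not None,
    )


def partial_and_full_agree(regex: str, value: str) -> bool:
    """True when the original partial-match semantics and the rewritten
    full-match form give the same verdict for the value."""
    partial, _, full = verdicts(regex, value)
    return partial == full
```

The middle element of `verdicts` shows the problem the issue describes: a full-match backend fed the raw regex silently misses the command line that the rule author intended to catch.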