
change sigma title validation
Signed-off-by: Joanne Wang <[email protected]>
jowg-amazon committed Apr 12, 2024
1 parent 110eee1 commit a6d89aa
Showing 4 changed files with 37 additions and 36 deletions.
Expand Up @@ -25,10 +25,6 @@
import java.util.Locale;
import java.util.Map;
import java.util.UUID;
import java.util.regex.Pattern;

import static org.opensearch.commons.utils.ValidationHelpersKt.getInvalidNameChars;
import static org.opensearch.commons.utils.ValidationHelpersKt.isValidName;

public class SigmaRule {

Expand Down Expand Up @@ -110,6 +106,12 @@ protected static SigmaRule fromDict(Map<String, Object> rule, boolean collectErr
ruleId = null;
}

String title = rule.get("title").toString();
if (!title.matches("^.{1,256}$"))
{
errors.add(new SigmaTitleError("Sigma rule title can be max 256 characters"));
}

SigmaLevel level;
if (rule.containsKey("level")) {
level = SigmaLevel.valueOf(rule.get("level").toString().toUpperCase(Locale.ROOT));
Expand Down Expand Up @@ -169,7 +171,7 @@ protected static SigmaRule fromDict(Map<String, Object> rule, boolean collectErr
throw errors.get(0);
}

return new SigmaRule(rule.get("title").toString(), logSource, detections, ruleId, status,
return new SigmaRule(title, logSource, detections, ruleId, status,
rule.get("description").toString(), rule.get("references") != null? (List<String>) rule.get("references"): null, ruleTags,
rule.get("author").toString(), ruleDate, rule.get("fields") != null? (List<String>) rule.get("fields"): null,
rule.get("falsepositives") != null? (List<String>) rule.get("falsepositives"): null, level, errors);
Expand All @@ -184,15 +186,6 @@ public static SigmaRule fromYaml(String rule, boolean collectErrors) throws Sigm
return fromDict(ruleMap, collectErrors);
}

public static void validateSigmaRuleTitle(String title, List<SigmaError> errors)
{
if (!isValidName(title))
{
errors.add(new SigmaTitleError("Sigma rule title may not start with [_, +, -], contain '..', or contain: " +
getInvalidNameChars().replace("\\", "")));
}
}

public String getTitle() {
return title;
}
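Review bot: The new check at `if (!title.matches("^.{1,256}$"))` in the `@@ -110,6 +106,12 @@` hunk rejects more than over-long titles: `.` does not match line terminators, so any title containing a newline fails, and the empty string fails too (the SigmaRuleTests change in this commit relies on that), yet the message only says "can be max 256 characters". Explicit checks keep the intent and make the message honest: `if (title.isEmpty() || title.codePointCount(0, title.length()) > 256) {` with `errors.add(new SigmaTitleError("Sigma rule title must be between 1 and 256 characters"));`, and the IT assertions on the message text would need the same update. A missing `title` key still surfaces as a NullPointerException from `rule.get("title").toString()` rather than a collected SigmaTitleError, whereas the surrounding code guards `level` with `containsKey`; a null guard before the length check would fit the collectErrors path. The commit also drops the `isValidName` character restrictions, so if the title is ever used downstream to derive an index, alias or file name, those restrictions were load-bearing and that should be confirmed before relying on length alone. fromDict starts and ends outside the hunk.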
Expand Up @@ -202,7 +202,6 @@ void prepareRuleIndexing() {
public void onResponse(Map<String, String> fieldMappings) {
try {
SigmaRule parsedRule = SigmaRule.fromYaml(rule, true);
SigmaRule.validateSigmaRuleTitle(parsedRule.getTitle(), parsedRule.getErrors());
if (parsedRule.getErrors() != null && parsedRule.getErrors().size() > 0) {
onFailures(parsedRule.getErrors().toArray(new SigmaError[]{}));
return;
Expand Up @@ -36,7 +36,6 @@
import java.util.stream.Collectors;
import org.opensearch.securityanalytics.rules.exceptions.SigmaError;

import static org.opensearch.commons.utils.ValidationHelpersKt.getInvalidNameChars;
import static org.opensearch.securityanalytics.TestHelpers.randomDetectorType;
import static org.opensearch.securityanalytics.TestHelpers.countAggregationTestRule;
import static org.opensearch.securityanalytics.TestHelpers.randomDetectorWithInputs;
Expand Down Expand Up @@ -159,7 +158,7 @@ public void testCreatingAggregationRule() throws SigmaError, IOException {

@SuppressWarnings("unchecked")
public void testCreatingARuleWithWrongSyntax() throws IOException {
String invalidSigmaRuleTitle = "_Invalid # Rule";
String invalidSigmaRuleTitle = "a".repeat(257);
String rule = randomRuleWithErrors(invalidSigmaRuleTitle);

try {
Expand All @@ -169,8 +168,8 @@ public void testCreatingARuleWithWrongSyntax() throws IOException {
} catch (ResponseException ex) {
Map<String, Object> responseBody = asMap(ex.getResponse());
String reason = ((Map<String, Object>) responseBody.get("error")).get("reason").toString();
Assert.assertEquals("{\"error\":\"Sigma rule must have a log source\",\"error\":\"Sigma rule must have a detection definitions\"," +
"\"error\":\"Sigma rule title may not start with [_, +, -], contain '..', or contain: "+ getInvalidNameChars().replace("\\", "") + "\"}", reason);
Assert.assertEquals("{\"error\":\"Sigma rule title can be max 256 characters\",\"error\":\"Sigma rule must have a log source\"," +
"\"error\":\"Sigma rule must have a detection definitions\"}", reason);
}
}

Expand Down Expand Up @@ -434,7 +433,7 @@ public void testUpdatingUnusedRuleWithWrongSyntax() throws IOException {
Map<String, Object> responseBody = asMap(createResponse);
String createdId = responseBody.get("_id").toString();

String invalidSigmaRuleTitle = "..Remote Encrypting File System Abuse";
String invalidSigmaRuleTitle = "a".repeat(257);
String updatedRule = randomEditedRuleInvalidSyntax(invalidSigmaRuleTitle);

try {
Expand All @@ -444,8 +443,7 @@ public void testUpdatingUnusedRuleWithWrongSyntax() throws IOException {
} catch (ResponseException ex) {
responseBody = asMap(ex.getResponse());
String reason = ((Map<String, Object>) responseBody.get("error")).get("reason").toString();
Assert.assertEquals("Sigma rule title may not start with [_, +, -], contain '..', or contain: " +
getInvalidNameChars().replace("\\", ""), reason);
Assert.assertEquals("Sigma rule title can be max 256 characters", reason);
}
}
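Review bot: Both rewritten tests now exercise only the over-limit side of the new rule (`"a".repeat(257)` at the two `invalidSigmaRuleTitle` lines); nothing pins the boundary, so a later off-by-one to a 255 limit would pass this suite. A companion create with `"a".repeat(256)` that expects success, and one with the previously rejected `"_Invalid # Rule"` if accepting such titles is now intended, would document the new contract. The repeated literal could also move to a shared constant, e.g. `private static final String OVERLONG_TITLE = "a".repeat(257);`. The enclosing test methods start outside their hunks.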

Expand Up @@ -5,7 +5,6 @@
package org.opensearch.securityanalytics.rules.objects;

import org.junit.Assert;
import org.junit.Rule;
import org.opensearch.securityanalytics.rules.condition.ConditionOR;
import org.opensearch.securityanalytics.rules.exceptions.SigmaDateError;
import org.opensearch.securityanalytics.rules.exceptions.SigmaDetectionError;
Expand All @@ -27,7 +26,6 @@

import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
Expand All @@ -37,8 +35,6 @@
import java.util.Map;
import java.util.UUID;

import static org.opensearch.commons.utils.ValidationHelpersKt.getInvalidNameChars;

public class SigmaRuleTests extends OpenSearchTestCase {

public void testSigmaRuleBadUuid() {
Expand Down Expand Up @@ -94,19 +90,34 @@ public void testSigmaRuleBadDate() {
}

public void testSigmaRuleBadTitle() {
String invalidSigmaRuleTitle = "_invalid ..title?";
List<SigmaError> errors = new ArrayList<>();
SigmaTitleError expectedError = new SigmaTitleError("Sigma rule title may not start with [_, +, -], contain '..', or contain: " + getInvalidNameChars().replace("\\", ""));
Map<String, Object> sigmaRule = new HashMap<>();
sigmaRule.put("id", java.util.UUID.randomUUID().toString());
sigmaRule.put("level", "critical");
sigmaRule.put("status", "experimental");
sigmaRule.put("date", "2017/05/15");

// test empty string
String invalidSigmaRuleTitle = "";
sigmaRule.put("title", invalidSigmaRuleTitle);

Exception exception = assertThrows(SigmaTitleError.class, () -> {
SigmaRule.fromDict(sigmaRule, false);
});

String expectedMessage = "Sigma rule title can be max 256 characters";
String actualMessage = exception.getMessage();
assertTrue(actualMessage.contains(expectedMessage));

SigmaRule.validateSigmaRuleTitle(invalidSigmaRuleTitle, errors);
// test string over 256 chars
invalidSigmaRuleTitle = "a".repeat(257);
sigmaRule.put("title", invalidSigmaRuleTitle);

assertEquals(1, errors.size());
assertEquals(expectedError.getMessage(), errors.get(0).getMessage());
exception = assertThrows(SigmaTitleError.class, () -> {
SigmaRule.fromDict(sigmaRule, false);
});

String validSigmaRuleTitle = "acceptable [title]";
errors.clear();
SigmaRule.validateSigmaRuleTitle(validSigmaRuleTitle, errors);
assertEquals(0, errors.size());
actualMessage = exception.getMessage();
assertTrue(actualMessage.contains(expectedMessage));
}

public void testSigmaRuleNoLogSource() {
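Review bot: The rewritten testSigmaRuleBadTitle drops the positive case the old version had (`"acceptable [title]"` yielding no error), so the test no longer proves that an ordinary title passes the new check or that the bracket characters the old validator rejected are now accepted. A third step with `sigmaRule.put("title", "a".repeat(256));` expecting no SigmaTitleError would cover the boundary, though it needs the fields fromDict reads unconditionally (description, author, and the log source and detection sections) populated, as the return statement in the SigmaRule hunk shows. `Exception exception = assertThrows(SigmaTitleError.class, ...)` can be typed `SigmaTitleError exception`, since assertThrows returns the expected type. The `// test empty string` step also shows the message `can be max 256 characters` being reported for an empty title, which is worth reconciling with the wording in SigmaRule.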