Merge pull request #1401 from Yamato-Security/1398-sigma-v2-cased-mod…

…ifier-support added sigma v2 cased modifier support
Yamato-Security · Aug 16, 2024 · d105a33 · d105a33
2 parents 5bce02d + 49be00f
commit d105a33
Show file tree

Hide file tree

Showing 3 changed files with 252 additions and 2 deletions.
diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md
@@ -10,6 +10,7 @@
     * `m`: (multi-line) 複数行にまたがってマッチする。`^` /`$` は行頭/行末にマッチする。
     * `s`: (single-line) ドット文字 (`.`) は改行文字を含むすべての文字にマッチする。
 - Sigma V2の`|exists`モディファイアに対応した。 (#1400) (@hitenkoku)
+- Sigma V2の`|cased`モディファイアに対応した。 (#1401) (@hitenkoku)
 
 **改善:**
 

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,7 @@
     * `m`: (multi-line) match across multiple lines. `^` /`$` match the start/end of line.
     * `s`: (single-line) the dot character (`.`) matches all characters, including the newline character.
 - Support for the Sigma V2 `|exists` modifier. (#1400) (@hitenkoku)
+- Support for the Sigma V2 `|cased` modifier. (#1401) (@hitenkoku)
 
 **Enhancements:**
 

diff --git a/src/detections/rule/matchers.rs b/src/detections/rule/matchers.rs
@@ -495,6 +495,17 @@ impl LeafMatcher for DefaultMatcher {
                 if !fastmatches.is_empty() {
                     self.fast_match = Some(fastmatches);
                 }
+            } else if self.pipes[1] == PipeElement::Cased {
+                if self.pipes[0] == PipeElement::Startswith {
+                    self.fast_match =
+                        Self::convert_to_fast_match(&format!("{}*", pattern[0]), false);
+                } else if self.pipes[0] == PipeElement::Endswith {
+                    self.fast_match =
+                        Self::convert_to_fast_match(&format!("*{}", pattern[0]), false);
+                } else if self.pipes[0] == PipeElement::Contains {
+                    self.fast_match =
+                        Self::convert_to_fast_match(&format!("*{}*", pattern[0]), false);
+                }
             }
         } else if n == 3 {
             if self.pipes.contains(&PipeElement::Contains)
@@ -633,8 +644,20 @@ impl LeafMatcher for DefaultMatcher {
             let fast_match_result = if fast_matcher.len() == 1 {
                 match &fast_matcher[0] {
                     FastMatch::Exact(s) => Some(Self::eq_ignore_case(event_value_str, s)),
-                    FastMatch::StartsWith(s) => Self::starts_with_ignore_case(event_value_str, s),
-                    FastMatch::EndsWith(s) => Self::ends_with_ignore_case(event_value_str, s),
+                    FastMatch::StartsWith(s) => {
+                        if self.pipes.contains(&PipeElement::Cased) {
+                            Some(event_value_str.starts_with(s))
+                        } else {
+                            Self::starts_with_ignore_case(event_value_str, s)
+                        }
+                    }
+                    FastMatch::EndsWith(s) => {
+                        if self.pipes.contains(&PipeElement::Cased) {
+                            Some(event_value_str.ends_with(s))
+                        } else {
+                            Self::ends_with_ignore_case(event_value_str, s)
+                        }
+                    }
                     FastMatch::Contains(s) | FastMatch::AllOnly(s) => {
                         if self.pipes.contains(&PipeElement::Windash) {
                             Some(utils::contains_str(
@@ -643,6 +666,8 @@ impl LeafMatcher for DefaultMatcher {
                                     .to_lowercase(),
                                 s,
                             ))
+                        } else if self.pipes.contains(&PipeElement::Cased) {
+                            Some(utils::contains_str(event_value_str, s))
                         } else {
                             Some(utils::contains_str(&event_value_str.to_lowercase(), s))
                         }
@@ -694,6 +719,7 @@ enum PipeElement {
     Cidr(Result<IpCidr, NetworkParseError>),
     All,
     AllOnly,
+    Cased,
 }
 
 impl PipeElement {
@@ -717,6 +743,7 @@ impl PipeElement {
             "cidr" => Option::Some(PipeElement::Cidr(IpCidr::from_str(pattern))),
             "all" => Option::Some(PipeElement::All),
             "allOnly" => Option::Some(PipeElement::AllOnly),
+            "cased" => Option::Some(PipeElement::Cased),
             _ => Option::None,
         };
 
@@ -1667,6 +1694,70 @@ mod tests {
         check_select(rule_str, record_json_str, false);
     }
 
+    #[test]
+    fn test_detect_startswith_cased() {
+        // startswith|casedが正しく検知できることを確認
+        let rule_str = r#"
+        enabled: true
+        detection:
+            selection:
+                Channel: Security
+                EventID: 4732
+                TargetUserName|startswith|cased: "Administrators"
+        details: 'user added to local Administrators UserName: %MemberName% SID: %MemberSid%'
+        "#;
+
+        let record_json_str = r#"
+        {
+          "Event": {
+            "System": {
+              "EventID": 4732,
+              "Channel": "Security"
+            },
+            "EventData": {
+              "TargetUserName": "AdministratorsTest"
+            }
+          },
+          "Event_attributes": {
+            "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+          }
+        }"#;
+
+        check_select(rule_str, record_json_str, true);
+    }
+
+    #[test]
+    fn test_detect_startswith_cased2() {
+        // startswith|casedが正しく検知できることを確認
+        let rule_str = r#"
+        enabled: true
+        detection:
+            selection:
+                Channel: Security
+                EventID: 4732
+                TargetUserName|startswith|cased: "administrators"
+        details: 'user added to local Administrators UserName: %MemberName% SID: %MemberSid%'
+        "#;
+
+        let record_json_str = r#"
+        {
+          "Event": {
+            "System": {
+              "EventID": 4732,
+              "Channel": "Security"
+            },
+            "EventData": {
+              "TargetUserName": "AdministratorsTest"
+            }
+          },
+          "Event_attributes": {
+            "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+          }
+        }"#;
+
+        check_select(rule_str, record_json_str, false);
+    }
+
     #[test]
     fn test_detect_endswith1() {
         // endswithが正しく検知できることを確認
@@ -1761,6 +1852,99 @@ mod tests {
         check_select(rule_str, record_json_str, false);
     }
 
+    #[test]
+    fn test_detect_endswith_cased1() {
+        // endswith|casedが正しく検知できることを確認
+        let rule_str = r#"
+        enabled: true
+        detection:
+            selection:
+                Channel: Security
+                EventID: 4732
+                TargetUserName|endswith|cased: "Administrators"
+        details: 'user added to local Administrators UserName: %MemberName% SID: %MemberSid%'
+        "#;
+
+        let record_json_str = r#"
+        {
+          "Event": {
+            "System": {
+              "EventID": 4732,
+              "Channel": "Security"
+            },
+            "EventData": {
+              "TargetUserName": "AdministratorsTest"
+            }
+          },
+          "Event_attributes": {
+            "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+          }
+        }"#;
+        check_select(rule_str, record_json_str, false);
+    }
+
+    #[test]
+    fn test_detect_endswith_cased2() {
+        // endswith|casedが正しく検知できることを確認
+        let rule_str = r#"
+        enabled: true
+        detection:
+            selection:
+                Channel: Security
+                EventID: 4732
+                TargetUserName|endswith|cased: "test"
+        details: 'user added to local Administrators UserName: %MemberName% SID: %MemberSid%'
+        "#;
+
+        let record_json_str = r#"
+        {
+          "Event": {
+            "System": {
+              "EventID": 4732,
+              "Channel": "Security"
+            },
+            "EventData": {
+              "TargetUserName": "AdministratorsTest"
+            }
+          },
+          "Event_attributes": {
+            "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+          }
+        }"#;
+        check_select(rule_str, record_json_str, false);
+    }
+
+    #[test]
+    fn test_detect_endswith_cased3() {
+        // endswith|casedが正しく検知できることを確認
+        let rule_str = r#"
+        enabled: true
+        detection:
+            selection:
+                Channel: Security
+                EventID: 4732
+                TargetUserName|endswith|cased: "sTest"
+        details: 'user added to local Administrators UserName: %MemberName% SID: %MemberSid%'
+        "#;
+
+        let record_json_str = r#"
+        {
+          "Event": {
+            "System": {
+              "EventID": 4732,
+              "Channel": "Security"
+            },
+            "EventData": {
+              "TargetUserName": "AdministratorsTest"
+            }
+          },
+          "Event_attributes": {
+            "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+          }
+        }"#;
+        check_select(rule_str, record_json_str, true);
+    }
+
     #[test]
     fn test_detect_contains1() {
         // containsが正しく検知できることを確認
@@ -1856,6 +2040,70 @@ mod tests {
         check_select(rule_str, record_json_str, false);
     }
 
+    #[test]
+    fn test_detect_contains_cased1() {
+        // contains|casedが正しく検知できることを確認
+        let rule_str = r#"
+        enabled: true
+        detection:
+            selection:
+                Channel: Security
+                EventID: 4732
+                TargetUserName|contains|cased: "Administrators"
+        details: 'user added to local Administrators UserName: %MemberName% SID: %MemberSid%'
+        "#;
+
+        let record_json_str = r#"
+        {
+          "Event": {
+            "System": {
+              "EventID": 4732,
+              "Channel": "Security"
+            },
+            "EventData": {
+              "TargetUserName": "TestAdministratorsTest"
+            }
+          },
+          "Event_attributes": {
+            "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+          }
+        }"#;
+
+        check_select(rule_str, record_json_str, true);
+    }
+
+    #[test]
+    fn test_detect_contains_cased2() {
+        // contains|casedが正しく検知できることを確認
+        let rule_str = r#"
+        enabled: true
+        detection:
+            selection:
+                Channel: Security
+                EventID: 4732
+                TargetUserName|contains|cased: "MinistratorS"
+        details: 'user added to local Administrators UserName: %MemberName% SID: %MemberSid%'
+        "#;
+
+        let record_json_str = r#"
+        {
+          "Event": {
+            "System": {
+              "EventID": 4732,
+              "Channel": "Security"
+            },
+            "EventData": {
+              "TargetUserName": "TestministratorsTest"
+            }
+          },
+          "Event_attributes": {
+            "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+          }
+        }"#;
+
+        check_select(rule_str, record_json_str, false);
+    }
+
     #[test]
     fn test_detect_wildcard_multibyte() {
         // multi byteの確認