EventID in Sigma Rules not matching (String vs Numeric)
stdio-h opened this issue
Most sigma rules use numeric EventID, i.e.:

```yaml
detection:
  selection:
    EventID: 7045
    ServiceName:
      - 'srservice'
      - 'ipvpn'
      - 'hkmsvc'
  condition: selection
```

modules.rs [line 215] however converts the EventID to a String:

```rust
doc["EventID"] = json!(event_id.to_string());
```

and the condition (`EventID: 7045`) is therefore not met. After removing the conversion to String (or rewriting the Sigma rule to `EventID: "7045"`) the event is successfully matched:

```rust
doc["EventID"] = json!(event_id);
```
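To make the type mismatch concrete, here is a small Sigma-style selection matcher written for this thread as an added illustration; it is not code from modules.rs or from the issue author. The rule selection is the one quoted above as YAML would load it, and the two event documents are constructed to mirror the two serialisations discussed: `json!(event_id.to_string())` (EventID becomes a JSON string) and `json!(event_id)` (EventID stays a JSON number). It shows the numeric rule failing against the string event under plain JSON-value equality, and both ways out: quote the EventID in the rule, or let the matcher compare numbers and digit strings by their decimal text.

```python
"""Sigma-style selection matching with strict vs number-tolerant equality.

Added example for this issue, not project code. Only the AND/OR semantics
(all fields of a selection must match; a list under a field is an OR)
follow the Sigma specification; the rule and events below are constructed.
"""
import json
from typing import Any, Callable

# Constructed: the detection selection from the rule in the issue, as loaded from YAML.
RULE_SELECTION = {
    "EventID": 7045,  # numeric, as written in most Sigma rules
    "ServiceName": ["srservice", "ipvpn", "hkmsvc"],
}

# Constructed: the same Windows event serialised two ways.
# With json!(event_id.to_string()) the EventID arrives as a JSON string ...
EVENT_STRING_ID = json.loads('{"EventID": "7045", "ServiceName": "ipvpn"}')
# ... and with json!(event_id) it stays a JSON number.
EVENT_NUMERIC_ID = json.loads('{"EventID": 7045, "ServiceName": "ipvpn"}')

Eq = Callable[[Any, Any], bool]


def strict_eq(expected: Any, actual: Any) -> bool:
    """Plain JSON-value equality: the number 7045 and the string "7045" differ."""
    return expected == actual


def loose_eq(expected: Any, actual: Any) -> bool:
    """Number-tolerant equality: if either side is an integer, compare the decimal
    text of both sides, so 7045 matches "7045". bool is excluded because it is an
    int subclass in Python and must not be coerced to "True"/"False" here."""
    def is_int(v: Any) -> bool:
        return isinstance(v, int) and not isinstance(v, bool)

    if is_int(expected) or is_int(actual):
        return str(expected) == str(actual)
    return expected == actual


def field_matches(expected: Any, actual: Any, eq: Eq) -> bool:
    """A list of values under one field is an OR in Sigma."""
    if isinstance(expected, list):
        return any(eq(v, actual) for v in expected)
    return eq(expected, actual)


def selection_matches(selection: dict, event: dict, eq: Eq = strict_eq) -> bool:
    """All fields of a selection map must match (AND); a field missing from the
    event never matches."""
    return all(
        name in event and field_matches(value, event[name], eq)
        for name, value in selection.items()
    )


def quote_event_id(selection: dict) -> dict:
    """The rule-side workaround from the thread, applied to a loaded rule:
    rewrite a numeric EventID (or a list of them) as strings."""
    out = dict(selection)
    v = out.get("EventID")
    if isinstance(v, list):
        out["EventID"] = [str(x) if isinstance(x, int) else x for x in v]
    elif isinstance(v, int) and not isinstance(v, bool):
        out["EventID"] = str(v)
    return out


if __name__ == "__main__":
    # The bug: numeric rule vs string EventID under strict equality.
    print("string EventID, strict:", selection_matches(RULE_SELECTION, EVENT_STRING_ID))
    # Engine-side fix: keep the EventID numeric (json!(event_id)).
    print("numeric EventID, strict:", selection_matches(RULE_SELECTION, EVENT_NUMERIC_ID))
    # Rule-side workaround: EventID: "7045".
    print("string EventID, quoted rule:", selection_matches(quote_event_id(RULE_SELECTION), EVENT_STRING_ID))
    # Matcher-side alternative: tolerate number/string mismatch at compare time.
    print("string EventID, loose:", selection_matches(RULE_SELECTION, EVENT_STRING_ID, loose_eq))
```

The `loose_eq` path is the option that lets rules and events in either representation match without rewriting either; whether a given engine wants that behaviour is a design decision (it also makes `EventID: "7045"` match a numeric event), which is why the thread's rule-side quoting is a safe interim workaround.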
Thanks for pointing this out. I was trying to write a Proxyshell rule and after reading this post and casting the event id as a string the detection worked.
Good spot, thanks for raising this. I've merged in a fix for this. I'll push out a new build this weekend.
I've had to revert the change that closed this issue due to the issue identified in #30.
Delete if this doesn't have a place here, but as a temporary solution the following can transform the sigma rule data set:

```sh
# Quote top-level numeric EventIDs, e.g. 'EventID: 7045' -> 'EventID: "7045"'.
# find -exec handles paths with spaces; [[:space:]] is portable where sed's \s is not.
# Matches 1-5 digit IDs so single-digit Sysmon IDs are covered too.
# GNU sed shown; BSD/macOS sed needs `sed -i ''`.
find sigma_rules/ -name '*.yml' -print -exec sed -i 's/\(EventID:[[:space:]]*\)\([[:digit:]]\{1,5\}\)/\1"\2"/' {} \;
```
Thanks for doing the leg work on that, Michael. I just put this together for the nested event ID statements using the loop you put together:

```sh
# Quotes bare numeric list items such as '- 7045' (note: it quotes any bare numeric list item, not only EventIDs).
find sigma_rules/ -name '*.yml' -print -exec sed -i 's/\(- \)\([[:digit:]]\{1,5\}\)/\1"\2"/' {} \;
```