Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Proposal for fieldref wildcard support #305

Merged
merged 3 commits into from
Nov 16, 2024
Merged

Proposal for fieldref wildcard support #305

merged 3 commits into from
Nov 16, 2024
+39 −6

Conversation

kelnage
Copy link
Contributor

@kelnage kelnage commented Nov 12, 2024

Field references can currently only specify a full match on two fields, but for backends that support it, we have found that in practice being able to partially match one field against another is important. This commit introduces the ability for a field reference to have a leading or trailing wildcard and updates the contains, startswith, and endswith modifiers to allow the rule to set them.

Note: the current design assumes that the modifiers will be applied with the fieldref first, then the relevant wildcard modifier. Changing this order would require being able to extract the leading/trailing wildcards from the SigmaString - which is doable, but would require some additional logic to achieve.

@kelnage
Initial design for fieldref wildcard support
6fab372 
Field references can currently only specify a full match on two fields,
but for backends that support it, we have found that in practice being
able to partially match one field against another is important. This
commit introduces the ability for a field reference to have a leading
or trailing wildcard and updates the contains, startswith, and endswith
modifiers to allow the rule to set them.
@kelnage kelnage changed the title Initial design for fieldref wildcard support Proposal for fieldref wildcard support Nov 12, 2024
@kelnage
Merge branch 'main' of github.com:SigmaHQ/pySigma into fieldref-wildc…
dcc780d 
…ard-support
@kelnage
Flip wildcard for startswith and endswith
8131563 
When checking `startswith`, the wildcard should be at the end, and v.v.
for `endswith`.
@nasbench
Copy link
Member

@frack113 when this gets merged we need a validator for HQ to make sure the order is respected. If you can put it in your to-do.

@thomaspatzke thomaspatzke merged commit 33f0654 into SigmaHQ:main Nov 16, 2024
15 checks passed
@kelnage kelnage deleted the fieldref-wildcard-support branch November 16, 2024 20:42
@thomaspatzke
Copy link
Member

While integration into the default backend code I've made some change to the type and modifiers. Now just starts_with and ends_with flags are set to True instead of storing a SpecialChar object into the wildcard_start and wildcard_end object variables which is always the same SpecialChars.WILDCARD_MULTI. This simplifies this change a bit and makes the code more efficient.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@kelnage @nasbench @thomaspatzke