Skip to content

Add throw for empty strings in rules with modifier contains, startwith, and endswith #860

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 4 commits into from
Mar 6, 2024
Merged

Add throw for empty strings in rules with modifier contains, startwith, and endswith #860

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
6093bdb
add validation for empty strings with contains, startswith and endswi…
jowg-amazon Feb 16, 2024
460f406
throw exception if empty string with contains, startswith, or endswith
jowg-amazon Feb 17, 2024
db4a584
change var name
jowg-amazon Feb 17, 2024
b1bf251
add modifiers to log
jowg-amazon Feb 19, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 4 additions & 5 deletions src/main/java/org/opensearch/securityanalytics/rules/objects/SigmaDetectionItem.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -113,11 +113,10 @@ public static <T> SigmaDetectionItem fromMapping(String key, Either<T, List<T>>
List<SigmaType> sigmaTypes = new ArrayList<>();
for (T v: values) {
SigmaType sigmaType = SigmaTypeFacade.sigmaType(v);
// skips if sigmaType is an empty string and the modifier is "contains" or "startswith" or "endswith"
if (sigmaType.getClass().equals(SigmaString.class)) {
if (!(v.toString().isEmpty() && (modifierIds.contains("contains") || modifierIds.contains("startswith") || modifierIds.contains("endswith")))) {
sigmaTypes.add(sigmaType);
}
// throws an error if sigmaType is an empty string and the modifier is "contains" or "startswith" or "endswith"
boolean invalidModifier = modifierIds.contains("contains") || modifierIds.contains("startswith") || modifierIds.contains("endswith");
if (sigmaType.getClass().equals(SigmaString.class) && v.toString().isEmpty() && invalidModifier) {
throw new SigmaValueError("Cannot create rule with empty string and given modifier(s)");
} else {
sigmaTypes.add(sigmaType);
}
Expand Down
31 changes: 0 additions & 31 deletions src/test/java/org/opensearch/securityanalytics/TestHelpers.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -259,37 +259,6 @@ public static String randomRule() {
"level: high";
}

public static String randomRuleWithContainsAndEmptyString() {
return "title: Remote Encrypting File System Abuse\n" +
"id: 5f92fff9-82e2-48eb-8fc1-8b133556a551\n" +
"description: Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR\n" +
"references:\n" +
" - https://attack.mitre.org/tactics/TA0008/\n" +
" - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942\n" +
" - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-EFSR.md\n" +
" - https://github.com/zeronetworks/rpcfirewall\n" +
" - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/\n" +
"tags:\n" +
" - attack.defense_evasion\n" +
"status: experimental\n" +
"author: Sagie Dulce, Dekel Paz\n" +
"date: 2022/01/01\n" +
"modified: 2022/01/01\n" +
"logsource:\n" +
" product: rpc_firewall\n" +
" category: application\n" +
" definition: 'Requirements: install and apply the RPC Firewall to all processes with \"audit:true action:block uuid:df1941c5-fe89-4e79-bf10-463657acf44d or c681d488-d850-11d0-8c52-00c04fd90f7e'\n" +
"detection:\n" +
" selection:\n" +
" EventID|contains:\n" +
" 1996\n" +
" ''\n" +
" condition: selection\n" +
"falsepositives:\n" +
" - Legitimate usage of remote file encryption\n" +
"level: high";
}

public static String randomNullRule() {
return "title: null field\n" +
"id: 5f92fff9-82e2-48eb-8fc1-8b133556a551\n" +
Expand Down
52 changes: 0 additions & 52 deletions src/test/java/org/opensearch/securityanalytics/resthandler/RuleRestApiIT.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,7 +46,6 @@
import static org.opensearch.securityanalytics.TestHelpers.randomRuleForMappingView;
import static org.opensearch.securityanalytics.TestHelpers.randomRuleWithErrors;
import static org.opensearch.securityanalytics.TestHelpers.windowsIndexMapping;
import static org.opensearch.securityanalytics.TestHelpers.randomRuleWithContainsAndEmptyString;

public class RuleRestApiIT extends SecurityAnalyticsRestTestCase {

Expand Down Expand Up @@ -840,57 +839,6 @@ public void testGetAllRuleCategories() throws IOException {
assertTrue(categories.stream().anyMatch(e -> ((Map<String, Object>)e).get("key").equals("waf")));
}

public void testCreatingARuleWithContainsAndEmptyString() throws IOException {
String rule = randomRuleWithContainsAndEmptyString();

Response createResponse = makeRequest(client(), "POST", SecurityAnalyticsPlugin.RULE_BASE_URI, Collections.singletonMap("category", randomDetectorType()),
new StringEntity(rule), new BasicHeader("Content-Type", "application/json"));
Assert.assertEquals("Create rule failed", RestStatus.CREATED, restStatus(createResponse));

Map<String, Object> responseBody = asMap(createResponse);

String createdId = responseBody.get("_id").toString();
int createdVersion = Integer.parseInt(responseBody.get("_version").toString());
Assert.assertNotEquals("response is missing Id", Detector.NO_ID, createdId);
Assert.assertTrue("incorrect version", createdVersion > 0);
Assert.assertEquals("Incorrect Location header", String.format(Locale.getDefault(), "%s/%s", SecurityAnalyticsPlugin.RULE_BASE_URI, createdId), createResponse.getHeader("Location"));

String index = Rule.CUSTOM_RULES_INDEX;
String request = "{\n" +
" \"query\": {\n" +
" \"nested\": {\n" +
" \"path\": \"rule\",\n" +
" \"query\": {\n" +
" \"bool\": {\n" +
" \"must\": [\n" +
" { \"match\": {\"rule.category\": \"" + randomDetectorType().toLowerCase(Locale.ROOT) + "\"}}\n" +
" ]\n" +
" }\n" +
" }\n" +
" }\n" +
" }\n" +
"}";
List<SearchHit> hits = executeSearch(index, request);
Assert.assertEquals(1, hits.size());

request = "{\n" +
" \"query\": {\n" +
" \"nested\": {\n" +
" \"path\": \"rule\",\n" +
" \"query\": {\n" +
" \"bool\": {\n" +
" \"must\": [\n" +
" { \"match\": {\"rule.category\": \"application\"}}\n" +
" ]\n" +
" }\n" +
" }\n" +
" }\n" +
" }\n" +
"}";
hits = executeSearch(index, request);
Assert.assertEquals(0, hits.size());
}

@SuppressWarnings("unchecked")
public void testGetMappingsViewApiForFieldAliasesWithSameName() throws IOException {
String index = createTestIndex(randomIndex(), windowsIndexMapping());
Expand Down
117 changes: 60 additions & 57 deletions src/test/java/org/opensearch/securityanalytics/rules/backend/QueryBackendTests.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -909,71 +909,74 @@ public void testConvertUnboundValuesAsWildcard() throws IOException, SigmaError

public void testConvertSkipEmptyStringStartsWithModifier() throws IOException, SigmaError {
OSQueryBackend queryBackend = testBackend();
List<Object> queries = queryBackend.convertRule(SigmaRule.fromYaml(
" title: Test\n" +
" id: 39f919f3-980b-4e6f-a975-8af7e507ef2b\n" +
" status: test\n" +
" level: critical\n" +
" description: Detects QuarksPwDump clearing access history in hive\n" +
" author: Florian Roth\n" +
" date: 2017/05/15\n" +
" logsource:\n" +
" category: test_category\n" +
" product: test_product\n" +
" detection:\n" +
" sel:\n" +
" fieldA1|startswith: \n" +
" - value1\n" +
" - value2\n" +
" - ''\n" +
" condition: sel", false));
Assert.assertEquals("(mappedA: value1*) OR (mappedA: value2*)", queries.get(0).toString());
Assert.assertThrows(SigmaValueError.class, () -> {
queryBackend.convertRule(SigmaRule.fromYaml(
" title: Test\n" +
" id: 39f919f3-980b-4e6f-a975-8af7e507ef2b\n" +
" status: test\n" +
" level: critical\n" +
" description: Detects QuarksPwDump clearing access history in hive\n" +
" author: Florian Roth\n" +
" date: 2017/05/15\n" +
" logsource:\n" +
" category: test_category\n" +
" product: test_product\n" +
" detection:\n" +
" sel:\n" +
" fieldA1|startswith: \n" +
" - value1\n" +
" - value2\n" +
" - ''\n" +
" condition: sel", false));
});
}

public void testConvertSkipEmptyStringEndsWithModifier() throws IOException, SigmaError {
OSQueryBackend queryBackend = testBackend();
List<Object> queries = queryBackend.convertRule(SigmaRule.fromYaml(
" title: Test\n" +
" id: 39f919f3-980b-4e6f-a975-8af7e507ef2b\n" +
" status: test\n" +
" level: critical\n" +
" description: Detects QuarksPwDump clearing access history in hive\n" +
" author: Florian Roth\n" +
" date: 2017/05/15\n" +
" logsource:\n" +
" category: test_category\n" +
" product: test_product\n" +
" detection:\n" +
" sel:\n" +
" fieldA1|endswith: \n" +
" - value1\n" +
" - value2\n" +
" - ''\n" +
" condition: sel", false));
Assert.assertEquals("(mappedA: *value1) OR (mappedA: *value2)", queries.get(0).toString());
Assert.assertThrows(SigmaValueError.class, () -> {
queryBackend.convertRule(SigmaRule.fromYaml(
" title: Test\n" +
" id: 39f919f3-980b-4e6f-a975-8af7e507ef2b\n" +
" status: test\n" +
" level: critical\n" +
" description: Detects QuarksPwDump clearing access history in hive\n" +
" author: Florian Roth\n" +
" date: 2017/05/15\n" +
" logsource:\n" +
" category: test_category\n" +
" product: test_product\n" +
" detection:\n" +
" sel:\n" +
" fieldA1|endswith: \n" +
" - value1\n" +
" - value2\n" +
" - ''\n" +
" condition: sel", false));
});
}

public void testConvertSkipEmptyStringContainsModifier() throws IOException, SigmaError {
OSQueryBackend queryBackend = testBackend();
List<Object> queries = queryBackend.convertRule(SigmaRule.fromYaml(
" title: Test\n" +
" id: 39f919f3-980b-4e6f-a975-8af7e507ef2b\n" +
" status: test\n" +
" level: critical\n" +
" description: Detects QuarksPwDump clearing access history in hive\n" +
" author: Florian Roth\n" +
" date: 2017/05/15\n" +
" logsource:\n" +
" category: test_category\n" +
" product: test_product\n" +
" detection:\n" +
" sel:\n" +
" fieldA1|contains: \n" +
" - value1\n" +
" - value2\n" +
" - ''\n" +
" condition: sel", false));
Assert.assertEquals("(mappedA: *value1*) OR (mappedA: *value2*)", queries.get(0).toString());
Assert.assertThrows(SigmaValueError.class, () -> {
queryBackend.convertRule(SigmaRule.fromYaml(
" title: Test\n" +
" id: 39f919f3-980b-4e6f-a975-8af7e507ef2b\n" +
" status: test\n" +
" level: critical\n" +
" description: Detects QuarksPwDump clearing access history in hive\n" +
" author: Florian Roth\n" +
" date: 2017/05/15\n" +
" logsource:\n" +
" category: test_category\n" +
" product: test_product\n" +
" detection:\n" +
" sel:\n" +
" fieldA1|contains: \n" +
" - value1\n" +
" - value2\n" +
" - ''\n" +
" condition: sel", false));
});
}

private OSQueryBackend testBackend() throws IOException {
Expand Down