fix inverse behaviour on text matching
rkspx committed Apr 11, 2022

This commit was signed with the committer’s verified signature.
danharrin Dan Harrin
1 parent fcddc07 commit bfae89c
Showing 2 changed files with 21 additions and 1 deletion.
19 changes: 18 additions & 1 deletion internal/pkg/dsiem/rule/rule.go
@@ -388,11 +388,12 @@ func isNetAddrMatchCSVRule(rulesInCSV, term string) bool {
// split it into slice of strings, match its value one by one, and returns if one of the value matches.
// otherwose, matchText will do non case-sensitve match for the subject and term.
func matchText(subject, term string) bool {

if isCSV(subject) {
return isStringMatchCSVRule(subject, term)
}

return strings.TrimSpace(strings.ToLower(subject)) == strings.TrimSpace(strings.ToLower(term))
return matchTextNonSensitive(subject, term)
}

// isCSV determines wether the given term is a comma separated list of strings or not.
@@ -402,6 +403,22 @@ func isCSV(term string) bool {
return strings.Contains(term, ",")
}

func matchTextNonSensitive(term1, term2 string) bool {
var inverse bool
if strings.HasPrefix(term1, "!") {
term1 = str.TrimLeftChar(term1)
inverse = true
}

match := strings.TrimSpace(strings.ToLower(term1)) == strings.TrimSpace(strings.ToLower(term2))

if inverse {
return !match
}

return match
}

func isStringMatchCSVRule(rulesInCSV string, term string) (match bool) {
// s is something like stringA, stringB, !stringC, !stringD
sSlice := str.CsvToSlice(rulesInCSV)
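Review bot: In the added matchTextNonSensitive, the negation test `strings.HasPrefix(term1, "!")` runs before the whitespace trimming that the comparison itself applies, so a rule value written as ` !foo` (leading space) is neither inverted nor matched — the literal `!foo` is compared against term2 and the rule silently never fires. Trimming first keeps the prefix handling consistent with the comparison: `term1 = strings.TrimSpace(term1)` ahead of the `HasPrefix` check. The function also has no doc comment; suggest `// matchTextNonSensitive compares term1 and term2 case-insensitively after trimming whitespace; a leading "!" on term1 negates the result.` Since only term1 is inspected for the prefix — and term1 appears to be the rule's custom data, judging by the test table — a term2 value beginning with "!" cannot flip the outcome, which is worth stating in that comment. The existing comment on matchText (first hunk) still describes it as a plain case-insensitive match and should mention the negation it now performs through this helper.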
3 changes: 3 additions & 0 deletions internal/pkg/dsiem/rule/rule_test.go
@@ -512,13 +512,16 @@ func TestCustomDataMatch(t *testing.T) {
{"Network Command Shell", "Network Command Shell", true},
{"Network Command Shell", "Network Command Login", false},
{"!Network Command Shell", "Network Command Shell", false},
{"!Network Command Shell", "Network Command Login", true},
{"foo,bar,qux", "foo", true},
{"foo,bar,qux", "bar", true},
{"foo,bar,qux", "qux", true},
{"foo,bar,qux", "baz", false},
{"foo,!bar,qux", "bar", false},
{"foo,bar,!qux", "qux", false},
{"!foo,bar,qux", "foo", false},
{"!foo, foo, bar, qux", "foo", false},
{"foo, !foo, bar, qux", "foo", true},
} {
t.Run(c.ruleCustomData, func(t *testing.T) {
r := DirectiveRule{
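Review bot: The new non-CSV negation cases cover only a rule value that starts directly with "!"; there is no case pinning that the negation marker is recognized only on the rule side, nor one for surrounding whitespace, which the CSV cases on the following rows do exercise. Two rows would close that gap: `{"Network Command Shell", "!Network Command Shell", false},` confirms that a term beginning with "!" is compared literally rather than inverting the match, and `{" !Network Command Shell", "Network Command Login", true},` documents the intended behaviour when the rule value carries leading whitespace. Whether the second row passes depends on the trimming order in matchTextNonSensitive in rule.go, so it also serves as a regression check for that. TestCustomDataMatch begins outside this hunk.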
