add csv checking for custom data matching
rkspx committed Apr 11, 2022
1 parent a5eec67 commit fcddc07
Showing 1 changed file with 22 additions and 4 deletions.
26 changes: 22 additions & 4 deletions internal/pkg/dsiem/rule/rule.go
Expand Up @@ -181,14 +181,15 @@ func customDataCheck(e event.NormalizedEvent, r DirectiveRule, s *StickyDiffData

var r1, r2, r3 = true, true, true
if r.CustomData1 != "" && r.CustomData1 != "ANY" {
r1 = isStringMatchCSVRule(r.CustomData1, e.CustomData1)
r1 = matchText(r.CustomData1, e.CustomData1)
}
if r.CustomData2 != "" && r.CustomData2 != "ANY" {
r2 = isStringMatchCSVRule(r.CustomData2, e.CustomData2)
r2 = matchText(r.CustomData2, e.CustomData2)
}
if r.CustomData3 != "" && r.CustomData3 != "ANY" {
r3 = isStringMatchCSVRule(r.CustomData3, e.CustomData3)
r3 = matchText(r.CustomData3, e.CustomData3)
}

switch {
case r.StickyDiff == "CUSTOM_DATA1":
_ = isStringStickyDiff(e.CustomData1, s)
Expand Down Expand Up @@ -323,7 +324,6 @@ func isIntStickyDiff(v int, r *StickyDiffData) (match bool) {
}

func isNetAddrMatchCSVRule(rulesInCSV, term string) bool {

// s is something like stringA, stringB, !stringC, !stringD
sSlice := str.CsvToSlice(rulesInCSV)

Expand Down Expand Up @@ -384,6 +384,24 @@ func isNetAddrMatchCSVRule(rulesInCSV, term string) bool {
return match
}

// matchText match the given term against the subject, if the subject is a comma-separated-values,
// split it into slice of strings, match its value one by one, and returns if one of the value matches.
// otherwose, matchText will do non case-sensitve match for the subject and term.
func matchText(subject, term string) bool {
if isCSV(subject) {
return isStringMatchCSVRule(subject, term)
}

return strings.TrimSpace(strings.ToLower(subject)) == strings.TrimSpace(strings.ToLower(term))
}

// isCSV determines wether the given term is a comma separated list of strings or not.
// FIXME: this is currently implemented by checking if the term contains comma character ",", which
// can cause misbehave if the term is actually a non-csv long string that contains comma character.
func isCSV(term string) bool {
return strings.Contains(term, ",")
}

func isStringMatchCSVRule(rulesInCSV string, term string) (match bool) {
// s is something like stringA, stringB, !stringC, !stringD
sSlice := str.CsvToSlice(rulesInCSV)
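Review bot: A single negated term such as `!foo` no longer reaches isStringMatchCSVRule, because matchText takes the CSV branch only when the subject contains a comma; the plain-equality fallback then requires the event value to literally equal "!foo", so a directive rule written with one negated custom-data value would stop matching the way it did when customDataCheck called isStringMatchCSVRule directly (the `!` prefix is the negation syntax described in the comment above sSlice). Whether isStringMatchCSVRule itself handles a lone `!term` cannot be confirmed here since its body continues past the hunk, but if it does, guarding the fallback on the negation prefix as well keeps the previous rule semantics: `if isCSV(subject) || strings.HasPrefix(strings.TrimSpace(subject), "!") {`. The two branches also differ in normalisation — the fallback lowercases and trims both sides while the CSV path's comparison is not visible in this hunk — so a rule that matches case-insensitively as one value may behave differently once a second value is appended; that asymmetry deserves a sentence in the doc comment. The doc comments also carry typos: `// matchText matches the given term against the subject; if the subject is a comma-separated list,`, `// otherwise, matchText does a case-insensitive comparison of subject and term.`, and `// isCSV determines whether the given term is a comma-separated list of strings.`.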
