
[BUG] Sigma rules creation do not accept IPv6 addresses as value/list when defining a selection map with the modifier CIDR. #1252

Open
rafaelma opened this issue Aug 15, 2024 · 1 comment
Labels
bug Something isn't working

Comments

@rafaelma

What is the bug?

When creating a Sigma rule with detection criteria that use a map with Modifier=CIDR, you get this error message: "[security_analytics_exception] Invalid IPv4 CIDR expression" if the value of the map is an IPv6 address.

How can one reproduce the bug?

Steps to reproduce the behavior:

  1. Go to the '[Security Analytics][Detection rules][Create detection rule]' page in Opensearch
  2. Define a rule with a detection map that includes for example:
    Key: ip.address
    Modifier: CIDR
    Value: 2a03:2880:f132:83:face:b00c::/96
  3. Press "Create detection rule"
  4. You get this error: "[security_analytics_exception] Invalid IPv4 CIDR expression"

What is the expected behavior?

It should work with both IPv4 and IPv6 addresses according to the Sigma rules documentation, ref: https://sigmahq.io/docs/basics/modifiers.html#cidr

What is your host/environment?

  • OS: Red Hat Enterprise Linux release 9.4
  • Version: Opensearch 2.15
  • Plugins
# /usr/share/opensearch/bin/opensearch-plugin list
opensearch-alerting
opensearch-anomaly-detection
opensearch-asynchronous-search
opensearch-cross-cluster-replication
opensearch-custom-codecs
opensearch-flow-framework
opensearch-geospatial
opensearch-index-management
opensearch-job-scheduler
opensearch-knn
opensearch-ml
opensearch-neural-search
opensearch-notifications
opensearch-notifications-core
opensearch-observability
opensearch-performance-analyzer
opensearch-reports-scheduler
opensearch-security
opensearch-security-analytics
opensearch-skills
opensearch-sql

Do you have any screenshots?
If applicable, add screenshots to help explain your problem.

[screenshot: error]

Do you have any additional context?

It looks like the implementation of the "Sigma Modifiers" in Opensearch does not support IPv6 addresses with the CIDR modifier if I interpret this code correctly:
https://github.com/opensearch-project/security-analytics/blob/3e1f59d00125f522f565014bb7bd4d8ea8df2d73/src/main/java/org/opensearch/securityanalytics/rules/types/SigmaCIDRExpression.java

@rafaelma rafaelma added bug Something isn't working untriaged labels Aug 15, 2024
@rafaelma rafaelma changed the title [BUG] Sigma rules creation do not accept IPv6 addresses as values/list when defining a selection map with the modifier CIDR. [BUG] Sigma rules creation do not accept IPv6 addresses as value/list when defining a selection map with the modifier CIDR. Aug 15, 2024
@dblock dblock removed the untriaged label Sep 2, 2024
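The failure reported above comes from a CIDR check that assumes IPv4. As an added example (not code from this issue or from the security-analytics plugin), the Python below shows a family-neutral way to validate the values of a Sigma `|cidr` selection and to emulate the match a rule performs, using only the standard library `ipaddress` module. The function names, the error class and the sample values are constructed for this illustration; the IPv6 value is the one from the bug report.

```python
"""Family-neutral validation of Sigma `|cidr` modifier values.

Added example, not from the OpenSearch security-analytics code base.
The Sigma modifier documentation allows both IPv4 and IPv6 networks, so
a validator should dispatch on the address family rather than assume
IPv4; `ipaddress.ip_network` does exactly that.
"""
import ipaddress
from typing import List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class InvalidCidrExpression(ValueError):
    """Raised for a value that is neither a valid IPv4 nor IPv6 CIDR."""


def parse_cidr(value: str) -> Network:
    """Parse one CIDR expression of either family.

    strict=False masks off host bits (192.168.1.5/24 -> 192.168.1.0/24),
    so the caller sees the network the rule will actually match. A bare
    address without '/' becomes a /32 or /128 single-host network; that
    leniency is a choice of this example, not something the issue states.
    """
    try:
        return ipaddress.ip_network(value.strip(), strict=False)
    except ValueError as exc:
        # Name both families in the message; the error text in the issue
        # mentions only IPv4 and hides the real cause from the rule author.
        raise InvalidCidrExpression(
            f"{value!r} is not a valid IPv4 or IPv6 CIDR expression"
        ) from exc


def validate_cidr_values(values: List[str]) -> List[Tuple[int, str]]:
    """Validate every value of a `|cidr` selection (single value or list).

    Returns (ip_version, normalised_network) pairs so a caller can see
    which entries are v4 and which are v6 and what each will match.
    Raises InvalidCidrExpression on the first bad entry.
    """
    return [(net.version, str(net)) for net in map(parse_cidr, values)]


def address_matches(ip: str, values: List[str]) -> bool:
    """Emulate the rule's match: True if `ip` lies in any listed network."""
    addr = ipaddress.ip_address(ip)
    for net in map(parse_cidr, values):
        # An IPv4 address can never lie inside an IPv6 network, and the
        # `in` operator raises TypeError across families, so skip those.
        if addr.version == net.version and addr in net:
            return True
    return False


# Constructed sample input: the IPv6 value from the bug report plus an
# IPv4 network, as they might appear together in one selection list.
SAMPLE_VALUES = ["2a03:2880:f132:83:face:b00c::/96", "192.168.0.0/16"]

if __name__ == "__main__":
    for version, net in validate_cidr_values(SAMPLE_VALUES):
        print(f"IPv{version}: {net}")
    print(address_matches("2a03:2880:f132:83:face:b00c:0:1", SAMPLE_VALUES))
    try:
        parse_cidr("2a03:2880::/129")  # prefix length too long for IPv6
    except InvalidCidrExpression as exc:
        print("rejected:", exc)
```

Running the script lists both networks with their family, reports that an address inside the IPv6 /96 matches, and shows a malformed prefix being rejected with a message that names both families, which is the behaviour the expected-behaviour section above asks for.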
@dblock
Member

dblock commented Sep 2, 2024

[Weekly Catch All Triage - 1]
