What is the bug?
When creating a Sigma rule with detection criteria that use a map with Modifier=CIDR, you will get the error message "[security_analytics_exception] Invalid IPv4 CIDR expression" if the value of the map is an IPv6 address.
How can one reproduce the bug?
Steps to reproduce the behavior:
1. Go to the [Security Analytics][Detection rules][Create detection rule] page in OpenSearch.
2. Define a rule with a detection map that includes, for example:
   Key: ip.address
   Modifier: CIDR
   Value: 2a03:2880:f132:83:face:b00c::/96
3. Press "Create detection rule".
4. Get this error: "[security_analytics_exception] Invalid IPv4 CIDR expression"
rafaelma changed the title from "[BUG] Sigma rules creation do not accept IPv6 addresses as values/list when defining a selection map with the modifier CIDR." to "[BUG] Sigma rules creation do not accept IPv6 addresses as value/list when defining a selection map with the modifier CIDR." on Aug 15, 2024
What is the expected behavior?
It should work with both IPv4 and IPv6 addresses according to the Sigma rules documentation, ref: https://sigmahq.io/docs/basics/modifiers.html#cidr
What is your host/environment?
Do you have any screenshots?
Do you have any additional context?
It looks like the implementation of the "Sigma Modifiers" in OpenSearch does not support IPv6 addresses with the CIDR modifier, if I interpret this code correctly:
https://github.com/opensearch-project/security-analytics/blob/3e1f59d00125f522f565014bb7bd4d8ea8df2d73/src/main/java/org/opensearch/securityanalytics/rules/types/SigmaCIDRExpression.java
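Added example, not code from the issue and not the security-analytics project's Java (the linked SigmaCIDRExpression.java is not reproduced here): a small evaluator for a Sigma selection map that uses the cidr modifier, written in Python against the standard ipaddress module. It shows the behaviour the Sigma documentation describes, where one value list may mix IPv4 and IPv6 networks, next to an IPv4-only parser that reproduces the "Invalid IPv4 CIDR expression" failure for the IPv6 value from the report. All function names, the SELECTION map and the sample events are constructed for illustration; the strict=True choice (rejecting a network with host bits set) is a design decision of this example, not a statement about either OpenSearch or pySigma.

```python
"""Added example: evaluating a Sigma selection map with the ``cidr`` modifier.

Not code from the issue or from opensearch-project/security-analytics; the
function names, SELECTION and EVENTS below are constructed for illustration.
"""
import ipaddress
from typing import Any, Dict, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def ipv4_only_cidr(expr: str) -> ipaddress.IPv4Network:
    """IPv4-only parser: the failure mode the issue reports.

    Every IPv6 expression, valid or not, is rejected with the message the
    reporter saw, because the IPv6 family is never tried.
    """
    try:
        return ipaddress.IPv4Network(expr, strict=True)
    except ValueError as exc:
        raise ValueError("Invalid IPv4 CIDR expression") from exc


def parse_cidr(expr: str) -> Network:
    """Family-agnostic parser matching the documented Sigma behaviour.

    ``ipaddress.ip_network`` selects IPv4 or IPv6 from the text itself.
    ``strict=True`` is this example's choice: ``10.0.0.1/8`` (host bits set)
    is treated as a rule-authoring error instead of being widened silently.
    """
    try:
        return ipaddress.ip_network(expr, strict=True)
    except ValueError as exc:
        raise ValueError(f"Invalid IPv4 or IPv6 CIDR expression: {expr!r}") from exc


def cidr_matches(expr: str, value: Any) -> bool:
    """True if ``value`` is an address inside the network ``expr``.

    A field that is not an IP address, or one of the other family (an IPv4
    event value tested against an IPv6 network), is a non-match, not an
    error: validating the rule and matching an event are separate concerns.
    """
    net = parse_cidr(expr)
    try:
        addr = ipaddress.ip_address(str(value))
    except ValueError:
        return False
    return addr.version == net.version and addr in net


def selection_matches(selection: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Evaluate a Sigma selection map against one flat event.

    Map semantics: every key must match (AND); a list of values matches when
    any value matches (OR). Keys may carry ``|cidr``; keys without a modifier
    are compared for plain equality.
    """
    for key, wanted in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        actual = event[field]
        values: List[Any] = wanted if isinstance(wanted, list) else [wanted]
        if modifier == "cidr":
            hit = any(cidr_matches(str(v), actual) for v in values)
        elif modifier == "":
            hit = any(actual == v for v in values)
        else:
            raise ValueError(f"unsupported modifier {modifier!r} in key {key!r}")
        if not hit:
            return False
    return True


# The selection from the issue as a Sigma rule would write it, plus an IPv4
# network so both families sit in the same value list.
SELECTION = {"ip.address|cidr": ["2a03:2880:f132:83:face:b00c::/96", "10.0.0.0/8"]}

# Constructed sample events (not real log data).
EVENTS = [
    {"ip.address": "2a03:2880:f132:83:face:b00c:1:2"},  # inside the /96
    {"ip.address": "2a03:2880:f132:83:face:b00d::1"},   # differs within the first 96 bits
    {"ip.address": "10.23.4.5"},                         # inside 10.0.0.0/8
    {"ip.address": "192.168.1.1"},                       # matches neither network
    {"ip.address": "not-an-ip"},                         # unparsable field, no match
]


def matching_events(selection: Dict[str, Any], events: List[Dict[str, Any]]) -> List[str]:
    """Return the ip.address of every event the selection matches."""
    return [e["ip.address"] for e in events if selection_matches(selection, e)]


if __name__ == "__main__":
    for expr in ("2a03:2880:f132:83:face:b00c::/96", "10.0.0.0/8"):
        print(expr, "->", parse_cidr(expr))
    try:
        ipv4_only_cidr("2a03:2880:f132:83:face:b00c::/96")
    except ValueError as exc:
        print("ipv4-only parser:", exc)
    print("matches:", matching_events(SELECTION, EVENTS))
```

The point to check when fixing a validator like this is that the two families are kept separate at match time as well as at parse time: an IPv4 address compared against an IPv6 network should simply not match, and an unparsable field value should not turn into a runtime error in the detector.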