
Segfault when matching detection with a % symbol #17

Open
veramine opened this issue Sep 3, 2022 · 2 comments

veramine commented Sep 3, 2022

I'm using sigma-go along with the public Sigma process_creation rules and found several that segfault like this:

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x2 addr=0x0 pc=0x1025aca1c]

goroutine 1 [running]:
github.com/bradleyjkemp/sigma-go/evaluator.(*RuleEvaluator).getMatcherValues(0x140001ed3f8, {0x102639b78, 0x14000116000}, {{0x1400012c318, 0xb}, {0x1400013bf30, 0x1, 0x1}, {0x1400013bf40, 0x2, ...}})
	/Users/jness/v/onprem/pkg/mod/github.com/bradleyjkemp/[email protected]/evaluator/evaluate_search.go:141 +0x1fc
github.com/bradleyjkemp/sigma-go/evaluator.RuleEvaluator.evaluateSearch({{{0x1400012c2e8, 0x13}, {{0x14000117760, 0x10}, {0x14000117740, 0x7}, {0x0, 0x0}, {0x0, 0x0}}, ...}, ...}, ...)
	/Users/jness/v/onprem/pkg/mod/github.com/bradleyjkemp/[email protected]/evaluator/evaluate_search.go:121 +0x184
github.com/bradleyjkemp/sigma-go/evaluator.RuleEvaluator.Matches({{{0x1400012c2e8, 0x13}, {{0x14000117760, 0x10}, {0x14000117740, 0x7}, {0x0, 0x0}, {0x0, 0x0}}, ...}, ...}, ...)
	/Users/jness/v/onprem/pkg/mod/github.com/bradleyjkemp/[email protected]/evaluator/evaluate.go:102 +0x148
main.main()
	/Users/jness/v/onprem/src/veramine.com/cmd/util/sigmatest/main.go:105 +0x4f8

These two rules in particular:

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_control_panel_item.yml

Notice that both these rules are looking for fields with a %. When I remove those %s, it no longer segfaults.

    CommandLine|contains:
      - '\System32\'
      - '%System%'

    CommandLine|contains:
      - 'C:\Users\Public\'
      - '%public%'
      - '\Desktop\'

bradleyjkemp (Owner) commented

Ah excellent timing, I think 5321737 actually fixes this (or at least downgrades it to an error)

The underlying cause is sigma-go thinking %public% is a placeholder (which I think it is?) but not having any way to expand that.

Better default behaviour might be to just assume all placeholders are empty, but for now you can do this yourself using the WithPlaceholderExpander option:

    func WithPlaceholderExpander(f func(ctx context.Context, placeholderName string) ([]string, error)) Option {
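To show what an expander actually has to do, here is a self-contained Go example written for this issue. It is not sigma-go's code: only the callback signature `func(ctx context.Context, placeholderName string) ([]string, error)` is taken from the maintainer's comment above, and the `contains` matcher, the `%name%` recogniser, the `mapExpander` lookup table and the sample command lines are all constructed for illustration. It demonstrates the two behaviours discussed in the thread: a placeholder that resolves to values is matched against those values, and a placeholder that resolves to nothing (a nil result, or no expander at all) simply matches nothing instead of dereferencing a nil value.

```go
package main

import (
	"context"
	"fmt"
	"regexp"
	"strings"
)

// PlaceholderExpander has the same shape as the callback that sigma-go's
// WithPlaceholderExpander option accepts (signature quoted in the issue).
type PlaceholderExpander func(ctx context.Context, placeholderName string) ([]string, error)

// placeholderRe recognises a whole pattern value of the form %name%.
// Hypothetical: sigma-go's own recogniser is not shown on this page.
var placeholderRe = regexp.MustCompile(`^%([A-Za-z0-9_]+)%$`)

// expandPattern turns one "contains" pattern into the literal substrings to test.
// A %name% pattern is resolved through the expander; a nil expander or a nil
// result ("assume all placeholders are empty", as the maintainer suggests)
// yields no literals, so that pattern matches nothing rather than crashing.
func expandPattern(ctx context.Context, expand PlaceholderExpander, pattern string) ([]string, error) {
	m := placeholderRe.FindStringSubmatch(pattern)
	if m == nil {
		return []string{pattern}, nil // plain literal, no expansion needed
	}
	if expand == nil {
		return nil, nil // no expander configured: placeholder is empty
	}
	values, err := expand(ctx, m[1])
	if err != nil {
		return nil, fmt.Errorf("expanding placeholder %q: %w", m[1], err)
	}
	return values, nil
}

// MatchesContains reports whether field contains any of the (expanded) patterns,
// case-insensitively, in the spirit of a Sigma `field|contains:` list.
// Empty literals are skipped so that an empty expansion never matches everything.
func MatchesContains(ctx context.Context, expand PlaceholderExpander, field string, patterns []string) (bool, error) {
	lower := strings.ToLower(field)
	for _, p := range patterns {
		literals, err := expandPattern(ctx, expand, p)
		if err != nil {
			return false, err
		}
		for _, lit := range literals {
			if lit != "" && strings.Contains(lower, strings.ToLower(lit)) {
				return true, nil
			}
		}
	}
	return false, nil
}

// mapExpander resolves placeholders from a caller-supplied table (constructed
// for this example). Unknown names return (nil, nil), i.e. "empty".
func mapExpander(table map[string][]string) PlaceholderExpander {
	return func(_ context.Context, name string) ([]string, error) {
		return table[strings.ToLower(name)], nil
	}
}

// EmptyExpander is the behaviour the reporter settled on: every placeholder
// expands to nothing.
func EmptyExpander(_ context.Context, _ string) ([]string, error) { return nil, nil }

func main() {
	ctx := context.Background()
	// Constructed sample: the "contains" list from the control-panel-item rule
	// quoted in the issue, plus constructed command lines.
	patterns := []string{`C:\Users\Public\`, `%public%`, `\Desktop\`}
	samples := []string{
		`control.exe C:\Users\Public\evil.cpl`,
		`control.exe C:\Windows\System32\main.cpl`,
	}
	withTable := mapExpander(map[string][]string{"public": {`C:\Users\Public`}})
	for _, cl := range samples {
		a, _ := MatchesContains(ctx, withTable, cl, patterns)
		b, _ := MatchesContains(ctx, EmptyExpander, cl, patterns)
		fmt.Printf("%-45s table=%v empty=%v\n", cl, a, b)
	}
}
```

The design point is that the expander, not the matcher, decides what `%public%` means: the table-backed expander makes the placeholder useful, while the empty expander only guarantees the rule can be evaluated without a crash, so any detection that relied on that pattern silently matches nothing and is worth reviewing.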

veramine commented Sep 5, 2022

Yep that worked fine, thanks!

    //r := evaluator.ForRule(rule, evaluator.WithConfig(config))
    // Every placeholder expands to nothing, so patterns like '%public%' match no event.
    r := evaluator.ForRule(rule, evaluator.WithConfig(config), evaluator.WithPlaceholderExpander(func(ctx context.Context, placeholderName string) ([]string, error) {
        return nil, nil
    }))
