Changed to not use Lookahead regex
#4964
Conversation
Lookahead regex
Regex compile testI tested on regex101. Rust
Java
.NET(C#)
Python
PCRE2
|
Regex compile testGolangSince regex101 does not correctly check Golang regex containing backquotes, I wrote a simple script to check (Backslash escaping is required, so after manually adding) https://go.dev/play/p/UW4ADHQHpmm 
|
Lookahead regexLookahead regex
|
Sorry, I noticed that this pull request needs a little more improvement, so I'll fix it. |
|
Converting this case to a rule without lookahead is difficult... I tried to deal with it by filtering out FYI: Golang
Rust: We are very grateful for the Sigma project :) |
|
This is indeed a difficult case (especially for scriptblock). We'll accept the blindspot for now, until we can find a better solution. I will add a test for lookahead usage in regex, to avoid this in the future. Thanks for the quick fix. |
Summary of the Pull Request
Since lookahead(and lookbehind) regex are not supported in Golang or Rust,
I replaced the lookahead regex
with simplecontainslogic as follows.before(lookahead regex):(?=.*`)after(contains logic):|contains: '`'FYI: #4526
I think it's difficult to support regex for all languages...,
but I think it might be better to use more supported regex as much as possible.
Changelog
fix: Powershell Token Obfuscation - Powershell - Changed to not use Lookahead regex
fix: Powershell Token Obfuscation - Process Creation - Changed to not use Lookahead regex
Example Log Event
N/A
Fixed Issues
Golang
https://go.dev/play/p/YjkmggquHlV
Rust
SigmaHQ Rule Creation Conventions