Changed to not use Lookahead regex #4964
Regex compile test
I tested on regex101: Rust, Java, .NET (C#), Python, PCRE2

Regex compile test: Golang
Since regex101 does not correctly check Golang regex containing backquotes, I wrote a simple script to check (backslash escaping is required, so I checked after adding it manually): https://go.dev/play/p/UW4ADHQHpmm
Sorry, I noticed that this pull request needs a little more improvement, so I'll fix it.

Converting this case to a rule without lookahead is difficult... I tried to deal with it by filtering out
FYI: Golang
Rust:
We are very grateful for the Sigma project :)

This is indeed a difficult case (especially for scriptblock). We'll accept the blindspot for now, until we can find a better solution. I will add a test for lookahead usage in regex, to avoid this in the future. Thanks for the quick fix.
Summary of the Pull Request
Since lookahead (and lookbehind) regex are not supported in Golang or Rust, I replaced the lookahead regex with simple contains logic as follows.
before (lookahead regex): (?=.*`)
after (contains logic): |contains: '`'
FYI: #4526
I think it's difficult to support regex for all languages..., but I think it might be better to use more supported regex as much as possible.
Changelog
fix: Powershell Token Obfuscation - Powershell - Changed to not use Lookahead regex
fix: Powershell Token Obfuscation - Process Creation - Changed to not use Lookahead regex
Example Log Event
N/A
Fixed Issues
Golang
https://go.dev/play/p/YjkmggquHlV
Rust
SigmaHQ Rule Creation Conventions
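
The compile check discussed in this thread, written out as an added example (not code from the pull request or the Sigma project): it runs sample patterns through Go's RE2-based `regexp` package and applies the "contains plus lookahead-free regex" form of the condition. The patterns, inputs and the names `samplePatterns`, `checkPortable` and `matchRewritten` are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample patterns, not copied from the Sigma rules.
var samplePatterns = []string{
	"(?=.*`)\\w+-\\w+", // lookahead: a backtick must follow the match start
	"(?<=-)\\w+`\\w+",  // lookbehind
	"\\w+`\\w+",        // no lookaround
}

// checkPortable compiles each pattern with Go's regexp package and
// returns the patterns it rejects, mapped to the compiler's error.
func checkPortable(patterns []string) map[string]error {
	rejected := make(map[string]error)
	for _, p := range patterns {
		if _, err := regexp.Compile(p); err != nil {
			rejected[p] = err
		}
	}
	return rejected
}

// matchRewritten applies the rewritten condition: a substring test for the
// backtick AND a lookahead-free regex. The substring test ignores position,
// so it also accepts a backtick that sits before the regex match, which the
// lookahead form would not.
func matchRewritten(re *regexp.Regexp, s string) bool {
	return strings.Contains(s, "`") && re.MatchString(s)
}

func main() {
	for p, err := range checkPortable(samplePatterns) {
		fmt.Printf("rejected %q: %v\n", p, err)
	}
	re := regexp.MustCompile(`\w+-\w+`) // sample regex with the lookahead removed
	// Constructed inputs: backtick inside the token, none, and before the token.
	for _, s := range []string{"Get-Ch`ildItem", "Get-ChildItem", "`x Get-Item"} {
		fmt.Printf("%q match=%v\n", s, matchRewritten(re, s))
	}
}
```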