
Support Temporal Proximity correlation #1446

Closed
YamatoSecurity opened this issue Oct 14, 2024 · 3 comments · Fixed by #1532
@YamatoSecurity

YamatoSecurity commented Oct 14, 2024

Support Temporal Proximity correlation

https://github.com/SigmaHQ/sigma-specification/blob/main/specification/sigma-correlation-rules-specification.md#temporal-proximity-temporal

Reference: https://blog.sigmahq.io/introducing-sigma-correlations-52fe377f2527

Sample rule from blog:

title: CVE-2023-22518 Exploit Chain
description: Access to endpoint vulnerable to CVE-2023-22518 with suspicious process creation.
status: experimental
correlation:
    type: temporal
    rules:
        - a902d249-9b9c-4dc4-8fd0-fbe528ef965c
        - 1ddaa9a4-eb0b-4398-a9fe-7b018f9e23db
    group-by:
        - Computer
    timespan: 10s
level: high

(Note: when testing you can use any two rules that find two different events within a short period of time.)

I think this is similar to the count rules we already have but instead of treating multiple rules as OR, we treat them as AND. And then we ignore the part about aggregating fields, so should actually be easier to implement. 😄 (Well, except for filtering to check if they have certain same fields, defined by group-by)

@fukusuket I think this one will be very easy for you, so I will assign you. 😉

@YamatoSecurity YamatoSecurity added the enhancement New feature or request label Oct 14, 2024
@YamatoSecurity YamatoSecurity modified the milestones: 3.0.0, v3.0 Oct 14, 2024
@fukusuket

@YamatoSecurity
Thank you for the assignment! Yes, I would love to implement it!!💪

@fukusuket

fukusuket commented Dec 9, 2024

It seems that a simple OR -> AND change may not be enough, and may be a bit difficult ... 🤔
(The reason is that multiple reference rules cannot simply be converted into a single selection block)

Current impl memo

Current Data Struct

// Imports were not part of the original memo; the crate paths (chrono, yaml_rust)
// are assumed from Hayabusa's dependencies.
use std::collections::HashMap;
use std::num::ParseIntError;
use std::sync::Arc;
use chrono::{DateTime, Utc};
use yaml_rust::Yaml;

pub struct RuleNode {
    pub rulepath: String,
    pub yaml: Yaml,
    detection: DetectionNode,
    countdata: HashMap<String, Vec<AggRecordTimeInfo>>,
}

struct DetectionNode {
    pub name_to_selection: HashMap<String, Arc<Box<dyn SelectionNode>>>,
    pub condition: Option<Box<dyn SelectionNode>>,
    pub aggregation_condition: Option<AggregationParseInfo>,
    pub timeframe: Option<TimeFrameInfo>,
}

pub struct AggResult {
    /// Value of count etc.
    pub data: i64,
    /// Value, in the matched record, of the field given in `count ... by`
    pub key: String,
    /// Values, in the matched records, of the field given inside the count() parentheses.
    /// A zero-length array if nothing was given inside the parentheses.
    pub field_values: Vec<String>,
    /// Timestamp of the first record of the detected block
    pub start_timedate: DateTime<Utc>,
    /// All timestamps and EventIDs of the records in the detected block
    pub agg_record_time_info: Vec<AggRecordTimeInfo>,
}

#[derive(Debug, Clone, PartialEq, Eq, Default)]
/// Struct holding the value inside the count() parentheses together with the record's information
pub struct AggRecordTimeInfo {
    pub field_value: String,
    pub time: DateTime<Utc>,
    pub event_id: String,
    pub computer: String,
    pub channel: String,
    pub evtx_file_path: String,
}

#[derive(Debug)]
/// Information set in timeframe. No SIGMA rule was found whose timeframe combines several
/// units (days, hours, minutes, seconds), so this struct stores only the unit type and the number.
pub struct TimeFrameInfo {
    pub timetype: String,
    pub timenum: Result<i64, ParseIntError>,
}

Current sequence

@fukusuket

fukusuket commented Dec 12, 2024

New impl memo

New Data Struct

  • Detection
    • rules: List(RuleNode)
    • temporalRules: List(TemporalRuleNode)
  • RuleNode
    • temporal_ref_id: String(UUID)
    • count_data: HashMap<String, AggRecordTimeInfo>
    • output:bool
  • TemporalRuleNode
    • ref_rule_ids: List(String(UUID))
    • time_frame
    • fn judge_satisfy_temporal_condition(count_data:HashMap<uuid, AggRecordTimeInfo>)

New Sequence

DetectionProcess
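As an added example (not code from Hayabusa or from either commenter), here is a self-contained Rust sketch of the `judge_satisfy_temporal_condition` idea in the design memo above, run against the semantics of the blog's sample rule from the first comment: the two referenced rules are treated as AND rather than OR, records are grouped by Computer, and all referenced rules must fire within the 10s timespan. It assumes epoch-second `i64` timestamps in place of `chrono::DateTime<Utc>`, a `timespan_secs` field in place of `time_frame`, and constructed sample records; the two rule UUIDs are the ones from the sample rule.

```rust
use std::collections::{BTreeMap, HashMap, HashSet};

/// A record that already matched one of the referenced rules.
/// Hayabusa's AggRecordTimeInfo uses chrono::DateTime<Utc>; plain epoch seconds
/// are used here (assumption) so the example has no dependencies.
#[derive(Debug, Clone)]
pub struct AggRecordTimeInfo {
    pub time: i64,
    pub event_id: String,
    pub computer: String,
}

/// The temporal correlation rule from the memo: referenced rule IDs plus the timespan.
/// `timespan_secs` stands in for the memo's `time_frame` (assumption); the group-by
/// field is fixed to Computer in this example.
#[derive(Debug)]
pub struct TemporalRuleNode {
    pub ref_rule_ids: Vec<String>,
    pub timespan_secs: i64,
}

/// One satisfied correlation: the group key and the window in which every referenced rule fired.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct TemporalHit {
    pub group_key: String,
    pub start: i64,
    pub end: i64,
}

impl TemporalRuleNode {
    /// `count_data` maps referenced rule UUID -> records matched by that rule.
    /// A hit is produced only when EVERY referenced rule (AND, not OR) has a record
    /// for the same Computer and those records all fall within `timespan_secs`.
    pub fn judge_satisfy_temporal_condition(
        &self,
        count_data: &HashMap<String, Vec<AggRecordTimeInfo>>,
    ) -> Vec<TemporalHit> {
        // Step 1: flatten to (time, rule_id) per group-by key; BTreeMap keeps the output deterministic.
        let mut per_group: BTreeMap<String, Vec<(i64, &str)>> = BTreeMap::new();
        for rule_id in &self.ref_rule_ids {
            if let Some(records) = count_data.get(rule_id) {
                for r in records {
                    per_group
                        .entry(r.computer.clone())
                        .or_default()
                        .push((r.time, rule_id.as_str()));
                }
            }
        }
        let needed: HashSet<&str> = self.ref_rule_ids.iter().map(String::as_str).collect();

        let mut hits = Vec::new();
        for (group_key, mut events) in per_group {
            events.sort_by_key(|e| e.0);
            // Step 2: slide a window anchored at each event. The first time the window holds
            // every referenced rule we emit one hit and continue after that window, so one
            // burst of events yields one correlation rather than many overlapping ones.
            let mut i = 0;
            while i < events.len() {
                let start = events[i].0;
                let mut seen: HashSet<&str> = HashSet::new();
                let mut matched_at = None;
                let mut j = i;
                while j < events.len() && events[j].0 - start <= self.timespan_secs {
                    seen.insert(events[j].1);
                    if seen.len() == needed.len() {
                        matched_at = Some(j);
                        break;
                    }
                    j += 1;
                }
                match matched_at {
                    Some(end_idx) => {
                        hits.push(TemporalHit { group_key: group_key.clone(), start, end: events[end_idx].0 });
                        i = end_idx + 1;
                    }
                    None => i += 1,
                }
            }
        }
        hits
    }
}

const RULE_A: &str = "a902d249-9b9c-4dc4-8fd0-fbe528ef965c";
const RULE_B: &str = "1ddaa9a4-eb0b-4398-a9fe-7b018f9e23db";

/// Constructed sample input (not real log data) keyed by the two rule IDs of the sample rule.
pub fn sample_count_data() -> HashMap<String, Vec<AggRecordTimeInfo>> {
    let rec = |time: i64, computer: &str, event_id: &str| AggRecordTimeInfo {
        time,
        event_id: event_id.to_string(),
        computer: computer.to_string(),
    };
    let mut m = HashMap::new();
    m.insert(RULE_A.to_string(), vec![
        rec(100, "host1", "4688"), // rule B follows 5s later on the same host -> hit
        rec(200, "host1", "4688"), // rule B follows 30s later -> outside timespan
        rec(400, "host3", "4688"), // rule B follows 11s later -> just outside 10s
        rec(500, "host1", "4688"), // rule B fires on a different Computer -> no hit
    ]);
    m.insert(RULE_B.to_string(), vec![
        rec(105, "host1", "1"),
        rec(230, "host1", "1"),
        rec(300, "host2", "1"), // only rule B ever fires on host2: AND semantics, no hit
        rec(411, "host3", "1"),
        rec(502, "host2", "1"),
    ]);
    m
}

pub fn run_sample() -> Vec<TemporalHit> {
    let rule = TemporalRuleNode {
        ref_rule_ids: vec![RULE_A.to_string(), RULE_B.to_string()],
        timespan_secs: 10,
    };
    rule.judge_satisfy_temporal_condition(&sample_count_data())
}

fn main() {
    for hit in run_sample() {
        println!("{hit:?}");
    }
}
```

Of the five rule-A/rule-B pairs in the sample, only the host1 pair at 100s/105s satisfies the rule; the others fail on the timespan, on the group-by key, or because only one of the two rules fired, which is exactly the AND-plus-grouping difference from the existing count rules that the first comment describes.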
