
Compare two different attributes of a log #102

Open
nofaceinbook opened this issue Nov 5, 2023 · 2 comments
Comments


nofaceinbook commented Nov 5, 2023

I have now checked the specification (thank you very much for it) several times, but I don't see a possibility to compare two different attributes of a log file. E.g. you want to check if the sourceIp is equal to destinationIp (not discussing here if this example makes any sense).
If this feature is not yet available I would suggest allowing a new modifier 'field'. In case it is present the value of a search identifier is treated as a fieldname. E.g.

```yaml
selection:
    sourceIp|field: destinationIp    # select flows where sourceIp equals destinationIp
```

Also having the option to compare values with comparison modifiers of the new version like:

```yaml
selection:
    bytesOut|field|g: bytesIn   # select flows where more bytes went out than in
```

And in addition I would also vote for a specific "not equal" comparison, e.g. 'ne', to avoid having a complicated comparison with two different selections and a not-statement for this.


Res260 commented Nov 5, 2023

This modifier exists! However, it's in version 2 of the specification. It's called fieldref: https://github.com/SigmaHQ/sigma-specification/blob/version_2/appendix_modifer.md

@nofaceinbook
Author

Great. Thank you very much @Res260. So I did not read version 2 carefully enough :-)

But I would still recommend having a not-equal modifier like 'ne' as described above.
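To make the semantics under discussion concrete, here is a small added example (not code from this issue, the Sigma specification or pySigma) that evaluates a selection whose value is a field reference, combined with a comparison modifier, and shows the two-selection-plus-not construction the reporter wants to replace with `ne`. The `ne` modifier and the flow records are assumptions constructed for the example.

```python
"""Toy evaluator for the field-reference and comparison modifiers discussed in
this issue. Constructed illustration: not pySigma and not the specification's
own implementation. Keys use the thread's syntax, e.g. "bytesOut|fieldref|gt";
"ne" is the reporter's proposed not-equal modifier, an assumption here."""
import operator

# Comparison modifiers: gt/gte/lt/lte carry the version-2 names, ne is proposed.
_OPS = {"eq": operator.eq, "ne": operator.ne, "gt": operator.gt,
        "gte": operator.ge, "lt": operator.lt, "lte": operator.le}

def _parse_key(key):
    """Split 'bytesOut|fieldref|gt' into (field, is_fieldref, comparison)."""
    field, *mods = key.split("|")
    cmp = next((m for m in mods if m in _OPS), "eq")
    return field, "fieldref" in mods, cmp

def match_selection(selection, event):
    """True when every key/value pair of the selection holds for the event."""
    for key, value in selection.items():
        field, is_ref, cmp = _parse_key(key)
        if field not in event:
            return False
        if is_ref:  # the value names another field of the same event
            if value not in event:
                return False
            value = event[value]
        if not _OPS[cmp](event[field], value):
            return False
    return True

# Constructed sample flow records, not real traffic.
SAMPLE_FLOWS = [
    {"id": 1, "sourceIp": "10.0.0.5", "destinationIp": "10.0.0.5",
     "bytesOut": 900, "bytesIn": 100},
    {"id": 2, "sourceIp": "10.0.0.5", "destinationIp": "10.0.0.9",
     "bytesOut": 50, "bytesIn": 5000},
    {"id": 3, "sourceIp": "10.0.0.7", "destinationIp": "10.0.0.8",
     "bytesOut": 700, "bytesIn": 100},
]

def matching_ids(selection, events=SAMPLE_FLOWS):
    """Ids of the events a selection such as {"sourceIp|fieldref": "destinationIp"} matches."""
    return [e["id"] for e in events if match_selection(selection, e)]

def matching_ids_without_ne(events=SAMPLE_FLOWS):
    """sourceIp != destinationIp done the long way the reporter wants to avoid:
    one selection requiring both fields, 'and not' a fieldref equality selection."""
    equal = {"sourceIp|fieldref": "destinationIp"}
    return [e["id"] for e in events if "sourceIp" in e and "destinationIp" in e
            and not match_selection(equal, e)]
```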
