Comments (2)
@mdazam1942 I encountered different behavior of the Elastic ECS LIKE; here's the summary.
Let's say the key is network.protocol and the value is ssh.
In the current state of STIX-Shifter, the query [network-traffic:protocols[*] LIKE 's%'] is translated into network.transport : s*, which works correctly and returns results.
However, if there are spaces between the terms, for example [network-traffic:protocols[*] LIKE 's %'], it is translated to network.transport : s * and returns all the results that ever existed in the ECS, which is wrong.
In order to solve it we can add " around the query's value. For example, for a document with a process.command_line value of taskhostw.exe Logon, if we do the query [process:command_line LIKE 'taskhostw.exe %'], it will translate to process.command_line : \"taskhostw.exe *\", which is also OK.
The problem is that with this fix, [network-traffic:protocols[*] LIKE 's %'] won't return results now: it translates to network.transport : \"s*\", which returns zero results and doesn't catch the ssh value.
So if we fix one place, we cause an issue in the other. What do you think?
@barvhaim so there's another wildcard character, _, that can be used with the LIKE operator. We just need to handle the space. I wonder whether using the underscore could be useful; I've never tried it, though. The pattern may look like this: [network-traffic:protocols[*] LIKE 's_%']
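The following is an added example, not code from the stix-shifter project or from either commenter. It translates a STIX LIKE pattern into a Lucene query_string clause along the lines this thread describes, with one change to the proposed fix: a value containing a space is not wrapped in double quotes, because a quoted Lucene phrase does not interpret wildcards (which is why the quoted form \"s*\" stops matching ssh); instead the space is backslash-escaped so the value stays a single wildcard term rather than splitting into the two terms s and *. A small reference evaluator of STIX/SQL LIKE semantics is included so you can state what each pattern, including the 's_%' form suggested above, should return for a few constructed sample values. The function names, the escape set and the sample values are assumptions of this example.

```python
from __future__ import annotations

import re

# Characters the Lucene query_string parser treats as operators. Each one gets a
# leading backslash so it is matched literally. A space is escaped for the same
# reason: an unescaped space splits the value into two terms, which is how the
# pattern 's %' became "s *" and matched every document.
# '<' and '>' are deliberately absent: the Elasticsearch docs state they cannot
# be escaped, so this example leaves them alone (assumption: callers reject or
# strip them upstream).
_LUCENE_SPECIAL = set('+-=&|!(){}[]^"~*?:\\/ ')


def like_to_query_string(field: str, pattern: str) -> str:
    """Translate a STIX LIKE pattern into a Lucene query_string clause.

    STIX LIKE follows SQL semantics: '%' matches any run of characters and
    '_' matches exactly one character; everything else is literal. Wildcards
    are emitted unescaped ('*' and '?'), literals that collide with Lucene
    operators are backslash-escaped, and the value is never wrapped in quotes
    because a quoted Lucene phrase does not interpret wildcards.
    """
    out = []
    for ch in pattern:
        if ch == '%':
            out.append('*')
        elif ch == '_':
            out.append('?')
        elif ch in _LUCENE_SPECIAL:
            out.append('\\' + ch)
        else:
            out.append(ch)
    return f"{field}:{''.join(out)}"


def like_matches(pattern: str, value: str) -> bool:
    """Reference evaluator for STIX/SQL LIKE semantics.

    Used to state what a translated query *should* return for a given
    document value, independently of how the backend parses the query.
    """
    regex = ''.join(
        '.*' if ch == '%' else '.' if ch == '_' else re.escape(ch)
        for ch in pattern
    )
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


def expected_hits(pattern: str, values: list[str]) -> list[str]:
    """Return the sample values a correct backend must return for `pattern`."""
    return [v for v in values if like_matches(pattern, v)]


# Constructed sample field values, not taken from any real ECS index.
SAMPLE_TRANSPORTS = ["ssh", "s", "smtp", "s tls", "tcp"]
SAMPLE_COMMAND_LINES = ["taskhostw.exe Logon", "taskhostw.exe", "cmd.exe /c whoami"]

if __name__ == "__main__":
    for field, pattern, values in [
        ("network.transport", "s%", SAMPLE_TRANSPORTS),
        ("network.transport", "s %", SAMPLE_TRANSPORTS),
        ("network.transport", "s_%", SAMPLE_TRANSPORTS),
        ("process.command_line", "taskhostw.exe %", SAMPLE_COMMAND_LINES),
    ]:
        print(f"LIKE {pattern!r:20} -> {like_to_query_string(field, pattern)}")
        print(f"{'':26}must match: {expected_hits(pattern, values)}")
```

Run stand-alone, the script shows that 's %' becomes network.transport:s\ * (one term, so it can no longer match every document) and that under LIKE semantics it must not match ssh at all, while 's_%' must match ssh, smtp and s tls but not the bare value s. The escaped-space form is this example's assumption about the right fix; check it against a real Elasticsearch index with the field's actual mapping (keyword versus analyzed text changes how wildcard terms behave) before relying on it in a connector.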