fix(matchers): fixed windash modifier #1392

Yamato-Security · Aug 10, 2024 · 090e153 · 090e153
1 parent bb3bb6e
commit 090e153
Showing 1 changed file with 22 additions and 2 deletions.
diff --git a/src/detections/rule/matchers.rs b/src/detections/rule/matchers.rs
@@ -618,12 +618,32 @@ impl LeafMatcher for DefaultMatcher {
  FastMatch::StartsWith(s) => Self::starts_with_ignore_case(event_value_str, s),
  FastMatch::EndsWith(s) => Self::ends_with_ignore_case(event_value_str, s),
  FastMatch::Contains(s) | FastMatch::AllOnly(s) => {
- Some(utils::contains_str(&event_value_str.to_lowercase(), s))
+ if self.pipes.contains(&PipeElement::Windash) {
+ Some(utils::contains_str(
+ &event_value_str
+ .replacen(['-', '–', '—', '―'], "/", 1)
+ .to_lowercase(),
+ s,
+ ))
+ } else {
+ Some(utils::contains_str(&event_value_str.to_lowercase(), s))
+ }
  }
  }
  } else {
  Some(fast_matcher.iter().any(|fm| match fm {
- FastMatch::Contains(s) => utils::contains_str(event_value_str, s),
+ FastMatch::Contains(s) => {
+ if self.pipes.contains(&PipeElement::Windash) {
+ utils::contains_str(
+ &event_value_str
+ .replacen(['-', '–', '—', '―'], "/", 1)
+ .to_lowercase(),
+ s,
+ )
+ } else {
+ utils::contains_str(event_value_str, s)
+ }
+ }
  _ => false,
  }))
  };