How to check if field value is contained in range or less than/greater than some number

Question

How to check if field value is contained in range or less than/greater than some number

navgeetagrawal-uptycs opened this issue 2 years ago · 1 comments

navgeetagrawal-uptycs commented 2 years ago

Is it possible to write a rule that checks if a value lies in a specified range? Example:

detection:
  selection:
    PORT|range:
      - 1
      - 1024

Also, is it possible to check if a field is less/greater than a number? Example:

detection:
  selection:
    PORT|less_than_equal_to: 32767

Answer 1 · 2023-05-21T07:08:10.000Z

Hello,
With sigma-cli try sigma list modifiers

Modifier	Description
lt	Numeric less than (<) matching.
lte	Numeric less than or equal (<=) matching.
gt	Numeric greater than (>) matching.
gte	Numeric greater than or equal (>=) matching.

For a range you have to make a gt and a lt.
I do not think that many backend can manage a range selection.
In the same time, adding a modify range may add unnecessary complexity.