Support string wildcards (#20)

https://github.com/SigmaHQ/sigma-specification/blob/main/specification/sigma-rules-specification.md#string-wildcard

Author: jopohl

Cargo.toml

@@ -14,7 +14,6 @@ repository = "https://github.com/jopohl/sigma-rust"
 [dependencies]
 base64 = "0.22.1"
 cidr = "0.3.0"
-glob-match = "0.2.1"
 regex = "1.11.0"
 serde = { version = "1.0.210", features = ["derive"] }
 serde_yml = "0.0.12"
@@ -24,7 +23,11 @@ serde_json = { version = "1.0.132", optional = true }
 
 [dev-dependencies]
 walkdir = "2.5.0"
+criterion = { version = "0.5", features = ["html_reports"] }
 
+[[bench]]
+name = "matching_benchmark"
+harness = false
 
 [features]
 default = ["serde_json"]

README.md

@@ -11,6 +11,8 @@ A Rust library for parsing and evaluating Sigma rules to create custom detection
 
 - Supports the [Sigma condition](https://sigmahq.io/docs/basics/conditions.html) syntax using Pratt parsing
 - Supports all [Sigma field modifiers](https://sigmahq.io/docs/basics/modifiers.html) except `expand`
+- Support
+  for [String wildcards](https://github.com/SigmaHQ/sigma-specification/blob/main/specification/sigma-rules-specification.md#string-wildcard)
 - Written in 100% safe Rust
 - Daily automated security audit of dependencies
 - Extensive test suite

benches/matching_benchmark.rs

@@ -0,0 +1,62 @@
+use criterion::{black_box, criterion_group, criterion_main, Criterion};
+use serde_json::json;
+use sigma_rust::{check_rule, Event, Rule};
+
+fn rule_match_benchmark(c: &mut Criterion) {
+    let rule_yaml = r#"
+title: Rule for benchmarking
+logsource:
+detection:
+    selection_filename_suffix:
+        TargetFilename: ':\temp\'
+        TargetFilename|endswith: .exe
+    selection_image_suffix:
+        Image: ':\temp\'
+    condition: all of them
+        "#;
+
+    let rule: Rule = serde_yml::from_str(rule_yaml).unwrap();
+
+    let event: Event = json!( {
+        "EventID": 4624,
+        "LogName": "Security",
+        "TimeCreated": "2023-10-01T12:34:56.789Z",
+        "EventRecordID": 123456,
+        "Channel": "Security",
+        "Computer": "DESKTOP-1234ABCD",
+        "UserData": {
+            "SubjectUserName": "johndoe",
+            "SubjectDomainName": "WORKGROUP",
+            "SubjectLogonId": "0x123456",
+            "TargetUserName": "johndoe",
+            "TargetDomainName": "WORKGROUP",
+            "TargetLogonId": "0x654321",
+            "LogonType": 2,
+            "LogonProcessName": "User32",
+            "AuthenticationPackageName": "Negotiate",
+            "WorkstationName": "DESKTOP-1234ABCD",
+            "LogonGuid": "{00000000-0000-0000-0000-000000000000}",
+            "TransmittedServices": "-",
+            "LmPackageName": "-",
+            "KeyLength": 0,
+            "ProcessId": 1234,
+            "ProcessName": "C:\\Windows\\System32\\winlogon.exe",
+            "IpAddress": "192.168.1.100",
+            "IpPort": "12345"
+        },
+        "SomeKey": {
+            "SomeValue": "yes"
+        },
+        "TargetFilename": "C:\\temp\\autoit3.exe",
+        "Image": "C:\\temp\\hello.au3"
+    })
+    .try_into()
+    .unwrap();
+
+    c.bench_function("rule_match", |b| {
+        b.iter(|| check_rule(black_box(&rule), black_box(&event)))
+    });
+}
+
+criterion_group!(benches, rule_match_benchmark);
+criterion_main!(benches);

src/basevalue.rs

@@ -0,0 +1,200 @@
+use crate::error::ParserError;
+use std::cmp::Ordering;
+
+#[derive(Debug, Clone)]
+pub enum BaseValue {
+    String(String),
+    Int(i64),
+    Unsigned(u64),
+    Float(f64),
+    Boolean(bool),
+    Null,
+}
+
+impl From<i32> for BaseValue {
+    fn from(i: i32) -> Self {
+        Self::from(i as i64)
+    }
+}
+
+impl From<Option<i32>> for BaseValue {
+    fn from(option: Option<i32>) -> Self {
+        match option {
+            Some(i) => Self::from(i),
+            None => Self::Null,
+        }
+    }
+}
+
+impl From<i64> for BaseValue {
+    fn from(i: i64) -> Self {
+        Self::Int(i)
+    }
+}
+
+impl From<u32> for BaseValue {
+    fn from(u: u32) -> Self {
+        Self::from(u as u64)
+    }
+}
+
+impl From<u64> for BaseValue {
+    fn from(u: u64) -> Self {
+        Self::Unsigned(u)
+    }
+}
+
+impl From<f32> for BaseValue {
+    fn from(f: f32) -> Self {
+        Self::from(f as f64)
+    }
+}
+
+impl From<f64> for BaseValue {
+    fn from(f: f64) -> Self {
+        Self::Float(f)
+    }
+}
+
+impl From<bool> for BaseValue {
+    fn from(b: bool) -> Self {
+        Self::Boolean(b)
+    }
+}
+
+impl From<String> for BaseValue {
+    fn from(s: String) -> Self {
+        Self::String(s)
+    }
+}
+
+impl From<&str> for BaseValue {
+    fn from(s: &str) -> Self {
+        Self::from(s.to_string())
+    }
+}
+
+impl PartialEq for BaseValue {
+    fn eq(&self, other: &Self) -> bool {
+        match (self, other) {
+            (Self::String(a), Self::String(b)) => a.eq(b),
+            (Self::Int(a), Self::Int(b)) => a.eq(b),
+            (Self::Unsigned(a), Self::Unsigned(b)) => a.eq(b),
+            (Self::Float(a), Self::Float(b)) => a.eq(b),
+            (Self::Boolean(a), Self::Boolean(b)) => a.eq(b),
+            (Self::Null, Self::Null) => true,
+            _ => false,
+        }
+    }
+}
+
+impl PartialOrd for BaseValue {
+    fn partial_cmp(&self, other: &Self) -> Option<Ordering> {
+        match (self, other) {
+            (Self::String(a), Self::String(b)) => a.partial_cmp(b),
+            (Self::Int(a), Self::Int(b)) => a.partial_cmp(b),
+            (Self::Unsigned(a), Self::Unsigned(b)) => a.partial_cmp(b),
+            (Self::Float(a), Self::Float(b)) => a.partial_cmp(b),
+            (Self::Boolean(a), Self::Boolean(b)) => a.partial_cmp(b),
+            (Self::Null, Self::Null) => Some(Ordering::Equal),
+            _ => None,
+        }
+    }
+}
+
+impl BaseValue {
+    pub(crate) fn value_to_string(&self) -> String {
+        match self {
+            Self::String(s) => s.to_string(),
+            Self::Int(i) => i.to_string(),
+            Self::Float(f) => f.to_string(),
+            Self::Unsigned(u) => u.to_string(),
+            Self::Boolean(b) => b.to_string(),
+            Self::Null => "".to_string(),
+        }
+    }
+}
+
+macro_rules! number {
+    ($n:expr) => {
+        if let Some(i) = $n.as_i64() {
+            Ok(Self::Int(i))
+        } else if let Some(u) = $n.as_u64() {
+            Ok(Self::Unsigned(u))
+        } else {
+            Ok(Self::Float(
+                $n.as_f64().expect("Number is neither Int nor Unsigned"),
+            ))
+        }
+    };
+}
+
+#[cfg(feature = "serde_json")]
+impl TryFrom<serde_json::Value> for BaseValue {
+    type Error = crate::error::JSONError;
+
+    fn try_from(value: serde_json::Value) -> Result<Self, Self::Error> {
+        match value {
+            serde_json::Value::String(s) => Ok(Self::String(s)),
+            serde_json::Value::Number(n) => number!(n),
+            serde_json::Value::Bool(b) => Ok(Self::Boolean(b)),
+            serde_json::Value::Null => Ok(Self::Null),
+            _ => Err(Self::Error::InvalidFieldValue(format!("{:?}", value))),
+        }
+    }
+}
+
+impl TryFrom<serde_yml::Value> for BaseValue {
+    type Error = ParserError;
+
+    fn try_from(value: serde_yml::Value) -> Result<Self, Self::Error> {
+        match value {
+            serde_yml::Value::Bool(b) => Ok(Self::Boolean(b)),
+            serde_yml::Value::Number(n) => number!(n),
+            serde_yml::Value::String(s) => Ok(Self::String(s)),
+            serde_yml::Value::Null => Ok(Self::Null),
+            _ => Err(ParserError::InvalidYAML(format!("{:?}", value))),
+        }
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[allow(clippy::neg_cmp_op_on_partial_ord)]
+    #[test]
+    fn test_field_value_type() {
+        assert_eq!(BaseValue::from("1"), BaseValue::String("1".to_string()));
+        assert_eq!(BaseValue::from("2"), BaseValue::String("2".to_string()));
+        assert_eq!(BaseValue::from(Some(42)), BaseValue::Int(42));
+        assert_eq!(BaseValue::from(2u32), BaseValue::Unsigned(2));
+        assert_eq!(BaseValue::from(3f32), BaseValue::Float(3.0));
+        assert_ne!(BaseValue::from("1"), BaseValue::from("3"));
+        assert_ne!(BaseValue::from("2"), BaseValue::Int(2_i64));
+        assert_ne!(BaseValue::Int(3), BaseValue::Float(3.0));
+
+        assert!(BaseValue::Int(10) < BaseValue::Int(20));
+        assert!(!(BaseValue::Int(20) < BaseValue::from("30")));
+        assert!(!(BaseValue::Int(20) < BaseValue::Float(30.0)));
+        assert!(!(BaseValue::Int(34) < BaseValue::Float(30.0)));
+        assert!(BaseValue::Boolean(false) < BaseValue::Boolean(true));
+        assert!(BaseValue::Int(10) >= BaseValue::Int(10));
+        assert!(BaseValue::Int(10) > BaseValue::Int(4));
+        assert!(BaseValue::Int(10) >= BaseValue::Int(4));
+        assert!(
+            BaseValue::from(18446744073709551615_u64) > BaseValue::from(18446744073709551614_u64)
+        );
+        assert_eq!(
+            BaseValue::from(18446744073709551615_u64),
+            BaseValue::from(18446744073709551615_u64)
+        );
+
+        let yaml = r#"
+        EventID: 18446744073709551615
+"#;
+        let v: serde_yml::Value = serde_yml::from_str(yaml).unwrap();
+        let base_value = BaseValue::try_from(v["EventID"].clone()).unwrap();
+        assert_eq!(base_value, BaseValue::Unsigned(18446744073709551615));
+    }
+}

src/detection.rs

@@ -5,7 +5,7 @@ use crate::detection::ast::Ast;
 use crate::error::ParserError;
 use crate::event::Event;
 use crate::selection::Selection;
-use glob_match::glob_match;
+use crate::wildcard::match_tokenized;
 use serde::Deserialize;
 use serde_yml::Value;
 use std::collections::HashMap;
@@ -121,7 +121,7 @@ impl Detection {
             Ast::OneOf(s) => self
                 .selections
                 .keys()
-                .filter(|name| glob_match(s, name))
+                .filter(|name| match_tokenized(s, name, false))
                 .any(|name| self.evaluate_selection(name, lookup, event)),
             Ast::OneOfThem => self
                 .selections
@@ -130,7 +130,7 @@ impl Detection {
             Ast::AllOf(s) => self
                 .selections
                 .keys()
-                .filter(|name| glob_match(s, name))
+                .filter(|name| match_tokenized(s, name, false))
                 .all(|name| self.evaluate_selection(name, lookup, event)),
             Ast::AllOfThem => self
                 .selections
@@ -242,15 +242,15 @@ mod tests {
     #[test]
     fn test_evaluate_all_of() {
         let detection_yaml = r#"
-    selection_1:
+    selection_1x:
         EventID: 6416
         RandomID|contains:
             - ab
             - cd
             - ed
-    selection_2:
+    selection_2x:
         EventID: 5555
-    condition: all of selection*
+    condition: all of sel*tion*x
 "#;
 
         let mut event = Event::from([("EventID", 6416)]);