Merge pull request #782 from Yamato-Security/add-supported-modifier

chg: add supported modifier (`contains|cased`, `startswith|cased`, `endswith|cased`)
Yamato-Security · Nov 26, 2024 · 2840764 · 2840764
2 parents 0342ae5 + ca50787
commit 2840764
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 2 deletions.
diff --git a/doc/SupportedSigmaFieldModifiers.md b/doc/SupportedSigmaFieldModifiers.md
@@ -8,9 +8,11 @@
 | contains                      |          2764 |               21 |
 | containsǀall                  |           977 |                0 |
 | containsǀallǀwindash          |             4 |                0 |
+| containsǀcased                |             0 |                0 |
 | containsǀwindash              |            78 |                0 |
 | endswith                      |          2915 |              271 |
 | endswithfield                 |             0 |                0 |
+| endswithǀcased                |             0 |                0 |
 | endswithǀwindash              |             2 |                0 |
 | equalsfield                   |             0 |                0 |
 | exists                        |             0 |                0 |
@@ -27,6 +29,7 @@
 | reǀm                          |             0 |                0 |
 | reǀs                          |             0 |                0 |
 | startswith                    |           443 |                6 |
+| startswithǀcased              |             0 |                0 |
 | utf16beǀbase64offsetǀcontains |             0 |                0 |
 | utf16leǀbase64offsetǀcontains |             0 |                0 |
 | utf16ǀbase64offsetǀcontains   |             0 |                0 |
@@ -53,5 +56,5 @@
 | temporal_count (with group-by) |             0 |                0 |
 
 This document is being dynamically updated based on the latest rules.  
-Last Update: 2024/11/26  
+Last Update: 2024/11/27  
 Author: Fukusuke Takahashi
diff --git a/scripts/supported_modifiers_check/supported-modifier.py b/scripts/supported_modifiers_check/supported-modifier.py
@@ -62,7 +62,7 @@ def get_yml_detection_counts(dir_path: str) -> (Counter, Counter):
     logging.info('Finished processing YAML files')
 
     sigma_modifiers = [
-        'all', 'startswith', 'endswith', 'contains', 'exists', 'cased', 'windash', 're', 're|i', 're|m', 're|s',
+        'all', 'startswith', 'endswith', 'contains', 'exists', 'cased', "contains|cased", "startswith|cased", "endswith|cased", 'windash', 're', 're|i', 're|m', 're|s',
         'base64', 'base64offset', 'utf16le|base64offset|contains', 'utf16be|base64offset|contains', 'utf16|base64offset|contains', 'wide|base64offset|contains',
         'lt', 'lte', 'gt', 'gte', 'cidr', 'expand', 'fieldref', 'fieldref|startswith', 'fieldref|contains','fieldref|endswith', 'equalsfield', 'endswithfield'
     ]