Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: add support for Sigma v2 |re sub modifiers #1399

Merged
merged 2 commits into from
Aug 16, 2024
Merged

feat: add support for Sigma v2 |re sub modifiers #1399

merged 2 commits into from
Aug 16, 2024

Conversation

fukusuket
Copy link
Collaborator

@fukusuket fukusuket commented Aug 15, 2024
edited
Loading

What Changed

Test

csv-timeline/json-timeline diff check (compared with main branch)

No difference in the result file compared to the main branch.
https://github.com/Yamato-Security/hayabusa/actions/runs/10411818917

Integration-test

All commands work properly.
https://github.com/Yamato-Security/hayabusa/actions/runs/10411817930

I would appreciate it if you could check it out when you have time🙏

@fukusuket fukusuket self-assigned this Aug 15, 2024
@fukusuket fukusuket added the enhancement New feature or request label Aug 15, 2024
@fukusuket fukusuket added this to the v2.17.0 milestone Aug 15, 2024
@fukusuket fukusuket changed the title feat: add support for Sigma v2 |re sub modifier feat: add support for Sigma v2 |re sub modifiers Aug 15, 2024
@fukusuket
Copy link
Collaborator Author

fukusuket commented Aug 16, 2024
edited
Loading

Test data

There are three mached logs.

% ./hayabusa-2.16.0-mac-aarch64 json-timeline -p super-verbose -f ../hayabusa-sample-evtx/YamatoSecurity/ImpairDefenses/T1562.010_DowngradeAttack_PowerShell.evtx -e informational -w -q
Start time: 2024/08/16 09:28

Total event log files: 1
Total file size: 69.6 KB

Loading detection rules. Please wait.

Excluded rules: 4,397
Noisy rules: 12 (Disabled)

Deprecated rules: 2 (2.04%) (Disabled)
Experimental rules: 5 (5.10%)
Stable rules: 76 (77.55%)
Test rules: 17 (17.35%)

Hayabusa rules: 83
Sigma rules: 15
Total detection rules: 98

Creating the channel filter. Please wait.

Evtx files loaded after channel filter: 1
Detection rules enabled after channel filter: 1

Output profile: super-verbose

Scanning in progress. Please wait.

[00:00:00] 1 / 1   [========================================] 100%

Scanning finished. Please wait while the results are being saved.


{
    "Timestamp": "2021-01-28 18:58:44.538 +09:00",
    "RuleTitle": "PwSh Engine Started",
    "Level": "info",
    "Computer": "DESKTOP-ST69BPO",
    "Channel": "PwShClassic",
    "EventID": 400,
    "RuleAuthor": "Zach Mathis, Fukusuke Takahashi",
    "RuleModifiedDate": "2023/12/02",
    "Status": "test",
    "RecordID": 711,
    "Details": {
        "HostApplication": "powershell calc"
    },
    "ExtraFieldInfo": {
        "CommandLine": "",
        "CommandName": "",
        "CommandPath": "",
        "CommandType": "",
        "Data": ["Available", "NewEngineState=Available\\r\\n\\tPreviousEngineState=None\\r\\n\\r\\n\\tSequenceNumber=13\\r\\n\\r\\n\\tHostName=ConsoleHost\\r\\n\\tHostVersion=5.1.18362.145\\r\\n\\tHostId=64821494-0737-4ce9-ad67-3ac0e50a81b8\\r\\n\\tHostApplication=powershell calc\\r\\n\\tEngineVersion=5.1.18362.145\\r\\n\\tRunspaceId=74ae21ca-7fa9-40cc-a265-7a41fdb168a6\\r\\n\\tPipelineId=\\r\\n\\tCommandName=\\r\\n\\tCommandType=\\r\\n\\tScriptName=\\r\\n\\tCommandPath=\\r\\n\\tCommandLine=", "None"],
        "EngineVersion": "5.1.18362.145",
        "HostId": "64821494-0737-4ce9-ad67-3ac0e50a81b8",
        "HostName": "ConsoleHost",
        "HostVersion": "5.1.18362.145",
        "NewEngineState": "Available",
        "PipelineId": "",
        "PreviousEngineState": "None",
        "RunspaceId": "74ae21ca-7fa9-40cc-a265-7a41fdb168a6",
        "ScriptName": "",
        "SequenceNumber": 13
    },
    "OtherTags": [
        "PwShClassic"
    ],
    "Provider": "PwrShell",
    "RuleCreationDate": "2023/11/09",
    "RuleFile": "PwShClassic_400_Info_PwShEngineStarted.yml",
    "EvtxFile": "../hayabusa-sample-evtx/YamatoSecurity/ImpairDefenses/T1562.010_DowngradeAttack_PowerShell.evtx"
}
{
    "Timestamp": "2021-01-28 19:22:26.382 +09:00",
    "RuleTitle": "PwSh Engine Started",
    "Level": "info",
    "Computer": "DESKTOP-ST69BPO",
    "Channel": "PwShClassic",
    "EventID": 400,
    "RuleAuthor": "Zach Mathis, Fukusuke Takahashi",
    "RuleModifiedDate": "2023/12/02",
    "Status": "test",
    "RecordID": 720,
    "Details": {
        "HostApplication": "C:\\Windows\\System32\\sdiagnhost.exe -Embedding"
    },
    "ExtraFieldInfo": {
        "CommandLine": "",
        "CommandName": "",
        "CommandPath": "",
        "CommandType": "",
        "Data": ["Available", "NewEngineState=Available\\r\\n\\tPreviousEngineState=None\\r\\n\\r\\n\\tSequenceNumber=22\\r\\n\\r\\n\\tHostName=Default Host\\r\\n\\tHostVersion=5.1.18362.145\\r\\n\\tHostId=00e06fdc-c31b-4d3a-ab93-1324abb766a7\\r\\n\\tHostApplication=C:\\Windows\\System32\\sdiagnhost.exe -Embedding\\r\\n\\tEngineVersion=5.1.18362.145\\r\\n\\tRunspaceId=7d995610-1656-4675-a6fd-458a9f4f8b7c\\r\\n\\tPipelineId=\\r\\n\\tCommandName=\\r\\n\\tCommandType=\\r\\n\\tScriptName=\\r\\n\\tCommandPath=\\r\\n\\tCommandLine=", "None"],
        "EngineVersion": "5.1.18362.145",
        "HostId": "00e06fdc-c31b-4d3a-ab93-1324abb766a7",
        "HostName": "Default Host",
        "HostVersion": "5.1.18362.145",
        "NewEngineState": "Available",
        "PipelineId": "",
        "PreviousEngineState": "None",
        "RunspaceId": "7d995610-1656-4675-a6fd-458a9f4f8b7c",
        "ScriptName": "",
        "SequenceNumber": 22
    },
    "OtherTags": [
        "PwShClassic"
    ],
    "Provider": "PwrShell",
    "RuleCreationDate": "2023/11/09",
    "RuleFile": "PwShClassic_400_Info_PwShEngineStarted.yml",
    "EvtxFile": "../hayabusa-sample-evtx/YamatoSecurity/ImpairDefenses/T1562.010_DowngradeAttack_PowerShell.evtx"
}
{
    "Timestamp": "2021-01-28 19:40:54.884 +09:00",
    "RuleTitle": "PwSh Engine Started",
    "Level": "info",
    "Computer": "DESKTOP-ST69BPO",
    "Channel": "PwShClassic",
    "EventID": 400,
    "RuleAuthor": "Zach Mathis, Fukusuke Takahashi",
    "RuleModifiedDate": "2023/12/02",
    "Status": "test",
    "RecordID": 729,
    "Details": {
        "HostApplication": "n/a"
    },
    "ExtraFieldInfo": {
        "CommandLine": "",
        "CommandName": "",
        "CommandPath": "",
        "CommandType": "",
        "Data": ["Available", "NewEngineState=Available\\n\\tPreviousEngineState=None\\n\\n\\tSequenceNumber=9\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=2.0\\n\\tHostId=5cbb33bf-acf7-47cc-9242-141cd0ba9f0c\\n\\tEngineVersion=2.0\\n\\tRunspaceId=c6e94dca-0daf-418c-860a-f751a9f2cbe1\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=", "None"],
        "EngineVersion": "2.0",
        "HostId": "5cbb33bf-acf7-47cc-9242-141cd0ba9f0c",
        "HostName": "ConsoleHost",
        "HostVersion": "2.0",
        "NewEngineState": "Available",
        "PipelineId": "",
        "PreviousEngineState": "None",
        "RunspaceId": "c6e94dca-0daf-418c-860a-f751a9f2cbe1",
        "ScriptName": "",
        "SequenceNumber": 9
    },
    "OtherTags": [
        "PwShClassic"
    ],
    "Provider": "PwrShell",
    "RuleCreationDate": "2023/11/09",
    "RuleFile": "PwShClassic_400_Info_PwShEngineStarted.yml",
    "EvtxFile": "../hayabusa-sample-evtx/YamatoSecurity/ImpairDefenses/T1562.010_DowngradeAttack_PowerShell.evtx"
}

Rule Authors:

╭──────────────────────────────────────────╮
│ Zach Mathis (1)   Fukusuke Takahashi (1) │
╰─────────────────╌────────────────────────╯

Results Summary:

Events with hits / Total events: 3 / 26 (Data reduction: 23 events (88.46%))

Total | Unique detections: 3 | 1
Total | Unique critical detections: 0 (0.00%) | 0 (0.00%)
Total | Unique high detections: 0 (0.00%) | 0 (100.00%)
Total | Unique medium detections: 0 (0.00%) | 0 (0.00%)
Total | Unique low detections: 0 (0.00%) | 0 (0.00%)
Total | Unique informational detections: 3 (100.00%) | 1 (0.00%)

Dates with most total detections:
critical: n/a, high: n/a, medium: n/a, low: n/a, informational: 2021-01-28 (3)

Top 5 computers with most unique detections:
critical: n/a
high: n/a
medium: n/a
low: n/a
informational: DESKTOP-ST69BPO (1)

╭──────────────────────────────────────────────╮
│ Top critical alerts:        Top high alerts: │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ n/a                         n/a              │
│ n/a                         n/a              │
│ n/a                         n/a              │
│ n/a                         n/a              │
│ n/a                         n/a              │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top medium alerts:          Top low alerts:  │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ n/a                         n/a              │
│ n/a                         n/a              │
│ n/a                         n/a              │
│ n/a                         n/a              │
│ n/a                         n/a              │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top informational alerts:                    │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ PwSh Engine Started (3)     n/a              │
│ n/a                         n/a              │
│ n/a                         n/a              │
│ n/a                         n/a              │
│ n/a                         n/a              │
╰───────────────────────────╌──────────────────╯

@fukusuket
Copy link
Collaborator Author

fukusuket commented Aug 16, 2024
edited
Loading

re|i

https://docs.rs/regex/latest/regex/#grouping-and-flags

i case-insensitive: letters match both upper and lower case

title: Windash TEST
id: 0550d910-7787-4892-9791-c1c6a26ec16a
status: test
author: TEST
logsource:
    product: windows
    category: powershell
detection:
    selection:
        EventID: 400
        Channel: 'Windows PowerShell'
        Data|re|i: "SEQUENCENUMBER=9"
    condition: selection
level: informational
% ./hayabusa json-timeline -p super-verbose -f ../hayabusa-sample-evtx/YamatoSecurity/ImpairDefenses/T1562.010_DowngradeAttack_PowerShell.evtx -e informational -w -q -r test-i.yml
Start time: 2024/08/16 10:28

Total event log files: 1
Total file size: 69.6 KB

Loading detection rules. Please wait.


Test rules: 1 (100.00%)

Other rules: 1
Total detection rules: 1

Creating the channel filter. Please wait.

Evtx files loaded after channel filter: 1
Detection rules enabled after channel filter: 1

Output profile: super-verbose

Scanning in progress. Please wait.

{
    "Timestamp": "2021-01-28 19:40:54.884 +09:00",
    "RuleTitle": "Windash TEST",
    "Level": "info",
    "Computer": "DESKTOP-ST69BPO",
    "Channel": "PwShClassic",
    "EventID": 400,
    "RuleAuthor": "TEST",
    "RuleModifiedDate": "-",
    "Status": "test",
    "RecordID": 729,
    "Details": {},
    "ExtraFieldInfo": {
        "CommandLine": "",
        "CommandName": "",
        "CommandPath": "",
        "CommandType": "",
        "Data[1]": "Available",
        "Data[2]": "None",
        "Data[3]": "NewEngineState=Available\\n\\tPreviousEngineState=None\\n\\n\\tSequenceNumber=9\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=2.0\\n\\tHostId=5cbb33bf-acf7-47cc-9242-141cd0ba9f0c\\n\\tEngineVersion=2.0\\n\\tRunspaceId=c6e94dca-0daf-418c-860a-f751a9f2cbe1\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=",
        "EngineVersion": "2.0",
        "HostId": "5cbb33bf-acf7-47cc-9242-141cd0ba9f0c",
        "HostName": "ConsoleHost",
        "HostVersion": "2.0",
        "NewEngineState": "Available",
        "PipelineId": "",
        "PreviousEngineState": "None",
        "RunspaceId": "c6e94dca-0daf-418c-860a-f751a9f2cbe1",
        "ScriptName": "",
        "SequenceNumber": 9
    },
    "Provider": "PwrShell",
    "RuleCreationDate": "-",
    "RuleFile": "test-i.yml",
    "EvtxFile": "../hayabusa-sample-evtx/YamatoSecurity/ImpairDefenses/T1562.010_DowngradeAttack_PowerShell.evtx"
}
...

Total | Unique detections: 1 | 1
Total | Unique critical detections: 0 (0.00%) | 0 (0.00%)
Total | Unique high detections: 0 (0.00%) | 0 (100.00%)
Total | Unique medium detections: 0 (0.00%) | 0 (0.00%)
Total | Unique low detections: 0 (0.00%) | 0 (0.00%)
Total | Unique informational detections: 1 (100.00%) | 1 (0.00%)
...
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top informational alerts:                    │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Windash TEST (1)            n/a              │
│ n/a                         n/a              │
│ n/a                         n/a              │
...

@fukusuket
Copy link
Collaborator Author

fukusuket commented Aug 16, 2024
edited
Loading

re|m

https://docs.rs/regex/latest/regex/#grouping-and-flags

m multi-line mode: ^ and $ match begin/end of line

title: Windash TEST
id: 0550d910-7787-4892-9791-c1c6a26ec16a
status: test
author: TEST
logsource:
    product: windows
    category: powershell
detection:
    selection:
        EventID: 400
        Channel: 'Windows PowerShell'
        Data|re|m: "^.SequenceNumber=9$"
    condition: selection
level: informational
% ./hayabusa json-timeline -p super-verbose -f ../hayabusa-sample-evtx/YamatoSecurity/ImpairDefenses/T1562.010_DowngradeAttack_PowerShell.evtx -e informational -w -q -r test-m.yml
Start time: 2024/08/16 10:19

Total event log files: 1
Total file size: 69.6 KB

Loading detection rules. Please wait.


Test rules: 1 (100.00%)

Other rules: 1
Total detection rules: 1

Creating the channel filter. Please wait.

Evtx files loaded after channel filter: 1
Detection rules enabled after channel filter: 1

Output profile: super-verbose

Scanning in progress. Please wait.

{
    "Timestamp": "2021-01-28 19:40:54.884 +09:00",
    "RuleTitle": "Windash TEST",
    "Level": "info",
    "Computer": "DESKTOP-ST69BPO",
    "Channel": "PwShClassic",
    "EventID": 400,
    "RuleAuthor": "TEST",
    "RuleModifiedDate": "-",
    "Status": "test",
    "RecordID": 729,
    "Details": {},
    "ExtraFieldInfo": {
        "CommandLine": "",
        "CommandName": "",
        "CommandPath": "",
        "CommandType": "",
        "Data[1]": "Available",
        "Data[2]": "None",
        "Data[3]": "NewEngineState=Available\\n\\tPreviousEngineState=None\\n\\n\\tSequenceNumber=9\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=2.0\\n\\tHostId=5cbb33bf-acf7-47cc-9242-141cd0ba9f0c\\n\\tEngineVersion=2.0\\n\\tRunspaceId=c6e94dca-0daf-418c-860a-f751a9f2cbe1\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=",
        "EngineVersion": "2.0",
        "HostId": "5cbb33bf-acf7-47cc-9242-141cd0ba9f0c",
        "HostName": "ConsoleHost",
        "HostVersion": "2.0",
        "NewEngineState": "Available",
        "PipelineId": "",
        "PreviousEngineState": "None",
        "RunspaceId": "c6e94dca-0daf-418c-860a-f751a9f2cbe1",
        "ScriptName": "",
        "SequenceNumber": 9
    },
    "Provider": "PwrShell",
    "RuleCreationDate": "-",
    "RuleFile": "test-m.yml",
    "EvtxFile": "../hayabusa-sample-evtx/YamatoSecurity/ImpairDefenses/T1562.010_DowngradeAttack_PowerShell.evtx"
}

...

Total | Unique detections: 1 | 1
Total | Unique critical detections: 0 (0.00%) | 0 (0.00%)
Total | Unique high detections: 0 (0.00%) | 0 (100.00%)
Total | Unique medium detections: 0 (0.00%) | 0 (0.00%)
Total | Unique low detections: 0 (0.00%) | 0 (0.00%)
Total | Unique informational detections: 1 (100.00%) | 1 (0.00%)

...

├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top informational alerts:                    │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Windash TEST (1)            n/a              │
│ n/a                         n/a              │
│ n/a                         n/a              │

@fukusuket
Copy link
Collaborator Author

fukusuket commented Aug 16, 2024
edited
Loading

re|s

https://docs.rs/regex/latest/regex/#grouping-and-flags

s allow . to match \n

title: Windash TEST
id: 0550d910-7787-4892-9791-c1c6a26ec16a
status: test
author: TEST
logsource:
    product: windows
    category: powershell
detection:
    selection:
        EventID: 400
        Channel: 'Windows PowerShell'
        Data|re|s: "None...SequenceNumber=9...HostName"
    condition: selection
level: informational
% ./hayabusa json-timeline -p super-verbose -f ../hayabusa-sample-evtx/YamatoSecurity/ImpairDefenses/T1562.010_DowngradeAttack_PowerShell.evtx -e informational -w -q -r test-s.yml
Start time: 2024/08/16 10:27

Total event log files: 1
Total file size: 69.6 KB

Loading detection rules. Please wait.


Test rules: 1 (100.00%)

Other rules: 1
Total detection rules: 1

Creating the channel filter. Please wait.

Evtx files loaded after channel filter: 1
Detection rules enabled after channel filter: 1

Output profile: super-verbose

Scanning in progress. Please wait.

{
    "Timestamp": "2021-01-28 19:40:54.884 +09:00",
    "RuleTitle": "Windash TEST",
    "Level": "info",
    "Computer": "DESKTOP-ST69BPO",
    "Channel": "PwShClassic",
    "EventID": 400,
    "RuleAuthor": "TEST",
    "RuleModifiedDate": "-",
    "Status": "test",
    "RecordID": 729,
    "Details": {},
    "ExtraFieldInfo": {
        "CommandLine": "",
        "CommandName": "",
        "CommandPath": "",
        "CommandType": "",
        "Data[1]": "Available",
        "Data[2]": "None",
        "Data[3]": "NewEngineState=Available\\n\\tPreviousEngineState=None\\n\\n\\tSequenceNumber=9\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=2.0\\n\\tHostId=5cbb33bf-acf7-47cc-9242-141cd0ba9f0c\\n\\tEngineVersion=2.0\\n\\tRunspaceId=c6e94dca-0daf-418c-860a-f751a9f2cbe1\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=",
        "EngineVersion": "2.0",
        "HostId": "5cbb33bf-acf7-47cc-9242-141cd0ba9f0c",
        "HostName": "ConsoleHost",
        "HostVersion": "2.0",
        "NewEngineState": "Available",
        "PipelineId": "",
        "PreviousEngineState": "None",
        "RunspaceId": "c6e94dca-0daf-418c-860a-f751a9f2cbe1",
        "ScriptName": "",
        "SequenceNumber": 9
    },
    "Provider": "PwrShell",
    "RuleCreationDate": "-",
    "RuleFile": "test-s.yml",
    "EvtxFile": "../hayabusa-sample-evtx/YamatoSecurity/ImpairDefenses/T1562.010_DowngradeAttack_PowerShell.evtx"
}
...
Total | Unique detections: 1 | 1
Total | Unique critical detections: 0 (0.00%) | 0 (0.00%)
Total | Unique high detections: 0 (0.00%) | 0 (100.00%)
Total | Unique medium detections: 0 (0.00%) | 0 (0.00%)
Total | Unique low detections: 0 (0.00%) | 0 (0.00%)
Total | Unique informational detections: 1 (100.00%) | 1 (0.00%)
...
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top informational alerts:                    │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Windash TEST (1)            n/a              │
│ n/a                         n/a              │
│ n/a                         n/a              │
...

@fukusuket fukusuket marked this pull request as ready for review August 16, 2024 01:32
YamatoSecurity
YamatoSecurity approved these changes Aug 16, 2024
View reviewed changes
Copy link
Collaborator

@YamatoSecurity YamatoSecurity left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@fukusuket LGTM! Thanks so much for the super quick PR!

@YamatoSecurity YamatoSecurity merged commit be52cf5 into main Aug 16, 2024
5 checks passed
@YamatoSecurity YamatoSecurity deleted the 1396-re-sub-modifier branch August 16, 2024 04:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@YamatoSecurity YamatoSecurity YamatoSecurity approved these changes

@hitenkoku hitenkoku hitenkoku approved these changes

Assignees

@fukusuket fukusuket

Labels
enhancement New feature or request
Projects
None yet
Milestone
v2.17.0
Development

Successfully merging this pull request may close these issues.

Support sigma V2 |re sub-modifiers
3 participants
@fukusuket @hitenkoku @YamatoSecurity