[sigmac] [splunk] Unescaped . in query

[phantinuss]

Hi,

I think .s should be escaped in Splunk searches.

I create a query:

sigmac -t splunk -c tools/config/splunk-windows.yml rules/windows/process_creation/proc_creation_win_commandline_path_traversal.yml
((((ParentCommandLine="*cmd*" ParentCommandLine="*/c*" CommandLine="*/../../*")) NOT (((CommandLine="*\\Tasktop\\keycloak\\bin\\/../../jre\\bin\\java*")))))

and paste it to Splunk and start the search and the dots are removed:

When I escape the dots with \ the query seems to be functional

[phantinuss]

Or maybe the / is the character which has to be escaped?

[thomaspatzke]

Just verified here, same behavior. Agreed, this must be fixed.

[frack113]

Find this https://research.splunk.com/application/dfe55688-82ed-4d24-a21b-ed8f0e0fda99/
search "\/..\/..\/..\/..\/..\/..\/..\/..\/..\/"

[nasbench]

There is no mention of the dot or forward slash as characters that need to be escaped in an SPL search query. See here

[phantinuss]

As you can see in the screenshot of the first post it is an issue, documented or not. And the solution to escape / will work at least in all the cases I tested. Adding an unneeded but valid escape shouldn't break things. And in some cases (see first screenshot) it is needed.

[thomaspatzke]

Seem to have disappeared in Splunk 9.x.