
Fix sense of multiple regexp in all() function #2014

Merged
merged 1 commit into from
Aug 23, 2022

Conversation

scudette
Contributor

Now all regex must match all items.

@mgreen27 mgreen27 merged commit ffbf3f4 into master Aug 23, 2022
@mgreen27 mgreen27 deleted the all2 branch August 23, 2022 06:19
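The description above fixes the quantifier of the VQL all() function so that every regex must match every item. As an added illustration of that sense (this is not Velociraptor's VQL implementation, and the VQL function's own argument names are not shown here), the Go snippet below compiles a list of patterns once and applies them to a set of rows the way a single `WHERE all(...)` clause would replace a chain of AND clauses. The sample command lines, the pattern list and the vacuous-truth behaviour on empty lists are this example's own choices, not claims about the project.

```go
package main

import (
	"fmt"
	"regexp"
)

// AllMatcher holds a set of compiled regular expressions. It is an added
// illustration (not Velociraptor code) of the semantics the PR states for
// the VQL all() function: every regex must match every item.
type AllMatcher struct {
	res []*regexp.Regexp
}

// NewAllMatcher compiles each pattern once so a long regex list can be
// applied to many rows without recompiling per row. A bad pattern is
// reported up front rather than silently matching nothing.
func NewAllMatcher(patterns []string) (*AllMatcher, error) {
	m := &AllMatcher{}
	for _, p := range patterns {
		re, err := regexp.Compile(p)
		if err != nil {
			return nil, fmt.Errorf("pattern %q: %w", p, err)
		}
		m.res = append(m.res, re)
	}
	return m, nil
}

// All returns true only if every regex matches every item. An empty item
// list or an empty regex list is vacuously true here (a universal
// quantifier); that is this example's choice, not a statement about VQL.
func (m *AllMatcher) All(items []string) bool {
	for _, it := range items {
		for _, re := range m.res {
			if !re.MatchString(it) {
				return false
			}
		}
	}
	return true
}

// Constructed sample rows: process command lines invented for this example.
var sampleRows = map[string][]string{
	"signed-updaters": {
		`C:\Program Files\Vendor\updater.exe --quiet --check`,
		`C:\Program Files\Vendor\helper.exe --quiet --check`,
	},
	"mixed": {
		`C:\Program Files\Vendor\updater.exe --quiet --check`,
		`C:\Users\Public\dropper.exe --quiet`,
	},
}

// Evaluate applies the matcher to every named row set; the resulting bool
// per set is what a WHERE clause would select on.
func Evaluate(patterns []string) (map[string]bool, error) {
	m, err := NewAllMatcher(patterns)
	if err != nil {
		return nil, err
	}
	out := make(map[string]bool, len(sampleRows))
	for name, rows := range sampleRows {
		out[name] = m.All(rows)
	}
	return out, nil
}

func main() {
	// Three constraints that would otherwise be three AND clauses.
	patterns := []string{`(?i)^C:\\Program Files\\`, `--quiet`, `--check`}
	res, err := Evaluate(patterns)
	if err != nil {
		panic(err)
	}
	fmt.Println(res) // map[mixed:false signed-updaters:true]
}
```

The "mixed" set fails because one row lacks `--check`; under the opposite reading (each item needs only some regex) it would have passed, which is exactly the difference in sense the PR title is about.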
scudette added a commit that referenced this pull request Aug 30, 2022
* Refactor of oauth code (#1993)

Make cookie and JWT expiry configurable

* Send a System.Upload.Completion event on server artifact upload (#1995)

* Fixed CSS to make column selector more visible (#1996)

* Added new GUI column type for tree (#1997)

* Used by process_tracker_tree() to build a process tree
* Fixed linux pslist() which was very slow due to including a lot of
  unnecessary and expensive fields. We now only return the commonly
  used fields

* Collect domain role info on interrogate (#1998)

* Collect domain role info on interrogate

If populated on check in, domainrole can be used to auto-tag or filter down for certain hunts (i.e. Domain controllers)

Ref: https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-computersystem#:~:text=workgroup%20is%20returned.-,DomainRole,-Data%20type%3A

* Cleaned up domain role lookup and added a notebook suggestion

Co-authored-by: Mike Cohen <mike@velocidex.com>

* api/authenticators: fix handling of missing oauthstate cookie for OAUTH2 (#2000)

I was able to crash Velociraptor by requesting the github authenticator
callback URL directly with e.g. curl https://vrrserver/auth/github/callback

It turns out that there was no error handling if there is no 'oauthstate'
cookie provided as part of the request and we hit a nil pointer
dereference panic.  The Google and Azure authenticators had the same
issue.

This commit fixes all three and resolves #1999.

* Fixed bug in UserAccessLog artifact (#2008)

- IP field was not properly parsed - replaced with a parse_binary()
  version to ensure backwards compatibility.
- By default parse_ese() was using the "file" accessor which in 0.6.5
  was changed to not fallback to NTFS parsing. This means that since
  UAL files are locked, the parser was unable to access them. This PR
  sets the accessor to be "auto" explicitly thereby forcing the ntfs
  parsing if needed.

* Update UserAccessLogs.yaml (#2009)

Added rolename mappings and updated details.

* Fixed crash in api_client command (#2010)

Also allow the query command to specify an org id.

* Capitalize 'i' in config generation output (#2012)

* Added all() and any() VQL functions (#2013)

This makes it more efficient and simpler to filter by large number of
regex without adding a lot of AND clauses to the query.

* Fix sense of multiple regexp in all() function (#2014)

Now all regex must match all items.

* Cater for unknown parents in process tracker. (#2015)

When performing a full sync (e.g. pslist), some of the processes have
no valid parent at this time (because the parent e.g. exited).

We need to mark those unknown parents in case a new process reuses
those pids - in this case the process call chain can accidentally
include those parents.

* Bugfix: Raw file accessor had different behaviour on Windows (#2018)

* Refactor code to propagate the context in more cases. (#2019)

* Refactor code to propagate the context in more cases.

* Fixed tests

* update to clean up null fields (#2020)

* update to clean up null fields
* update to clean up null fields tests

* Add embedded stager parse usecase (#34) (#2023)

* Add embedded stager parse usecase

* Add some test fixes

* Add test results

* Add test fix

* Update Linux pslist() to use CommandLine column (#2024)

This brings it in line with the same column name on Windows.

Also fixed a crash in user_grant() due to insufficient error
checking.

Fixes: #2022

* Bugfix: Switch GUI to first available org (#2025)

When a user is created with no access to the root org, the GUI did not
automatically switch the user to their own org. This caused an issue
where the user was rejected (because by default they were trying to
access the root org) but there was no way to switch even manually to
the correct org.

This PR updates the user's preferences to the first available org
automatically allowing the user to log in and select other orgs
manually.

* Refactor client monitoring API to use service (#2027)

Also made maximum VFS directory size configurable.

Fixes: #2005

* Added regex protocols for int, float etc. (#2028)

* Bugfix: Maintain field order in sysmon based tracker (#2030)

When following ETW the EventData is an unordered map so we need to
explicitly build a dict() to maintain consistent ordering.

Also fixed bug in USN artifact

* Bugfix: watch_usn() was not flushing the mft LRU properly (#2032)

This caused it to stop emitting rows after a while because it was
unable to see new data.

* [Snyk] Upgrade ace-builds from 1.8.1 to 1.9.3 (#2033)

fix: upgrade ace-builds from 1.8.1 to 1.9.3

Snyk has created this PR to upgrade ace-builds from 1.8.1 to 1.9.3.

See this package in npm:
https://www.npmjs.com/package/ace-builds

See this project in Snyk:
https://app.snyk.io/org/scudette/project/76f4d127-566b-42ef-86f4-bdcbc92b90b4?utm_source=github&utm_medium=referral&page=upgrade-pr

* Prepare for the 0.6.6-rc2 release

Co-authored-by: svch0stz <8684257+svch0stz@users.noreply.github.com>
Co-authored-by: Jeff Mahoney <jeffm@suse.com>
Co-authored-by: baileys20055 <81445894+baileys20055@users.noreply.github.com>
Co-authored-by: weslambert <wlambertts@gmail.com>
Co-authored-by: Matthew Green <mgreen27@users.noreply.github.com>
Co-authored-by: Snyk bot <snyk-bot@snyk.io>
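The #2000 entry in the commit message above describes a crash when the OAuth2 callback URL is requested directly without the `oauthstate` cookie. As an added illustration of the check that closes that hole (this is not Velociraptor's authenticator code; the handler, the `Probe` helper and the cookie/state values are constructed for the example), the Go handler below looks the cookie up first and answers 400 when it is absent, then compares the cookie value against the `state` query parameter in constant time before doing anything else.

```go
package main

import (
	"crypto/subtle"
	"net/http"
	"net/http/httptest"
)

// stateCookie is the cookie name the commit message refers to. The handler
// below is an added illustration, not Velociraptor's authenticator code.
const stateCookie = "oauthstate"

// CallbackHandler sketches the check an OAuth2 redirect endpoint must make
// before it touches the cookie value: look the cookie up, and reject the
// request when it is missing instead of dereferencing a nil *http.Cookie.
func CallbackHandler(w http.ResponseWriter, r *http.Request) {
	c, err := r.Cookie(stateCookie)
	if err != nil { // http.ErrNoCookie: e.g. someone curled the callback directly
		http.Error(w, "missing oauth state cookie", http.StatusBadRequest)
		return
	}
	got := r.URL.Query().Get("state")
	// Constant-time compare so the check does not leak how much of the
	// state matched; an empty state is rejected outright.
	if got == "" || subtle.ConstantTimeCompare([]byte(got), []byte(c.Value)) != 1 {
		http.Error(w, "oauth state mismatch", http.StatusForbidden)
		return
	}
	// The authorization-code exchange with the provider would follow here.
	w.WriteHeader(http.StatusOK)
}

// Probe drives the handler in-process and returns the HTTP status. An empty
// cookie argument simulates the bare request to the callback URL.
func Probe(state, cookie string) int {
	req := httptest.NewRequest(http.MethodGet, "/auth/github/callback?state="+state, nil)
	if cookie != "" {
		req.AddCookie(&http.Cookie{Name: stateCookie, Value: cookie})
	}
	rec := httptest.NewRecorder()
	CallbackHandler(rec, req)
	return rec.Code
}

func main() {
	println(Probe("abc", ""))    // 400: no cookie, no panic
	println(Probe("abc", "xyz")) // 403: cookie present but state differs
	println(Probe("abc", "abc")) // 200: state round-trips correctly
}
```

The same pattern applies to each provider-specific callback: the cookie lookup error is the signal, and any path that reads `c.Value` must sit behind it.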