Segfault when matching detection with a % symbol #17
Description
I'm using sigma-go along with the public Sigma process_creation rules and found several that segfault like this:
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x2 addr=0x0 pc=0x1025aca1c]
goroutine 1 [running]:
github.com/bradleyjkemp/sigma-go/evaluator.(*RuleEvaluator).getMatcherValues(0x140001ed3f8, {0x102639b78, 0x14000116000}, {{0x1400012c318, 0xb}, {0x1400013bf30, 0x1, 0x1}, {0x1400013bf40, 0x2, ...}})
/Users/jness/v/onprem/pkg/mod/github.com/bradleyjkemp/[email protected]/evaluator/evaluate_search.go:141 +0x1fc
github.com/bradleyjkemp/sigma-go/evaluator.RuleEvaluator.evaluateSearch({{{0x1400012c2e8, 0x13}, {{0x14000117760, 0x10}, {0x14000117740, 0x7}, {0x0, 0x0}, {0x0, 0x0}}, ...}, ...}, ...)
/Users/jness/v/onprem/pkg/mod/github.com/bradleyjkemp/[email protected]/evaluator/evaluate_search.go:121 +0x184
github.com/bradleyjkemp/sigma-go/evaluator.RuleEvaluator.Matches({{{0x1400012c2e8, 0x13}, {{0x14000117760, 0x10}, {0x14000117740, 0x7}, {0x0, 0x0}, {0x0, 0x0}}, ...}, ...}, ...)
/Users/jness/v/onprem/pkg/mod/github.com/bradleyjkemp/[email protected]/evaluator/evaluate.go:102 +0x148
main.main()
/Users/jness/v/onprem/src/veramine.com/cmd/util/sigmatest/main.go:105 +0x4f8
These two rules in particular:
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_control_panel_item.yml
Notice that both these rules are looking for fields with a %. When I remove those %s, it no longer segfaults.
CommandLine|contains:
- '\System32\'
- '%System%'
CommandLine|contains:
- 'C:\Users\Public\'
- '%public%'
- '\Desktop\'