From 2a3acd7d119f561bc9f17bac2de6bd4fc2f3ca16 Mon Sep 17 00:00:00 2001
From: Theo Guidoux
Date: Mon, 16 Aug 2021 19:32:54 +0200
Subject: [PATCH] add selection flag for backward compatibility

---
 tools/sigma/backends/sql.py | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/tools/sigma/backends/sql.py b/tools/sigma/backends/sql.py
index f18cac2fd..b31fba2b8 100644
--- a/tools/sigma/backends/sql.py
+++ b/tools/sigma/backends/sql.py
@@ -46,7 +46,10 @@ class SQLBackend(SingleTextQueryBackend):
     options = SingleTextQueryBackend.options + (
         ("table", "eventlog", "Use this option to specify table name.", None),
         ("select", "*", "Use this option to specify fields you want to select. Example: \"--backend-option select=xxx,yyy\"", None),
+        ("selection", False, "Use this option to enable fields selection from Sigma rules.", None),
     )
+
+    selection_enabled = False
 
     def __init__(self, sigmaconfig, options):
 
@@ -62,6 +65,9 @@ class SQLBackend(SingleTextQueryBackend):
         else:
             self.select_fields = list()
 
+        if "selection" in options:
+            self.selection_enabled = True
+
     def generateANDNode(self, node):
         generated = [ self.generateNode(val) for val in node ]
         filtered = [ g for g in generated if g is not None ]
@@ -162,13 +168,19 @@ class SQLBackend(SingleTextQueryBackend):
         # Then add fields specified in the backend configuration
         fields.extend(self.select_fields)
 
+        # In case select is specified in backend option, we want to enable selection
+        if len(self.select_fields) > 0:
+            self.selection_enabled = True
+
         # Finally, in case fields is empty, add the default value
         if not fields:
             fields = list("*")
 
         for parsed in sigmaparser.condparsed:
-            #query = self.generateQuery(parsed)
-            query = self._generateQueryWithFields(parsed, fields)
+            if self.selection_enabled:
+                query = self._generateQueryWithFields(parsed, fields)
+            else:
+                query = self.generateQuery(parsed)
             before = self.generateBefore(parsed)
             after = self.generateAfter(parsed)
 
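Review bot: The added `if "selection" in options:` turns the flag on by mere presence of the key, so a value such as `selection=false` — or the declared default `False` from the first hunk, should defaults ever be merged into `options` — would still enable selection. `if options.get("selection"):` would at least honour a falsy value; if option values arrive as strings (not visible here) a literal `"false"` stays truthy, in which case the help text in the first hunk should state that passing the option at all enables it. The enclosing `__init__` starts outside the hunk, so how `options` is populated cannot be confirmed from this diff.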
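Review bot: The added `if len(self.select_fields) > 0: self.selection_enabled = True` mutates configuration state inside the generation method on every call, yet `select_fields` is fixed once in `__init__` (second hunk), so the decision belongs there next to the `"selection" in options` check, e.g. `if "selection" in options or self.select_fields: self.selection_enabled = True`, which also drops the `len(...) > 0` idiom in favour of truthiness. With that moved, the new `if self.selection_enabled:` / `else:` branch is the only change the loop needs; on the `else` path the `fields` list assembled above is built and never used, which deserves a one-line comment so the next reader does not treat it as a bug. Per the comments in this hunk the field names come from the rule and from backend options; whether `_generateQueryWithFields` quotes or validates them as SQL identifiers is outside this hunk, and a `# NOTE: fields are interpolated into the SELECT list — identifier validation lives in _generateQueryWithFields (confirm)` comment would make that dependency explicit. The enclosing method (presumably `generate`) starts before this hunk.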