From 30b6db8299732ef5466fbede7d8e998d0a623b60 Mon Sep 17 00:00:00 2001
From: Thomas Patzke <thomas@patzke.org>
Date: Thu, 5 Sep 2019 12:55:10 +0200
Subject: [PATCH] Fixed ES backend keyword field mapping wildcard match pattern

---
 tools/sigma/backends/elasticsearch.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py
index 35809162b..297de2054 100644
--- a/tools/sigma/backends/elasticsearch.py
+++ b/tools/sigma/backends/elasticsearch.py
@@ -35,7 +35,7 @@ class ElasticsearchWildcardHandlingMixin(object):
             ("keyword_field", "keyword", "Keyword sub-field name", None),
             ("keyword_blacklist", None, "Fields that don't have a keyword subfield (wildcards * and ? allowed)", None)
             )
-    reContainsWildcard = re.compile("(?<!\\\\)[*?]").search
+    reContainsWildcard = re.compile("(?:(?<!\\\\)|\\\\\\\\)[*?]").search
 
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
@@ -48,7 +48,8 @@ class ElasticsearchWildcardHandlingMixin(object):
     def containsWildcard(self, value):
         """Determine if value contains wildcard."""
         if type(value) == str:
-            return self.reContainsWildcard(value)
+            res = self.reContainsWildcard(value)
+            return res
         else:
             return False