security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add to ElasticsearchDSLBackend the logic to NOT quote an analyzed field if it contains wildcard, things such as '*' get treated as an exact match

Browse Source 
Signed-off-by: Nate Guagenti <neu5ron@users.noreply.github.com>
This commit is contained in:
Nate Guagenti
2021-01-18 07:01:50 -05:00
parent caf6586928
commit 36656c3fac
1 changed files with 12 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tools/sigma/backends/elasticsearch.py
+12 -4
View File
@@ -421,8 +421,12 @@ class ElasticsearchDSLBackend(DeepFieldMappingMixin, RulenameCommentMixin, Elast
queryType = 'wildcard'
value_cleaned = self.escapeSlashes(self.cleanValue(str(v)))
else:
queryType = 'match_phrase'
value_cleaned = self.cleanValue(str(v))
if self.containsWildcard(str(v)):
queryType = 'wildcard'
value_cleaned = self.escapeSlashes(self.cleanValue(str(v)))
else:
queryType = 'match_phrase'
value_cleaned = self.cleanValue(str(v))
res['bool']['should'].append({queryType: {key_mapped: value_cleaned}})
return res
elif value is None:
@@ -442,8 +446,12 @@ class ElasticsearchDSLBackend(DeepFieldMappingMixin, RulenameCommentMixin, Elast
queryType = 'wildcard'
value_cleaned = self.escapeSlashes(self.cleanValue(str(value)))
else:
queryType = 'match_phrase'
value_cleaned = self.cleanValue(str(value))
if self.containsWildcard(str(value)):
queryType = 'wildcard'
value_cleaned = self.escapeSlashes(self.cleanValue(str(value)))
else:
queryType = 'match_phrase'
value_cleaned = self.cleanValue(str(value))
return {queryType: {key_mapped: value_cleaned}}
elif isinstance(value, SigmaRegularExpressionModifier):
key_mapped = self.fieldNameMapping(key, value)