From 36656c3facb2f149cb5ed30e5a06cf27c49d81cf Mon Sep 17 00:00:00 2001
From: Nate Guagenti
Date: Mon, 18 Jan 2021 07:01:50 -0500
Subject: [PATCH] Add to ElasticsearchDSLBackend the logic to NOT quote an analyzed field if it contains wildcard, things such as '*' get treated as an exact match

Signed-off-by: Nate Guagenti
---
 tools/sigma/backends/elasticsearch.py | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py
index 1c8ab23b6..a5b6f3f27 100644
--- a/tools/sigma/backends/elasticsearch.py
+++ b/tools/sigma/backends/elasticsearch.py
@@ -421,8 +421,12 @@ class ElasticsearchDSLBackend(DeepFieldMappingMixin, RulenameCommentMixin, Elast
                     queryType = 'wildcard'
                     value_cleaned = self.escapeSlashes(self.cleanValue(str(v)))
                 else:
-                    queryType = 'match_phrase'
-                    value_cleaned = self.cleanValue(str(v))
+                    if self.containsWildcard(str(v)):
+                        queryType = 'wildcard'
+                        value_cleaned = self.escapeSlashes(self.cleanValue(str(v)))
+                    else:
+                        queryType = 'match_phrase'
+                        value_cleaned = self.cleanValue(str(v))
                 res['bool']['should'].append({queryType: {key_mapped: value_cleaned}})
             return res
         elif value is None:
@@ -442,8 +446,12 @@ class ElasticsearchDSLBackend(DeepFieldMappingMixin, RulenameCommentMixin, Elast
                 queryType = 'wildcard'
                 value_cleaned = self.escapeSlashes(self.cleanValue(str(value)))
             else:
-                queryType = 'match_phrase'
-                value_cleaned = self.cleanValue(str(value))
+                if self.containsWildcard(str(value)):
+                    queryType = 'wildcard'
+                    value_cleaned = self.escapeSlashes(self.cleanValue(str(value)))
+                else:
+                    queryType = 'match_phrase'
+                    value_cleaned = self.cleanValue(str(value))
             return {queryType: {key_mapped: value_cleaned}}
         elif isinstance(value, SigmaRegularExpressionModifier):
             key_mapped = self.fieldNameMapping(key, value)
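Review bot: Switching the non-keyword path to a `wildcard` query only half-solves the problem, because a `wildcard` query is not analyzed while the target field is: the pattern is compared against individual indexed tokens, which with a default analyzer are lower-cased and split on whitespace and punctuation, so a value such as `C:\Windows\*\cmd.exe` now compiles to a query that returns nothing and the rule silently never fires. The new `else` branch in this hunk deserves a comment to that effect, e.g. `# wildcard is not analyzed: on a text field the pattern must match one indexed token, so mixed-case or multi-token patterns will not hit`, and it is worth emitting a warning when this branch is taken so a rule author sees the detection gap instead of a clean conversion. `containsWildcard` is also evaluated on the raw `str(v)` rather than the cleaned value; whether it ignores escaped `\*`/`\?` is not visible here and should be confirmed, otherwise a literal asterisk in a rule flips the query type. The enclosing `for` loop and `if` open outside the hunk.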
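Review bot: The nested `if` added inside the `else` branch repeats the body of the enclosing `if` line for line (`queryType = 'wildcard'` / `value_cleaned = self.escapeSlashes(self.cleanValue(str(value)))`), and the same six lines are duplicated again in the list branch of the first hunk, so there are now two independent copies of the keyword/wildcard/phrase decision that can drift apart. The flatter form is to extend the condition of the enclosing `if` — which starts outside this hunk — with `or self.containsWildcard(str(value))` and drop the nested `if`/`else`, or to move the selection into one private helper that both the scalar and list paths call. Keeping that decision in a single place matters when the escaping rules change later, since a fix applied to one copy and not the other would change what a rule matches depending on whether its value is a list.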