From a7ffb96b6b164e2ed2e9f958d07a0abe00c8501c Mon Sep 17 00:00:00 2001
From: Nate Guagenti
Date: Tue, 25 Aug 2020 13:10:25 -0400
Subject: [PATCH] elasticsearch regex escape of '.' for case insensitivity backend options

Signed-off-by: Nate Guagenti
---
 tools/sigma/backends/elasticsearch.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py
index 6667a79d0..115f31bfd 100644
--- a/tools/sigma/backends/elasticsearch.py
+++ b/tools/sigma/backends/elasticsearch.py
@@ -217,6 +217,8 @@ class ElasticsearchWildcardHandlingMixin(object):
 #value = re.sub( r"((?\\*", value )
 # Make upper/lower
 value = re.sub( r"[A-Za-z]", lambda x: "[" + x.group( 0 ).upper() + x.group( 0 ).lower() + "]", value )
+# Turn `.` into wildcard, only if odd number of '\'(because this would mean already escaped)
+value = re.sub( r"(((?\.", value )
 # Turn `*` into wildcard, only if odd number of '\'(because this would mean already escaped)
 value = re.sub( r"(((?.*", value )
 # Escape additional values that are treated as specific "operators" within Elastic. (ie: @, ?, &, <, >, and ~)
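Review bot: The comment on the added line ("Turn `.` into wildcard, only if odd number of '\'") is a copy of the `*` comment below it and states the opposite of what the new code does — the substitution visibly writes `\.`, i.e. it escapes the dot so the generated Elasticsearch regex matches a literal `.` instead of any single character, which is what the commit subject describes; as written, a reader would assume unescaped dots are meant to stay wildcards, which in a detection backend is exactly the difference between matching `cmd.exe` and also matching `cmdXexe`. Suggest replacing it with `# Escape a literal '.' so the Elastic regex does not treat it as "any character"; skip it when already escaped (odd number of preceding '\')`. The placement also looks deliberate: this line runs before the `*` -> `.*` conversion, and if it ever moved below it the dot introduced by `.*` would be escaped too, so a second line such as `# Must run before the '*' -> '.*' step below, or that dot gets escaped as well` would protect against a future reorder. The lookbehind in the quoted pattern appears mangled on this page, so the odd-backslash logic itself is not checked here. The enclosing method of ElasticsearchWildcardHandlingMixin starts and ends outside the hunk.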