From bb758bdb0fefd337d88838375838d2a42a8af440 Mon Sep 17 00:00:00 2001
From: frack113
Date: Wed, 20 Oct 2021 21:20:04 +0200
Subject: [PATCH] manage start end regex
---
tools/sigma/backends/elasticsearch.py | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py
index ab48a9e16..1ed69e2ce 100644
--- a/tools/sigma/backends/elasticsearch.py
+++ b/tools/sigma/backends/elasticsearch.py
@@ -153,6 +153,15 @@ class ElasticsearchWildcardHandlingMixin(object):
elif type(value) == list:
return self.generateMapItemListNode(transformed_fieldname, value)
elif isinstance(value, SigmaTypeModifier):
+ #On elastic can not use ^ or $ re is full match
+ if isinstance(value,sigma.parser.modifiers.type.SigmaRegularExpressionModifier):
+ the_regex = value.value
+ if the_regex[0]=="^" and the_regex[-1]=="$":
+ value.value = the_regex[1:-1]
+ elif the_regex[0]=="^":
+ value.value = the_regex[1:] if the_regex[-2:] == ".*" else the_regex[1:] + ".*"
+ elif the_regex[-1]=="$":
+ value.value = the_regex[:-1] if the_regex[:2] == ".*" else ".*" +the_regex[:-1]
return self.generateMapItemTypedNode(transformed_fieldname, value)
elif value is None:
return self.nullExpression % (transformed_fieldname, )
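Review bot: The anchor test `the_regex[-1]=="$"` (used in the first and third new branches) also fires on an escaped literal dollar such as `foo\$`, and the slice then leaves a dangling backslash, so a valid detection regex is silently rewritten into a broken or differently-matching one rather than failing loudly. A cheap guard is to treat a `$` preceded by a backslash as literal, e.g. `ends = the_regex.endswith("$") and not the_regex.endswith("\\$")` (a backslash count would additionally cover the rarer `\\$`), and to use `startswith("^")` / `endswith("$")` instead of `the_regex[0]` / `the_regex[-1]` so an empty `value.value` does not raise IndexError. The two single-anchor branches pad the open side with `.*`, which implies a pattern with neither anchor should become `.*pat.*` as well; as written that case falls through unchanged, so it should be confirmed against the full-match semantics the added comment describes. The enclosing method starts and ends outside the hunk.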