security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Logsource condition applied once in nested expression

Browse Source
This commit is contained in:
stbe
2021-12-06 14:23:51 +01:00
parent 4d0eb604af
commit be579910bb
1 changed files with 10 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tools/sigma/parser/condition.py
+10 -9
View File
@@ -516,7 +516,7 @@ class SigmaConditionParser:
self.parsedSearch = self.parseSearch(tokens)
self.parsedAgg = None
def parseSearch(self, tokens):
def parseSearch(self, tokens, depth=0):
"""
Iterative parsing of search expression.
"""
@@ -561,7 +561,7 @@ class SigmaConditionParser:
if lPos > rPos:
raise SigmaParseError("Closing parentheses at position " + str(rTok.pos) + " precedes opening at position " + str(lTok.pos))
subparsed = self.parseSearch(tokens[lPos + 1:rPos])
subparsed = self.parseSearch(tokens[lPos + 1:rPos], depth=depth+1)
tokens = tokens[:lPos] + NodeSubexpression(subparsed) + tokens[rPos + 1:] # replace parentheses + expression with group node that contains parsed subexpression
# 2. Iterate over all known operators in given precedence
@@ -590,13 +590,14 @@ class SigmaConditionParser:
raise ValueError("Parse tree must have exactly one start node!")
query_cond = tokens[0]
# 4. Integrate conditions from logsources in configurations
ls_cond = self.sigmaParser.get_logsource_condition()
if ls_cond is not None:
cond = ConditionAND()
cond.add(ls_cond)
cond.add(query_cond)
query_cond = cond
# 4. Integrate conditions from logsources in configurations to outermost expression
if depth == 0:
ls_cond = self.sigmaParser.get_logsource_condition()
if ls_cond is not None:
cond = ConditionAND()
cond.add(ls_cond)
cond.add(query_cond)
query_cond = cond
return self._optimizer.optimizeTree(query_cond)