From be579910bb2e55a3cbda2261186e0f19476f7267 Mon Sep 17 00:00:00 2001
From: stbe <6388196+stbe@users.noreply.github.com>
Date: Mon, 6 Dec 2021 14:23:51 +0100
Subject: [PATCH] Logsource condition applied once in nested expression
---
 tools/sigma/parser/condition.py | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/tools/sigma/parser/condition.py b/tools/sigma/parser/condition.py
index 67592c413..88cea01fe 100644
--- a/tools/sigma/parser/condition.py
+++ b/tools/sigma/parser/condition.py
@@ -516,7 +516,7 @@ class SigmaConditionParser:
 self.parsedSearch = self.parseSearch(tokens)
 self.parsedAgg = None
 
- def parseSearch(self, tokens):
+ def parseSearch(self, tokens, depth=0):
 """
 Iterative parsing of search expression.
 """
@@ -561,7 +561,7 @@ class SigmaConditionParser:
 if lPos > rPos:
 raise SigmaParseError("Closing parentheses at position " + str(rTok.pos) + " precedes opening at position " + str(lTok.pos))
 
- subparsed = self.parseSearch(tokens[lPos + 1:rPos])
+ subparsed = self.parseSearch(tokens[lPos + 1:rPos], depth=depth+1)
 tokens = tokens[:lPos] + NodeSubexpression(subparsed) + tokens[rPos + 1:] # replace parentheses + expression with group node that contains parsed subexpression
 
 # 2. Iterate over all known operators in given precedence
@@ -590,13 +590,14 @@ class SigmaConditionParser:
 raise ValueError("Parse tree must have exactly one start node!")
 query_cond = tokens[0]
 
- # 4. Integrate conditions from logsources in configurations
- ls_cond = self.sigmaParser.get_logsource_condition()
- if ls_cond is not None:
- cond = ConditionAND()
- cond.add(ls_cond)
- cond.add(query_cond)
- query_cond = cond
+ # 4. Integrate conditions from logsources in configurations to outermost expression
+ if depth == 0:
+ ls_cond = self.sigmaParser.get_logsource_condition()
+ if ls_cond is not None:
+ cond = ConditionAND()
+ cond.add(ls_cond)
+ cond.add(query_cond)
+ query_cond = cond
 
 return self._optimizer.optimizeTree(query_cond)
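Review bot: The new `depth` parameter of `parseSearch` is undocumented; the docstring still reads only `Iterative parsing of search expression.` and gives no hint that `depth` is the recursion level or that the configuration's logsource condition is merged in only when it is 0. I would extend the docstring with a parameter line such as `depth: recursion level; 0 denotes the outermost expression, the only level at which the logsource condition from the configuration is ANDed in.` Because the parameter is positional, an unrelated caller could also set it by accident and thereby drop the logsource filter; `def parseSearch(self, tokens, *, depth=0):` keeps every existing caller working while making the recursion-only argument explicit. The body of `parseSearch` continues outside this hunk.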
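Review bot: The `if depth == 0:` guard before the logsource integration means the condition that scopes the generated query to the rule's intended log source is now silently omitted whenever `parseSearch` is entered with a non-zero depth, and nothing in the hunk ties that to the recursive call alone — the correctness of the security-relevant filter rests on a counter threaded through recursion. A more robust shape is to keep `parseSearch` free of the logsource step altogether and do the wrapping once at the top-level call site in `__init__` (`self.parsedSearch = self.parseSearch(tokens)` in the first hunk), which removes the need for `depth` entirely; the optimizer is already reachable there as `self._optimizer`, since the original depth-0 path used it during that same call. If `depth` is kept, the comment `# 4. Integrate conditions from logsources in configurations to outermost expression` should also state why nested levels must skip it — the removed lines ANDed the same condition into every parenthesised subexpression, which presumably produced redundant clauses — so the check is not "simplified away" later. The enclosing method starts outside this hunk.
```python
        self.parsedSearch = self.parseSearch(tokens)
        # Apply the configuration's logsource condition exactly once, to the
        # outermost expression; nested subexpressions are parsed unscoped.
        ls_cond = self.sigmaParser.get_logsource_condition()
        if ls_cond is not None:
            cond = ConditionAND()
            cond.add(ls_cond)
            cond.add(self.parsedSearch)
            self.parsedSearch = self._optimizer.optimizeTree(cond)
        # … unchanged: remainder of __init__ …
```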