From e52f29dda997cdb3fa084555c0cdcaeee6a73a5d Mon Sep 17 00:00:00 2001
From: Maxime Lamothe-Brassard
Date: Wed, 30 Oct 2019 15:23:56 -0500
Subject: [PATCH] Fix matches operator field set to value instead of re.
---
 tools/sigma/backends/limacharlie.py | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/tools/sigma/backends/limacharlie.py b/tools/sigma/backends/limacharlie.py
index 3180e2a83..db68f8829 100644
--- a/tools/sigma/backends/limacharlie.py
+++ b/tools/sigma/backends/limacharlie.py
@@ -292,11 +292,15 @@ class LimaCharlieBackend(BaseBackend):
 mappedFiltered = []
 for k in filtered:
 op, newVal = self._valuePatternToLcOp(k)
- mappedFiltered.append({
+ newOp = {
 "op": op,
 "path": self._fieldMappingInEffect["keywords"],
- "value": newVal,
- })
+ }
+ if op == "matches":
+ newOp["re"] = newVal
+ else:
+ newOp["value"] = newVal
+ mappedFiltered.append(newOp)
 filtered = mappedFiltered
 if 1 == len(filtered):
 return filtered[0]
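Review bot: The `if op == "matches":` branch hard-codes at this one call site which operator carries its pattern in `re`, and nothing in the code says why. Any other place that builds an op dict from `_valuePatternToLcOp` (none is visible in this hunk) could still emit `value` for a regex operator. I would add `# "matches" reads its pattern from "re"; every other operator reads "value".` above the branch, and if the same dict is built elsewhere in the file, move the key choice into one small helper shared by those sites. A regression test that translates a wildcard keyword and asserts the resulting node has `re` and no `value` would also help, since a mistranslated detection rule presumably fails quietly as "no alert" rather than as an error. The enclosing method starts and ends outside the hunk.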