security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

add filter not status

Browse Source
This commit is contained in:
frack113
2021-10-28 19:46:36 +02:00
parent 8b86a79ef0
commit e9d163cdd1
1 changed files with 14 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tools/sigma/filter.py
+14
View File
@@ -32,6 +32,7 @@ class SigmaRuleFilter:
self.minlevel = None
self.maxlevel = None
self.status = None
self.notstatus = None
self.tlp = None
self.target = None
self.logsources = list()
@@ -66,6 +67,10 @@ class SigmaRuleFilter:
self.status = cond[cond.index("=") + 1:]
if self.status not in self.STATES:
raise SigmaRuleFilterParseException("Unknown status '%s' in condition '%s'" % (self.status, cond))
elif cond.startswith("status!="):
self.notstatus = cond[cond.index("=") + 1:]
if self.notstatus not in self.STATES:
raise SigmaRuleFilterParseException("Unknown status '%s' in condition '%s'" % (self.notstatus, cond))
elif cond.startswith("tlp="):
self.tlp = cond[cond.index("=") + 1:].upper() #tlp is always uppercase
elif cond.startswith("target="):
@@ -117,6 +122,15 @@ class SigmaRuleFilter:
return False # User wants status restriction, but it's not possible here
if status != self.status:
return False
if self.notstatus is not None:
try:
status = yamldoc['status']
except KeyError: # missing status
return False # User wants status restriction, but it's not possible here
if status == self.notstatus:
return False
# Tlp
if self.tlp is not None: