From e9d163cdd1bbdf30ea4fd1b0fd9782f177b167ce Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Thu, 28 Oct 2021 19:46:36 +0200
Subject: [PATCH] add filter not status

---
 tools/sigma/filter.py | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/tools/sigma/filter.py b/tools/sigma/filter.py
index b99be7c0a..891b3e98b 100644
--- a/tools/sigma/filter.py
+++ b/tools/sigma/filter.py
@@ -32,6 +32,7 @@ class SigmaRuleFilter:
 self.minlevel = None
 self.maxlevel = None
 self.status = None
+self.notstatus = None
 self.tlp = None
 self.target = None
 self.logsources = list()
@@ -66,6 +67,10 @@ class SigmaRuleFilter:
 self.status = cond[cond.index("=") + 1:]
 if self.status not in self.STATES:
 raise SigmaRuleFilterParseException("Unknown status '%s' in condition '%s'" % (self.status, cond))
+elif cond.startswith("status!="):
+self.notstatus = cond[cond.index("=") + 1:]
+if self.notstatus not in self.STATES:
+raise SigmaRuleFilterParseException("Unknown status '%s' in condition '%s'" % (self.notstatus, cond))
 elif cond.startswith("tlp="):
 self.tlp = cond[cond.index("=") + 1:].upper() #tlp is always uppercase
 elif cond.startswith("target="):
@@ -117,6 +122,15 @@ class SigmaRuleFilter:
 return False # User wants status restriction, but it's not possible here
 if status != self.status:
 return False
+
+if self.notstatus is not None:
+try:
+status = yamldoc['status']
+except KeyError: # missing status
+return False # User wants status restriction, but it's not possible here
+if status == self.notstatus:
+return False
+
 # Tlp
 if self.tlp is not None:
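Review bot: In the new `if self.notstatus is not None:` block of the third hunk, a rule with no `status` field is rejected by the `except KeyError` branch, yet such a rule does not carry the excluded status, so a negative filter would normally be expected to keep it; the copied comment `# User wants status restriction, but it's not possible here` describes the positive `status=` case and does not explain this choice. If dropping status-less rules is intended, replace that comment with one that says so, e.g. `# status!=X also drops rules that declare no status`; otherwise use `except KeyError: status = None` so the following equality test lets the rule through. The flattened patch text does not show the block's indentation, so it is worth confirming it sits at the same level as `if self.status is not None:` rather than inside it, since nesting it there would make `status!=` take effect only when `status=` is also given. The enclosing method starts and ends outside the hunk.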