From 186583f78f3d690840f2269d1e3cbdb460c3b203 Mon Sep 17 00:00:00 2001
From: frack113
Date: Sun, 1 Aug 2021 16:14:51 +0200
Subject: [PATCH 1/2] fix the output not the core

---
 tools/sigma/backends/elasticsearch.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py
index 81b367a53..409b0e33e 100644
--- a/tools/sigma/backends/elasticsearch.py
+++ b/tools/sigma/backends/elasticsearch.py
@@ -1370,9 +1370,15 @@ class ElastalertBackend(DeepFieldMappingMixin, MultiRuleOutputMixin):
 
     def finalize(self):
         result = ""
+        rule_lst = []
         for rulename, rule in self.elastalert_alerts.items():
-            result += yaml.dump(rule, default_flow_style=False, width=10000)
-            result += '\n'
+            filter_data = rule['filter']
+            if filter_data in rule_lst:
+                pass
+            else:
+                result += yaml.dump(rule, default_flow_style=False, width=10000)
+                result += '\n'
+                rule_lst.append(filter_data)
         return result
 
 class ElastalertBackendDsl(ElastalertBackend, ElasticsearchDSLBackend):

From 359dd6bbb86b720d4e792a332c4969ccb78e43dc Mon Sep 17 00:00:00 2001
From: frack113
Date: Sun, 1 Aug 2021 19:34:07 +0200
Subject: [PATCH 2/2] fix my code

---
 tools/sigma/backends/elasticsearch.py | 14 ++++----------
 tools/sigma/sigmac.py | 28 ++++++++++++++++++++++-----
 2 files changed, 27 insertions(+), 15 deletions(-)

diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py
index 409b0e33e..b00a11072 100644
--- a/tools/sigma/backends/elasticsearch.py
+++ b/tools/sigma/backends/elasticsearch.py
@@ -300,6 +300,7 @@ class ElasticsearchQuerystringBackend(DeepFieldMappingMixin, ElasticsearchWildca
             return result
         else:
             return super().generateSubexpressionNode(node)
+
 class ElasticsearchQuerystringBackendLogRhythm(DeepFieldMappingMixin, ElasticsearchWildcardHandlingMixin, SingleTextQueryBackend):
     """Converts Sigma rule into Lucene query string for LogRhythm. Only searches, no aggregations."""
     identifier = "es-qs-lr"
@@ -365,8 +366,7 @@ class ElasticsearchQuerystringBackendLogRhythm(DeepFieldMappingMixin, Elasticsea
             return result
         else:
             return super().generateSubexpressionNode(node)
-
-
+
 class ElasticsearchEQLBackend(DeepFieldMappingMixin, ElasticsearchWildcardHandlingMixin, SingleTextQueryBackend):
     """Converts Sigma rule into EQL."""
     identifier = "es-eql"
@@ -1370,15 +1370,9 @@ class ElastalertBackend(DeepFieldMappingMixin, MultiRuleOutputMixin):
 
     def finalize(self):
         result = ""
-        rule_lst = []
         for rulename, rule in self.elastalert_alerts.items():
-            filter_data = rule['filter']
-            if filter_data in rule_lst:
-                pass
-            else:
-                result += yaml.dump(rule, default_flow_style=False, width=10000)
-                result += '\n'
-                rule_lst.append(filter_data)
+            result += yaml.dump(rule, default_flow_style=False, width=10000)
+            result += '\n'
         return result
 
 class ElastalertBackendDsl(ElastalertBackend, ElasticsearchDSLBackend):
diff --git a/tools/sigma/sigmac.py b/tools/sigma/sigmac.py
index 50196933b..0da400c2b 100755
--- a/tools/sigma/sigmac.py
+++ b/tools/sigma/sigmac.py
@@ -33,6 +33,7 @@ from sigma.backends.base import BackendOptions
 from sigma.backends.exceptions import BackendError, NotSupportedError, PartialMatchError, FullMatchError
 from sigma.parser.modifiers import modifiers
 import codecs
+import copy
 
 sys.stdout = codecs.getwriter('utf-8')(sys.stdout.detach())
 
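Review bot: In the restored `for rulename, rule in self.elastalert_alerts.items():` loop of finalize (the `@@ -1370,15 +1370,9 @@` hunk), `rulename` is bound but never used; iterating the values states what the loop actually needs: `for rule in self.elastalert_alerts.values():`. This is the code as it stood before the series, so it is a pre-existing style point rather than a regression introduced here. finalize's body is fully visible, but the enclosing class continues outside the hunk.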
@@ -249,11 +250,9 @@ def main():
             parser = SigmaCollectionParser(f, sigmaconfigs, rulefilter, sigmafile)
             results = parser.generate(backend)
 
-            nb_result = len(list(parser.generate(backend)))
-            if nb_result > 1 :
-                inc_filenane = 0
-            else:
-                inc_filenane = None
+            nb_result = len(list(copy.deepcopy(results)))
+            inc_filenane = None if nb_result < 2 else 0
+
             newline_separator = '\0' if cmdargs.print0 else '\n'
 
             for result in results:
@@ -275,6 +274,25 @@ def main():
                         print("Failed to open output file '%s': %s" % (filename, str(e)), file=sys.stderr)
                         exit(ERR_OUTPUT)
                 print(result, file=out, end=newline_separator)
+
+            if nb_result == 0: # elastalert return "results=[]" so get a error with out not def
+                if not fileprefix == None and not inc_filenane == None: #yml action
+                    try:
+                        filename = fileprefix + str(sigmafile.name)
+                        filename = filename.replace('.yml','_' + str(inc_filenane) + filename_ext)
+                        inc_filenane += 1
+                        out = open(filename, "w", encoding='utf-8')
+                    except (IOError, OSError) as e:
+                        print("Failed to open output file '%s': %s" % (filename, str(e)), file=sys.stderr)
+                        exit(ERR_OUTPUT)
+                elif not fileprefix == None and inc_filenane == None: # a simple yml
+                    try:
+                        filename = fileprefix + str(sigmafile.name)
+                        filename = filename.replace('.yml',filename_ext)
+                        out = open(filename, "w", encoding='utf-8')
+                    except (IOError, OSError) as e:
+                        print("Failed to open output file '%s': %s" % (filename, str(e)), file=sys.stderr)
+                        exit(ERR_OUTPUT)
         except OSError as e:
             print("Failed to open Sigma file %s: %s" % (sigmafile, str(e)), file=sys.stderr)
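Review bot: `nb_result = len(list(copy.deepcopy(results)))` depends on whatever `parser.generate(backend)` returns being deep-copyable; if that object is a generator (its type is not visible here), `copy.deepcopy` raises TypeError, and even where it succeeds it duplicates every generated result just to count them. Materialising the results once is simpler and drops the dependency on `copy`: `results = list(parser.generate(backend))` followed by `nb_result = len(results)`; the later `for result in results:` loop is unaffected, and the `import copy` added in the preceding hunk then becomes unnecessary. `inc_filenane` reads as a typo for `inc_filename`; it is reused in the following hunk, so the rename would have to be applied there too. main() continues outside the hunk.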