3396414bda
Revert "Wrapped all-modifier result into NodeSubexpression"
...
This reverts commit 1fbd2bba4d
2022-09-09 22:26:13 +02:00
1fbd2bba4d
Wrapped all-modifier result into NodeSubexpression
...
Fixes sigmac splunk backend: Wrong conversion for |contains|all #3443
2022-09-08 17:57:36 +02:00
19dea55e2c
Merge branch 'windash'
2022-09-08 09:34:19 +02:00
32b4a836b8
using deepcopy to clone previous rule
2022-06-16 12:19:14 +08:00
f6ec8de586
Modifier support for conditional expressions
2022-05-02 23:22:16 +02:00
9ee0d29d68
Windash modifier
2022-05-02 00:38:21 +02:00
58dea50656
Fix: Subexpression with OR instead of OR
2022-05-01 23:17:33 +02:00
184b6bb244
Wrapping base64offset modified expansion group into ConditionOR
2022-05-01 23:07:25 +02:00
dd9b41453b
Fixed faulty optimization by removal
...
Fixes #2806
2022-03-15 23:55:13 +01:00
be579910bb
Logsource condition applied once in nested expression
2021-12-06 14:23:51 +01:00
ad647a6ecb
Merge pull request #2240 from Entropy0/bugfix/condition-type-inheritance
...
fix condition token inheritance
2021-11-15 23:43:53 +01:00
cdaefbff69
Merge pull request #2265 from SigmaHQ/fix-ids
...
Additional characters in identifier token
2021-11-15 23:26:28 +01:00
aa47b88326
Merge pull request #2264 from roysjosh/fix-agg-ge-le
...
Fix aggregation GE/LE
2021-11-15 22:51:14 +01:00
068255fc82
Additional characters in identifier token
2021-11-15 22:46:22 +01:00
87f919d0bc
Fix aggregation GE/LE
...
List longest matches first otherwise they will never match.
2021-11-15 15:57:46 -05:00
c7259b6196
fix condition token inheritance
...
Without this fix, isinstance(ConditionOR(), ConditionAND) yields True
2021-11-09 13:19:53 +01:00
900263315a
Added support for free-text search in logsources configuration, enabling usage of splunk macros and ability to optimize the resulting searches.
2021-06-16 14:52:45 +03:00
7ec513f1d0
Fix error when use -< namefile.yml in commandline as I never use it
2021-05-28 12:47:37 +02:00
b3a608599a
Add some fun backend option for es-rule
2021-05-28 10:51:08 +02:00
f4734cd5e5
Merge pull request #1309 from WuerthIT:logsourcemerging
...
functionality for parameter logsourcemerging
2021-03-13 22:25:29 +01:00
7eeed68fb4
Chronicle Security Backend contributed by SOC Prime.
2021-03-12 12:21:44 +02:00
e1f43f17c2
fixed various spelling errors all over rules and source code
2021-02-24 14:43:13 +00:00
6744770768
functionality for parameter logsourcemerging
2020-12-15 09:23:49 +01:00
e9af2fb119
support nested conditions for Sigma
...
The parser finds the close token in pairs with left token.
So the parser will support nested parentheses in the conditions.
2020-08-07 14:58:32 +08:00
dff7efc173
Update collection.py
2020-06-08 13:55:52 +02:00
55c0a03564
Undefined name: from .exceptions import SigmaCollectionParseError
...
Discovered in #378 . `SigmaCollectionParseError()` is called on line 55 but it is never defined or imported which means that NameError will be raised instead of SigmaCollectionParseError.
2020-06-08 13:55:16 +02:00
24029a8f27
Fix for broken endswith modifier
2020-05-06 17:10:54 +02:00
2fafff3278
Fixed: escaping of backslashes before added *
...
Fixes issue #722 .
2020-05-02 00:13:15 +02:00
324005a126
[feature] extend es-dsl to support nested aggregations
2019-11-12 11:46:43 +01:00
ef14ee542d
Added modifiers: startswith and endswith
2019-11-05 23:04:13 +01:00
c9eb921f68
ConditionAND/OR constructor now allows arbeitrary number of operands
2019-11-02 22:54:35 +01:00
fc276612b6
Added encoding modifiers
2019-10-16 23:52:06 +02:00
849a5a520d
Conditional field mapping resolve_fieldname now functional
...
Before this method just had some placeholder function that wasn't really
implementing the intended functionality of the conditional field
mapping. Now aggregations get also conditional field mapping
functionality.
2019-10-09 23:57:41 +02:00
805c739611
Merge branch 'devel-modifiers'
2019-07-31 23:44:10 +02:00
8a3117d73e
Nested list handling for chained value modifiers
2019-07-16 23:03:19 +02:00
6881967889
Further modifiers
...
* base64
* base64offset
2019-07-16 00:00:35 +02:00
1bb29dca26
Implemented type modifiers and regular expressions
2019-07-15 22:52:10 +02:00
134bfebe57
Ignore "timeframe" detection keyword in "all/any of" conditions
...
Fixes #395
2019-07-13 00:35:35 +02:00
337681cfce
Value modifiers
...
* First transformation modfiers: contains, all
* Sigma converter modifier list
2019-06-30 23:41:28 +02:00
eb022f3908
Conditional field mapping for null values
...
Fixes #326
2019-04-25 23:24:05 +02:00
a9cf14438c
Merge branch 'master' into project-1
2019-01-14 22:36:15 +01:00
aa1a953a65
Moved node dumping code to generic location
2018-11-21 23:22:38 +01:00
26d888aec3
Removed "not null" handling code
...
Feature was removed some time ago.
2018-11-21 22:56:48 +01:00
5053cc4e95
Fixed optimizing of not conditions with subexpressions
...
Optimization pass traversal is cut at ConditionNOT nodes.
2018-11-07 13:54:45 +01:00
a88b1e81ec
Optimizer debugging code cleanup
...
* Removed commented debugging code
* Output to stdin
* Coverage exception for _dumpNode
2018-11-07 13:49:08 +01:00
42ed8acec9
Improved test coverage
...
* Adding tests
* Removal of coverage measurement for debugging code
2018-11-04 23:28:40 +01:00
e28bc35cad
Apply field mappings in generation of log source condition
2018-10-06 23:38:35 +02:00
fc45df144c
Improve the comments on the optimizer
2018-10-03 13:44:03 +02:00
87aa1b5521
Move optimizer to sigma.parser.condition to enable it for all backends
2018-10-03 00:24:31 +02:00
d81946df39
Stacked configurations
...
- Added log source rewriting
- Removed log source merging condition type setting
- Simplified SigmaLogsourceConfiguration constructor
- Condition is generated in SigmaParser instead of SigmaLogsourceConfiguration
Missing:
- Merging of raw config dict for backends that rely on this (es-dsl)
2018-09-12 23:40:22 +02:00
Thomas Patzke