Merge pull request #207 from SigmaHQ/issue-179

thomaspatzke · web-flow · commit 851321ba01a8 · 2024-03-29T00:58:01.000+01:00
Ignore detections with leading underscore "_" in "of" condition pattern matching
diff --git a/.git-blame-ignore-revs b/.git-blame-ignore-revs
@@ -1,5 +1,6 @@
 # Reformatting by black
 a6b11efb3455b0d13d4d712413052061580d43c4
+6b2893d0a7a7771984937d68d3f0306fe164d94a
 # Set line-length to 100 for black
 17185b23e5d18f0977eaf0f96bd941fb6c8d53f1
 
diff --git a/poetry.lock b/poetry.lock
diff --git a/sigma/conditions.py b/sigma/conditions.py
@@ -179,8 +179,10 @@ class ConditionSelector(ConditionItem):
     def __post_init__(self):
         if self.args[0] in ["1", "any"]:
             self.cond_class = ConditionOR
-        else:
+        elif self.args[0] == "all":
             self.cond_class = ConditionAND
+        else:
+            raise SigmaConditionError("Invalid quantifier in selector", source=self.source)
         self.pattern = self.args[1]
 
     def resolve_referenced_detections(self, detections: "sigma.rule.SigmaDetections") -> List[str]:
@@ -195,7 +197,7 @@ def resolve_referenced_detections(self, detections: "sigma.rule.SigmaDetections"
         return [
             ConditionIdentifier([identifier])
             for identifier in detections.detections.keys()
-            if r.match(identifier)
+            if r.match(identifier) and not identifier.startswith("_")
         ]
 
     def postprocess(
diff --git a/tests/test_conditions.py b/tests/test_conditions.py
@@ -160,6 +160,30 @@ def sigma_invalid_detections():
     )
 
 
+@pytest.fixture
+def sigma_underscore_detections():
+    return SigmaDetections(
+        {
+            "detection_1": SigmaDetection(
+                [
+                    SigmaDetectionItem(None, [], [SigmaString("val1")]),
+                ]
+            ),
+            "detection_2": SigmaDetection(
+                [
+                    SigmaDetectionItem(None, [], [SigmaString("val2")]),
+                ]
+            ),
+            "_detection_3": SigmaDetection(
+                [
+                    SigmaDetectionItem(None, [], [SigmaString("val3")]),
+                ]
+            ),
+        },
+        list(),
+    )
+
+
 def test_or(sigma_simple_detections):
     assert SigmaCondition(
         "detection1 or detection2", sigma_simple_detections
@@ -381,6 +405,20 @@ def test_selector_all_of_them(sigma_simple_detections):
     )
 
 
+def test_selector_underscore_filter(sigma_underscore_detections):
+    assert SigmaCondition("any of them", sigma_underscore_detections).parsed == ConditionOR(
+        [
+            ConditionValueExpression(SigmaString("val1")),
+            ConditionValueExpression(SigmaString("val2")),
+        ]
+    )
+
+
+def test_selector_invalid_quantifier(sigma_simple_detections):
+    with pytest.raises(SigmaConditionError, match="Invalid quantifier"):
+        ConditionSelector("invalid", "them")
+
+
 def test_keyword_detection(sigma_detections):
     assert SigmaCondition("keywords", sigma_detections).parsed == ConditionOR(
         [
