From e0e571680ccacde1f51c8c5e5656a115fa023174 Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Fri, 29 Mar 2024 00:19:11 +0100
Subject: [PATCH 1/4] ConditionSelector enforces valid selector
---
 sigma/conditions.py | 10 ++++++----
 tests/test_conditions.py | 5 +++++
 2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/sigma/conditions.py b/sigma/conditions.py
index 79694281..a4f34e62 100644
--- a/sigma/conditions.py
+++ b/sigma/conditions.py
@@ -66,9 +66,9 @@ def postprocess(
 @dataclass
 class ConditionItem(ParentChainMixin, ABC):
 arg_count: ClassVar[int]
- token_list: ClassVar[bool] = (
- False # determines if the value passed as tokenized is a ParseResult or a simple list object
- )
+ token_list: ClassVar[
+ bool
+ ] = False # determines if the value passed as tokenized is a ParseResult or a simple list object
 args: List[
 Union[
 "ConditionItem",
@@ -179,8 +179,10 @@ class ConditionSelector(ConditionItem):
 def __post_init__(self):
 if self.args[0] in ["1", "any"]:
 self.cond_class = ConditionOR
- else:
+ elif self.args[0] == "all":
 self.cond_class = ConditionAND
+ else:
+ raise SigmaConditionError("Invalid quantifier in selector", source=self.source)
 self.pattern = self.args[1]
 def resolve_referenced_detections(self, detections: "sigma.rule.SigmaDetections") -> List[str]:
diff --git a/tests/test_conditions.py b/tests/test_conditions.py
index 8bfb7d56..c36a33c1 100644
--- a/tests/test_conditions.py
+++ b/tests/test_conditions.py
@@ -381,6 +381,11 @@ def test_selector_all_of_them(sigma_simple_detections):
 )
+def test_selector_invalid_quantifier(sigma_simple_detections):
+ with pytest.raises(SigmaConditionError, match="Invalid quantifier"):
+ ConditionSelector("invalid", "them")
+
+
 def test_keyword_detection(sigma_detections):
 assert SigmaCondition("keywords", sigma_detections).parsed == ConditionOR(
 [
From de369aedc1b741fa7be6007ed89b5cfea5016ec1 Mon Sep 17 00:00:00 2001
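Review bot: The new `raise` in `ConditionSelector.__post_init__` reports "Invalid quantifier in selector" without saying which quantifier was rejected, so a rule author with several `of` expressions has to guess which one failed; `raise SigmaConditionError(f"Invalid quantifier '{self.args[0]}' in selector", source=self.source)` keeps the test's `match="Invalid quantifier"` working and names the token. Note that any quantifier other than "1", "any" or "all" — a numeric one such as "2", if the grammar lets it reach this point — previously fell through silently to `ConditionAND` and now raises, which is the right direction but is a behaviour change worth a sentence in the commit message or a comment on the `else:` branch. `self.source` is not assigned anywhere in this hunk, so it presumably comes from `ConditionItem` or the mixin; the reformatting hunk above and the test hunk below need no changes.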
From: Thomas Patzke
Date: Fri, 29 Mar 2024 00:26:17 +0100
Subject: [PATCH 2/4] of-conditions with pattern matching or "them" ignore detections that start with _
Fixes #179
---
 sigma/conditions.py | 2 +-
 tests/test_conditions.py | 33 +++++++++++++++++++++++++++++++++
 2 files changed, 34 insertions(+), 1 deletion(-)
diff --git a/sigma/conditions.py b/sigma/conditions.py
index a4f34e62..bb654aac 100644
--- a/sigma/conditions.py
+++ b/sigma/conditions.py
@@ -197,7 +197,7 @@ def resolve_referenced_detections(self, detections: "sigma.rule.SigmaDetections"
 return [
 ConditionIdentifier([identifier])
 for identifier in detections.detections.keys()
- if r.match(identifier)
+ if r.match(identifier) and not identifier.startswith("_")
 ]
 def postprocess(
diff --git a/tests/test_conditions.py b/tests/test_conditions.py
index c36a33c1..2b7c4190 100644
--- a/tests/test_conditions.py
+++ b/tests/test_conditions.py
@@ -160,6 +160,30 @@ def sigma_invalid_detections():
 )
+@pytest.fixture
+def sigma_underscore_detections():
+ return SigmaDetections(
+ {
+ "detection_1": SigmaDetection(
+ [
+ SigmaDetectionItem(None, [], [SigmaString("val1")]),
+ ]
+ ),
+ "detection_2": SigmaDetection(
+ [
+ SigmaDetectionItem(None, [], [SigmaString("val2")]),
+ ]
+ ),
+ "_detection_3": SigmaDetection(
+ [
+ SigmaDetectionItem(None, [], [SigmaString("val3")]),
+ ]
+ ),
+ },
+ list(),
+ )
+
+
 def test_or(sigma_simple_detections):
 assert SigmaCondition(
 "detection1 or detection2", sigma_simple_detections
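Review bot: The `not identifier.startswith("_")` clause introduces a naming convention that silently narrows what `them` and pattern selectors expand to, and nothing in the code says why a leading underscore is special; a comment on the comprehension such as `# "_"-prefixed detections are excluded from "them"/pattern expansion (#179)` would stop the next maintainer from "fixing" it. Because the filter sits on the single `return` that both selector forms appear to share, a wildcard pattern that would otherwise cover an underscore-prefixed detection is now narrowed too, yet the added test only exercises `any of them`; a second test using the pattern form against `sigma_underscore_detections` would pin that behaviour. `resolve_referenced_detections` starts outside the hunk, so how `r` is built (and whether it is anchored at the end as well as the start) is not visible here.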
@@ -381,6 +405,15 @@ def test_selector_all_of_them(sigma_simple_detections):
 )
+def test_selector_underscore_filter(sigma_underscore_detections):
+ assert SigmaCondition("any of them", sigma_underscore_detections).parsed == ConditionOR(
+ [
+ ConditionValueExpression(SigmaString("val1")),
+ ConditionValueExpression(SigmaString("val2")),
+ ]
+ )
+
+
 def test_selector_invalid_quantifier(sigma_simple_detections):
 with pytest.raises(SigmaConditionError, match="Invalid quantifier"):
 ConditionSelector("invalid", "them")
From 6b2893d0a7a7771984937d68d3f0306fe164d94a Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Fri, 29 Mar 2024 00:43:27 +0100
Subject: [PATCH 3/4] Updated black and reformatted
---
 poetry.lock | 46 ++++++++++++++++++++++-----------------------
 sigma/conditions.py | 6 +++---
 2 files changed, 26 insertions(+), 26 deletions(-)
diff --git a/poetry.lock b/poetry.lock
index 5c3768ba..1f32d526 100644
--- a/poetry.lock
+++ b/poetry.lock
@@ -63,33 +63,33 @@ dev = ["freezegun (>=1.0,<2.0)", "pytest (>=6.0)", "pytest-cov"] [[package]] name = "black" -version = "24.1.1" +version = "24.3.0" description = "The uncompromising code formatter." optional = false python-versions = ">=3.8" files = [ - {file = "black-24.1.1-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:2588021038bd5ada078de606f2a804cadd0a3cc6a79cb3e9bb3a8bf581325a4c"}, - {file = "black-24.1.1-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:1a95915c98d6e32ca43809d46d932e2abc5f1f7d582ffbe65a5b4d1588af7445"}, - {file = "black-24.1.1-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:2fa6a0e965779c8f2afb286f9ef798df770ba2b6cee063c650b96adec22c056a"}, - {file = "black-24.1.1-cp310-cp310-win_amd64.whl", hash = "sha256:5242ecd9e990aeb995b6d03dc3b2d112d4a78f2083e5a8e86d566340ae80fec4"}, - {file = "black-24.1.1-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:fc1ec9aa6f4d98d022101e015261c056ddebe3da6a8ccfc2c792cbe0349d48b7"}, - {file = "black-24.1.1-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:0269dfdea12442022e88043d2910429bed717b2d04523867a85dacce535916b8"}, - {file = "black-24.1.1-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:b3d64db762eae4a5ce04b6e3dd745dcca0fb9560eb931a5be97472e38652a161"}, - {file = "black-24.1.1-cp311-cp311-win_amd64.whl", hash = "sha256:5d7b06ea8816cbd4becfe5f70accae953c53c0e53aa98730ceccb0395520ee5d"}, - {file = "black-24.1.1-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:e2c8dfa14677f90d976f68e0c923947ae68fa3961d61ee30976c388adc0b02c8"}, - {file = "black-24.1.1-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:a21725862d0e855ae05da1dd25e3825ed712eaaccef6b03017fe0853a01aa45e"}, - {file = "black-24.1.1-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:07204d078e25327aad9ed2c64790d681238686bce254c910de640c7cc4fc3aa6"}, - {file = "black-24.1.1-cp312-cp312-win_amd64.whl", hash = 
"sha256:a83fe522d9698d8f9a101b860b1ee154c1d25f8a82ceb807d319f085b2627c5b"}, - {file = "black-24.1.1-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:08b34e85170d368c37ca7bf81cf67ac863c9d1963b2c1780c39102187ec8dd62"}, - {file = "black-24.1.1-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:7258c27115c1e3b5de9ac6c4f9957e3ee2c02c0b39222a24dc7aa03ba0e986f5"}, - {file = "black-24.1.1-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:40657e1b78212d582a0edecafef133cf1dd02e6677f539b669db4746150d38f6"}, - {file = "black-24.1.1-cp38-cp38-win_amd64.whl", hash = "sha256:e298d588744efda02379521a19639ebcd314fba7a49be22136204d7ed1782717"}, - {file = "black-24.1.1-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:34afe9da5056aa123b8bfda1664bfe6fb4e9c6f311d8e4a6eb089da9a9173bf9"}, - {file = "black-24.1.1-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:854c06fb86fd854140f37fb24dbf10621f5dab9e3b0c29a690ba595e3d543024"}, - {file = "black-24.1.1-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:3897ae5a21ca132efa219c029cce5e6bfc9c3d34ed7e892113d199c0b1b444a2"}, - {file = "black-24.1.1-cp39-cp39-win_amd64.whl", hash = "sha256:ecba2a15dfb2d97105be74bbfe5128bc5e9fa8477d8c46766505c1dda5883aac"}, - {file = "black-24.1.1-py3-none-any.whl", hash = "sha256:5cdc2e2195212208fbcae579b931407c1fa9997584f0a415421748aeafff1168"}, - {file = "black-24.1.1.tar.gz", hash = "sha256:48b5760dcbfe5cf97fd4fba23946681f3a81514c6ab8a45b50da67ac8fbc6c7b"}, + {file = "black-24.3.0-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:7d5e026f8da0322b5662fa7a8e752b3fa2dac1c1cbc213c3d7ff9bdd0ab12395"}, + {file = "black-24.3.0-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:9f50ea1132e2189d8dff0115ab75b65590a3e97de1e143795adb4ce317934995"}, + {file = "black-24.3.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:e2af80566f43c85f5797365077fb64a393861a3730bd110971ab7a0c94e873e7"}, + {file = "black-24.3.0-cp310-cp310-win_amd64.whl", hash = 
"sha256:4be5bb28e090456adfc1255e03967fb67ca846a03be7aadf6249096100ee32d0"}, + {file = "black-24.3.0-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:4f1373a7808a8f135b774039f61d59e4be7eb56b2513d3d2f02a8b9365b8a8a9"}, + {file = "black-24.3.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:aadf7a02d947936ee418777e0247ea114f78aff0d0959461057cae8a04f20597"}, + {file = "black-24.3.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:65c02e4ea2ae09d16314d30912a58ada9a5c4fdfedf9512d23326128ac08ac3d"}, + {file = "black-24.3.0-cp311-cp311-win_amd64.whl", hash = "sha256:bf21b7b230718a5f08bd32d5e4f1db7fc8788345c8aea1d155fc17852b3410f5"}, + {file = "black-24.3.0-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:2818cf72dfd5d289e48f37ccfa08b460bf469e67fb7c4abb07edc2e9f16fb63f"}, + {file = "black-24.3.0-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:4acf672def7eb1725f41f38bf6bf425c8237248bb0804faa3965c036f7672d11"}, + {file = "black-24.3.0-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:c7ed6668cbbfcd231fa0dc1b137d3e40c04c7f786e626b405c62bcd5db5857e4"}, + {file = "black-24.3.0-cp312-cp312-win_amd64.whl", hash = "sha256:56f52cfbd3dabe2798d76dbdd299faa046a901041faf2cf33288bc4e6dae57b5"}, + {file = "black-24.3.0-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:79dcf34b33e38ed1b17434693763301d7ccbd1c5860674a8f871bd15139e7837"}, + {file = "black-24.3.0-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:e19cb1c6365fd6dc38a6eae2dcb691d7d83935c10215aef8e6c38edee3f77abd"}, + {file = "black-24.3.0-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:65b76c275e4c1c5ce6e9870911384bff5ca31ab63d19c76811cb1fb162678213"}, + {file = "black-24.3.0-cp38-cp38-win_amd64.whl", hash = "sha256:b5991d523eee14756f3c8d5df5231550ae8993e2286b8014e2fdea7156ed0959"}, + {file = "black-24.3.0-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:c45f8dff244b3c431b36e3224b6be4a127c6aca780853574c00faf99258041eb"}, + {file = 
"black-24.3.0-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:6905238a754ceb7788a73f02b45637d820b2f5478b20fec82ea865e4f5d4d9f7"}, + {file = "black-24.3.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:d7de8d330763c66663661a1ffd432274a2f92f07feeddd89ffd085b5744f85e7"}, + {file = "black-24.3.0-cp39-cp39-win_amd64.whl", hash = "sha256:7bb041dca0d784697af4646d3b62ba4a6b028276ae878e53f6b4f74ddd6db99f"}, + {file = "black-24.3.0-py3-none-any.whl", hash = "sha256:41622020d7120e01d377f74249e677039d20e6344ff5851de8a10f11f513bf93"}, + {file = "black-24.3.0.tar.gz", hash = "sha256:a0c9c4a0771afc6919578cec71ce82a3e31e054904e7197deacbc9382671c41f"}, ] [package.dependencies] diff --git a/sigma/conditions.py b/sigma/conditions.py index bb654aac..74cd809b 100644 --- a/sigma/conditions.py +++ b/sigma/conditions.py @@ -66,9 +66,9 @@ def postprocess( @dataclass class ConditionItem(ParentChainMixin, ABC): arg_count: ClassVar[int] - token_list: ClassVar[ - bool - ] = False # determines if the value passed as tokenized is a ParseResult or a simple list object + token_list: ClassVar[bool] = ( + False # determines if the value passed as tokenized is a ParseResult or a simple list object + ) args: List[ Union[ "ConditionItem", From e2227855aa0bca3b04a941668347b244f1268a22 Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Fri, 29 Mar 2024 00:45:24 +0100 Subject: [PATCH 4/4] Added black commit to ignored versions for "git blame" --- .git-blame-ignore-revs | 1 + 1 file changed, 1 insertion(+) diff --git a/.git-blame-ignore-revs b/.git-blame-ignore-revs index 17d0939b..d85de356 100644 --- a/.git-blame-ignore-revs +++ b/.git-blame-ignore-revs @@ -1,5 +1,6 @@ # Reformatting by black a6b11efb3455b0d13d4d712413052061580d43c4 +6b2893d0a7a7771984937d68d3f0306fe164d94a # Set line-length to 100 for black 17185b23e5d18f0977eaf0f96bd941fb6c8d53f1