Merge branch 'main' of https://github.com/SigmaHQ/pySigma
thomaspatzke committed Jul 14, 2024
2 parents b722eab + cab496d commit 09fe2ab
Showing 2 changed files with 19 additions and 3 deletions.
7 changes: 4 additions & 3 deletions sigma/filters.py
Expand Up @@ -188,19 +188,20 @@ def apply_on_rule(
if not self._should_apply_on_rule(rule):
return rule

filter_condition = self.filter.condition[0]
for original_cond_name, condition in self.filter.detections.items():
cond_name = "_filt_" + ("".join(random.choices(string.ascii_lowercase, k=10)))

# Replace each instance of the original condition name with the new condition name to avoid conflicts
self.filter.condition[0] = re.sub(
filter_condition = re.sub(
rf"[^ ]*{original_cond_name}[^ ]*",
cond_name,
self.filter.condition[0],
filter_condition,
)
rule.detection.detections[cond_name] = condition

for i, condition in enumerate(rule.detection.condition):
rule.detection.condition[i] = f"({condition}) and " + f"({self.filter.condition[0]})"
rule.detection.condition[i] = f"({condition}) and " + f"({filter_condition})"

# Reparse the rule to update the parsed conditions
rule.detection.__post_init__()
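Review bot: `original_cond_name` is interpolated into the regex unescaped in the `re.sub` call that now assigns `filter_condition`; a detection name containing a regex metacharacter (a dot, a plus, a bracket) would change what `[^ ]*{original_cond_name}[^ ]*` matches, so the pattern should be `rf"[^ ]*{re.escape(original_cond_name)}[^ ]*"`. Because the pattern matches the name as a substring of a whitespace-delimited token, a filter whose detection names share a prefix (say `sel` and `sel_2`) could, I suspect, have the longer name rewritten by the substitution for the shorter one, depending on the iteration order of `self.filter.detections`; a comment on the `re.sub` stating that detection names are assumed not to be substrings of one another would at least make that assumption visible. The commit correctly stops mutating `self.filter.condition[0]`, so a second application of the same filter no longer sees an already-rewritten condition. `apply_on_rule` begins before and continues past the hunk.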
15 changes: 15 additions & 0 deletions tests/test_filters.py
@@ -1,3 +1,5 @@
import copy
import uuid
from pathlib import Path
from typing import Callable

Expand Down Expand Up @@ -133,6 +135,19 @@ def test_basic_filter_application_against_correlation_rule(
]


def test_filter_application_to_several_rules(sigma_filter, test_backend, rule_collection):
rule_copy = copy.deepcopy(rule_collection.rules[0])
rule_copy.id = uuid.UUID("257f7780-ea6c-48d4-ae8e-2b95b3740d84")
sigma_filter.filter.rules.append(SigmaRuleReference(str(rule_copy.id)))

rule_collection.rules.extend([rule_copy, sigma_filter])

assert (
test_backend.convert(rule_collection)
== ['(EventID=4625 or EventID2=4624) and not User startswith "adm_"'] * 2
)


def test_reducing_rule_collections(sigma_filter, test_backend, rule_collection):
rule_collection.rules += [sigma_filter]

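Review bot: `test_filter_application_to_several_rules` exercises the path that previously rewrote `self.filter.condition[0]` in place but only checks the converted output; asserting that the filter's own condition is untouched after conversion would pin the regression directly, e.g. `original_condition = list(sigma_filter.filter.condition)` before `test_backend.convert(rule_collection)` and `assert sigma_filter.filter.condition == original_condition` after it. The test also mutates the `sigma_filter` and `rule_collection` fixtures in place, which is only safe if they are function-scoped — their definitions are not in this hunk, so please confirm. `SigmaRuleReference` is used without appearing in the import hunk above, so presumably it is already imported further down the header; worth a glance.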