Implement (One|All) Of (Them|Pattern) condition operators
Bradley Kemp committed Oct 2, 2020
1 parent 8fd532f commit 81247ec
Showing 2 changed files with 51 additions and 10 deletions.
14 changes: 4 additions & 10 deletions ast.go
Expand Up @@ -46,13 +46,13 @@ type AllOfIdentifier struct {
func (AllOfIdentifier) searchExpr() {}

type AllOfPattern struct {
Pattern SearchIdenfifierPattern
Pattern string
}

func (AllOfPattern) searchExpr() {}

type OneOfPattern struct {
Pattern SearchIdenfifierPattern
Pattern string
}

func (OneOfPattern) searchExpr() {}
Expand All @@ -71,12 +71,6 @@ type SearchIdentifier struct {

func (SearchIdentifier) searchExpr() {}

type SearchIdenfifierPattern struct {
Pattern string
}

func (SearchIdenfifierPattern) searchExpr() {}

type AggregationExpr interface {
aggregationExpr()
}
Expand Down Expand Up @@ -199,12 +193,12 @@ func searchToAST(node interface{}) SearchExpr {

case o.AllOfPattern != nil:
return AllOfPattern{
Pattern: SearchIdenfifierPattern{Pattern: *o.AllOfPattern},
Pattern: *o.AllOfPattern,
}

case o.OneOfPattern != nil:
return OneOfPattern{
Pattern: SearchIdenfifierPattern{Pattern: *o.OneOfPattern},
Pattern: *o.OneOfPattern,
}
default:
panic("invalid term type: all fields nil")
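Review bot: The `Pattern string` fields that replace `SearchIdenfifierPattern` on `AllOfPattern` and `OneOfPattern` carry no comment saying what syntax the string holds, and since the evaluator in this commit hands it straight to `path.Match`, the matching rules are not discoverable from the AST type alone. A field comment on both structs such as `// Pattern is a wildcard pattern (path.Match syntax) matched against search identifier names.` would make the contract explicit for anyone constructing or inspecting the AST. The `searchToAST` hunk starts inside the function; only the two `case` arms are visible here.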
47 changes: 47 additions & 0 deletions evaluator/evaluate_search.go
Expand Up @@ -3,6 +3,7 @@ package evaluator
import (
"encoding/base64"
"fmt"
"path"
"strings"

"github.com/bradleyjkemp/sigma-go"
Expand All @@ -25,6 +26,52 @@ func (rule RuleEvaluator) evaluateSearchExpression(search sigma.SearchExpr, even
panic("invalid search identifier")
}
return rule.evaluateSearch(search, event)

case sigma.OneOfThem:
for name := range rule.Detection.Searches {
if rule.evaluateSearchExpression(sigma.SearchIdentifier{Name: name}, event) {
return true
}
}
return false

case sigma.OneOfPattern:
for name := range rule.Detection.Searches {
matchesPattern, err := path.Match(s.Pattern, name)
if err != nil {
panic(err)
}
if !matchesPattern {
continue
}
if rule.evaluateSearchExpression(sigma.SearchIdentifier{Name: name}, event) {
return true
}
}
return false

case sigma.AllOfThem:
for name := range rule.Detection.Searches {
if !rule.evaluateSearchExpression(sigma.SearchIdentifier{Name: name}, event) {
return false
}
}
return true

case sigma.AllOfPattern:
for name := range rule.Detection.Searches {
matchesPattern, err := path.Match(s.Pattern, name)
if err != nil {
panic(err)
}
if !matchesPattern {
continue
}
if !rule.evaluateSearchExpression(sigma.SearchIdentifier{Name: name}, event) {
return false
}
}
return true
}

panic(false)
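Review bot: In the `case sigma.AllOfPattern:` branch a pattern that matches no search identifier falls through the loop and returns true, so a misspelled pattern (say `all of selektion*`) silently turns the rule into a match-everything rule instead of failing; track a hit with `matched := false` before the loop, `matched = true` right after the `!matchesPattern` check, and `return matched` at the end (the same vacuous truth applies to `AllOfThem` when `Searches` is empty). The `panic(err)` after `path.Match` in both the `OneOfPattern` and `AllOfPattern` branches is reached on every evaluation rather than once at rule load, so a single rule with a malformed pattern (`path.ErrBadPattern`, e.g. an unterminated `[`) aborts evaluation for every event; rejecting the pattern when the rule is parsed, or treating it as a non-match here, keeps one bad rule from taking the evaluator down. Note also that `path.Match` gives `?`, `[...]` and `\` special meaning and its `*` does not cross `/`, which presumably differs from Sigma's plain wildcard if an identifier ever contains those characters — worth confirming against the rule corpus. The enclosing `evaluateSearchExpression` starts before the hunk.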
