From 81247ec1a68760874f2658dbf8621f1afd227a91 Mon Sep 17 00:00:00 2001
From: Bradley Kemp
Date: Fri, 2 Oct 2020 18:48:43 +0100
Subject: [PATCH] Implement (One|All) Of (Them|Pattern) condition operators
---
 ast.go | 14 +++-------
 evaluator/evaluate_search.go | 47 ++++++++++++++++++++++++++++++++++++
 2 files changed, 51 insertions(+), 10 deletions(-)
diff --git a/ast.go b/ast.go
index 01aa882..adae243 100644
--- a/ast.go
+++ b/ast.go
@@ -46,13 +46,13 @@ type AllOfIdentifier struct {
 func (AllOfIdentifier) searchExpr() {}
 type AllOfPattern struct {
- Pattern SearchIdenfifierPattern
+ Pattern string
 }
 func (AllOfPattern) searchExpr() {}
 type OneOfPattern struct {
- Pattern SearchIdenfifierPattern
+ Pattern string
 }
 func (OneOfPattern) searchExpr() {}
@@ -71,12 +71,6 @@ type SearchIdentifier struct {
 func (SearchIdentifier) searchExpr() {}
-type SearchIdenfifierPattern struct {
- Pattern string
-}
-
-func (SearchIdenfifierPattern) searchExpr() {}
-
 type AggregationExpr interface {
 aggregationExpr()
 }
@@ -199,12 +193,12 @@ func searchToAST(node interface{}) SearchExpr {
 case o.AllOfPattern != nil:
 return AllOfPattern{
- Pattern: SearchIdenfifierPattern{Pattern: *o.AllOfPattern},
+ Pattern: *o.AllOfPattern,
 }
 case o.OneOfPattern != nil:
 return OneOfPattern{
- Pattern: SearchIdenfifierPattern{Pattern: *o.OneOfPattern},
+ Pattern: *o.OneOfPattern,
 }
 default:
 panic("invalid term type: all fields nil")
diff --git a/evaluator/evaluate_search.go b/evaluator/evaluate_search.go
index 8ddc7b8..7411a8a 100644
--- a/evaluator/evaluate_search.go
+++ b/evaluator/evaluate_search.go
@@ -3,6 +3,7 @@ package evaluator
 import (
 "encoding/base64"
 "fmt"
+ "path"
 "strings"
 "github.com/bradleyjkemp/sigma-go"
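Review bot: The new `Pattern string` field on `AllOfPattern` has no doc comment, and with the wrapper type gone nothing in ast.go says what syntax the string holds; the evaluator in this same patch matches it with `path.Match`, so that contract should be recorded on the field for rule authors and for any other evaluator built on this AST. Suggested comment: `// Pattern is a glob in path.Match syntax, matched against search identifier names.` The same comment belongs on the `Pattern` field of `OneOfPattern` a few lines further down in this hunk.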
@@ -25,6 +26,52 @@ func (rule RuleEvaluator) evaluateSearchExpression(search sigma.SearchExpr, even
 panic("invalid search identifier")
 }
 return rule.evaluateSearch(search, event)
+
+ case sigma.OneOfThem:
+ for name := range rule.Detection.Searches {
+ if rule.evaluateSearchExpression(sigma.SearchIdentifier{Name: name}, event) {
+ return true
+ }
+ }
+ return false
+
+ case sigma.OneOfPattern:
+ for name := range rule.Detection.Searches {
+ matchesPattern, err := path.Match(s.Pattern, name)
+ if err != nil {
+ panic(err)
+ }
+ if !matchesPattern {
+ continue
+ }
+ if rule.evaluateSearchExpression(sigma.SearchIdentifier{Name: name}, event) {
+ return true
+ }
+ }
+ return false
+
+ case sigma.AllOfThem:
+ for name := range rule.Detection.Searches {
+ if !rule.evaluateSearchExpression(sigma.SearchIdentifier{Name: name}, event) {
+ return false
+ }
+ }
+ return true
+
+ case sigma.AllOfPattern:
+ for name := range rule.Detection.Searches {
+ matchesPattern, err := path.Match(s.Pattern, name)
+ if err != nil {
+ panic(err)
+ }
+ if !matchesPattern {
+ continue
+ }
+ if !rule.evaluateSearchExpression(sigma.SearchIdentifier{Name: name}, event) {
+ return false
+ }
+ }
+ return true
 }
 panic(false)
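Review bot: In the `case sigma.AllOfPattern` branch a pattern that matches no search identifier falls through to `return true`, so a rule whose `all of` pattern names a misspelled or absent selection matches every event instead of none, and `case sigma.AllOfThem` likewise returns true when `rule.Detection.Searches` is empty. Track whether any identifier was actually considered — `matchedAny := false` before the loop, `matchedAny = true` after the `continue` guard, and `return matchedAny` in place of `return true` — or reject such patterns when the rule is loaded, so a typo cannot turn into a rule that fires unconditionally. The `path.Match` calls in both pattern branches also `panic(err)` on `path.ErrBadPattern` at evaluation time, once per event, even though `s.Pattern` is fixed by the rule text; validating the pattern once when the AST is built (or treating the error as a non-match) avoids a rule-controlled crash of the evaluator. Note too that `path.Match` interprets `?` and `[...]` in addition to `*`, which is likely broader than intended and means an identifier or pattern containing `[` can reach that error path. The enclosing `evaluateSearchExpression` type switch that binds `s` begins outside this hunk.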