Remove modifications from base file and override in stix.py

2024-11-07 09:48:58 +00:00 · 2020-07-23 10:13:30 -04:00 · 2020-07-23 10:13:30 -04:00 · 0fac21f4a3
commit 0fac21f4a3
parent 30ff22776a
2 changed files with 63 additions and 16 deletions
--- a/tools/sigma/backends/base.py
+++ b/tools/sigma/backends/base.py
@ -154,12 +154,10 @@ class BaseBackend:
            pass
        return query

-    def generateNode(self, node, currently_within_NOT_node=False):
+    def generateNode(self, node):
        if type(node) == sigma.parser.condition.ConditionAND:
            return self.applyOverrides(self.generateANDNode(node))
        elif type(node) == sigma.parser.condition.ConditionOR:
-            if currently_within_NOT_node:
-                return self.applyOverrides(self.generateANDNode(node))
            return self.applyOverrides(self.generateORNode(node))
        elif type(node) == sigma.parser.condition.ConditionNOT:
            return self.applyOverrides(self.generateNOTNode(node))
@ -248,8 +246,8 @@ class SingleTextQueryBackend(RulenameCommentMixin, BaseBackend, QuoteCharMixin):

    sort_condition_lists = False        # Sort condition items for AND and OR conditions

-    def generateANDNode(self, node, currently_within_NOT_node=False):
-        generated = [ self.generateNode(val, currently_within_NOT_node) for val in node ]
+    def generateANDNode(self, node):
+        generated = [ self.generateNode(val) for val in node ]
        filtered = [ g for g in generated if g is not None ]
        if filtered:
            if self.sort_condition_lists:
@ -258,8 +256,8 @@ class SingleTextQueryBackend(RulenameCommentMixin, BaseBackend, QuoteCharMixin):
        else:
            return None

-    def generateORNode(self, node, currently_within_NOT_node):
-        generated = [ self.generateNode(val, currently_within_NOT_node) for val in node ]
+    def generateORNode(self, node):
+        generated = [ self.generateNode(val) for val in node ]
        filtered = [ g for g in generated if g is not None ]
        if filtered:
            if self.sort_condition_lists:
@ -268,34 +266,33 @@ class SingleTextQueryBackend(RulenameCommentMixin, BaseBackend, QuoteCharMixin):
        else:
            return None

-    def generateNOTNode(self, node, currently_within_NOT_node):
-        currently_within_NOT_node = True
-        generated = self.generateNode(node.item, currently_within_NOT_node)
+    def generateNOTNode(self, node):
+        generated = self.generateNode(node.item)
        if generated is not None:
            return generated
        else:
            return None

-    def generateSubexpressionNode(self, node, currently_within_NOT_node):
-        generated = self.generateNode(node.items, currently_within_NOT_node)
+    def generateSubexpressionNode(self, node):
+        generated = self.generateNode(node.items)
        if generated:
            return self.subExpression % generated
        else:
            return None

-    def generateListNode(self, node, currently_within_NOT_node):
+    def generateListNode(self, node):
        if not set([type(value) for value in node]).issubset({str, int}):
            raise TypeError("List values must be strings or numbers")
        return self.listExpression % (self.listSeparator.join([self.generateNode(value) for value in node]))

-    def generateMapItemNode(self, node, currently_within_NOT_node):
+    def generateMapItemNode(self, node):
        fieldname, value = node

        transformed_fieldname = self.fieldNameMapping(fieldname, value)
        if self.mapListsSpecialHandling == False and type(value) in (str, int, list) or self.mapListsSpecialHandling == True and type(value) in (str, int):
            return self.mapExpression % (transformed_fieldname, self.generateNode(value))
        elif type(value) == list:
-            return self.generateMapItemListNode(transformed_fieldname, value, currently_within_NOT_node)
+            return self.generateMapItemListNode(transformed_fieldname, value)
        elif isinstance(value, SigmaTypeModifier):
            return self.generateMapItemTypedNode(transformed_fieldname, value)
        elif value is None:
@ -303,7 +300,7 @@ class SingleTextQueryBackend(RulenameCommentMixin, BaseBackend, QuoteCharMixin):
        else:
            raise TypeError("Backend does not support map values of type " + str(type(value)))

-    def generateMapItemListNode(self, fieldname, value, currently_within_NOT_node):
+    def generateMapItemListNode(self, fieldname, value):
        return self.mapListValueExpression % (fieldname, self.generateNode(value))

    def generateMapItemTypedNode(self, fieldname, value):
--- a/tools/sigma/backends/stix.py
+++ b/tools/sigma/backends/stix.py
@ -26,6 +26,56 @@ class STIXBackend(SingleTextQueryBackend):
    def cleanValue(self, value):
        return value

+    def generateANDNode(self, node, currently_within_NOT_node=False):
+        generated = [self.generateNode(val, currently_within_NOT_node) for val in node]
+        filtered = [g for g in generated if g is not None]
+        if filtered:
+            if self.sort_condition_lists:
+                filtered = sorted(filtered)
+            return self.andToken.join(filtered)
+        else:
+            return None
+
+    def generateORNode(self, node, currently_within_NOT_node):
+        generated = [self.generateNode(val, currently_within_NOT_node) for val in node]
+        filtered = [g for g in generated if g is not None]
+        if filtered:
+            if self.sort_condition_lists:
+                filtered = sorted(filtered)
+            return self.orToken.join(filtered)
+        else:
+            return None
+
+    def generateNOTNode(self, node, currently_within_NOT_node):
+        currently_within_NOT_node = True
+        generated = self.generateNode(node.item, currently_within_NOT_node)
+        if generated is not None:
+            return generated
+        else:
+            return None
+
+    def generateSubexpressionNode(self, node, currently_within_NOT_node):
+        generated = self.generateNode(node.items, currently_within_NOT_node)
+        if generated:
+            return self.subExpression % generated
+        else:
+            return None
+
+    def generateMapItemNode(self, node, currently_within_NOT_node):
+        fieldname, value = node
+
+        transformed_fieldname = self.fieldNameMapping(fieldname, value)
+        if self.mapListsSpecialHandling == False and type(value) in (str, int, list) or self.mapListsSpecialHandling == True and type(value) in (str, int):
+            return self.mapExpression % (transformed_fieldname, self.generateNode(value))
+        elif type(value) == list:
+            return self.generateMapItemListNode(transformed_fieldname, value, currently_within_NOT_node)
+        elif isinstance(value, SigmaTypeModifier):
+            return self.generateMapItemTypedNode(transformed_fieldname, value)
+        elif value is None:
+            return self.nullExpression % (transformed_fieldname, )
+        else:
+            raise TypeError("Backend does not support map values of type " + str(type(value)))
+
    def generateMapItemListNode(self, key, value, currently_within_NOT_node):
        items_list = list()
        for item in value: