Add filter condition= and condition!=

2024-11-07 01:45:21 +00:00 · 2021-06-10 08:26:19 +02:00 · 2021-06-10 08:26:19 +02:00 · af1aee9541
commit af1aee9541
parent ced94bb728
1 changed files with 44 additions and 12 deletions
--- a/tools/sigma/filter.py
+++ b/tools/sigma/filter.py
@ -35,6 +35,8 @@ class SigmaRuleFilter:
        self.tags          = list()
        self.nottags       = list()
        self.inlastday     = None
+        self.condition     = list()
+        self.notcondition  = list()

        for cond in [c.replace(" ", "") for c in expr.split(",")]:
            if cond.startswith("level<="):
@ -68,6 +70,10 @@ class SigmaRuleFilter:
                self.tags.append(cond[cond.index("=") + 1:].lower())
            elif cond.startswith("tag!="):
                self.nottags.append(cond[cond.index("=") + 1:].lower())
+            elif cond.startswith("condition="):
+                self.condition.append(cond[cond.index("=") + 1:].lower())
+            elif cond.startswith("condition!="):
+                self.notcondition.append(cond[cond.index("=") + 1:].lower())
            elif cond.startswith("inlastday="):
                nbday = cond[cond.index("=") + 1:]
                try:
@ -110,7 +116,7 @@ class SigmaRuleFilter:
                logsources = { value for key, value in yamldoc['logsource'].items() }
            except (KeyError, AttributeError):    # no log source set
                return False    # User wants status restriction, but it's not possible here
-
+            print(self.logsources)
            for logsrc in self.logsources:
                if logsrc not in logsources:
                    return False
@ -167,6 +173,32 @@ class SigmaRuleFilter:
           if delta.days > self.inlastday:
                return False

+        if self.condition:
+            try:
+                conditions = yamldoc['detection']['condition']
+                if isinstance(conditions,list):                         # sone time conditions are list even with only 1 line
+                    s_condition = ' '.join(conditions)
+                else:
+                    s_condition = conditions
+            except KeyError:    # missing condition
+                return False    # User wants condition restriction, but it's not possible here
+            for val in self.condition:
+                if not val in s_condition:
+                    return False
+
+        if self.notcondition:
+            try:
+                conditions = yamldoc['detection']['condition']
+                if isinstance(conditions,list):                         # sone time conditions are list even with only 1 line
+                    s_condition = ' '.join(conditions)
+                else:
+                    s_condition = conditions
+            except KeyError:    # missing condition
+                return False    # User wants condition restriction, but it's not possible here
+            for val in self.notcondition:
+                if val in s_condition:
+                    return False
+
        # all tests passed
        return True