Merge pull request #267 from SigmaHQ:issue-249

Fix: too many backslashes dropped in regular expressions
SigmaHQ · Aug 31, 2024 · 7ff0a68 · 7ff0a68
2 parents beb34a5 + 15df4ad
commit 7ff0a68
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 1 deletion.
diff --git a/sigma/rule.py b/sigma/rule.py
@@ -9,6 +9,7 @@
 from sigma.types import SigmaType, SigmaNull, SigmaString, SigmaNumber, sigma_type
 from sigma.modifiers import (
     SigmaModifier,
+    SigmaRegularExpressionModifier,
     modifier_mapping,
     reverse_modifier_mapping,
     SigmaValueModifier,
@@ -384,7 +385,14 @@ def from_mapping(
             val = [None]
 
         # Map Python types to Sigma typing classes
-        val = [sigma_type(v) for v in val]
+        val = [
+            (
+                SigmaString.from_str(v)
+                if SigmaRegularExpressionModifier in modifiers
+                else sigma_type(v)
+            )
+            for v in val
+        ]
 
         return cls(field, modifiers, val, source=source)
 

diff --git a/sigma/types.py b/sigma/types.py
@@ -148,6 +148,13 @@ def __init__(self, s: Optional[str] = None):
             r.append(acc)
         self.s = tuple(r)
 
+    @classmethod
+    def from_str(cls, s: str) -> "SigmaString":
+        sigma_string = SigmaString()
+        sigma_string.s = (s,)
+        sigma_string.original = s
+        return sigma_string
+
     def __getitem__(self, idx: Union[int, slice]) -> "SigmaString":
         """
         Index SigmaString parts with transparent handling of special characters.

diff --git a/tests/test_rule.py b/tests/test_rule.py
@@ -371,6 +371,13 @@ def test_sigmadetectionitem_key_value_single_regexp_to_plain():
     }
 
 
+def test_sigmadetectionitem_key_value_single_regexp_trailing_backslashes_to_plain():
+    """Key-value detection with one value."""
+    assert SigmaDetectionItem.from_mapping("key|re", "reg.*exp\\\\").to_plain() == {
+        "key|re": "reg.*exp\\\\"
+    }
+
+
 def test_sigmadetectionitem_key_value_list():
     """Key-value detection with value list."""
     assert SigmaDetectionItem.from_mapping("key", ["string", 123]) == SigmaDetectionItem(

diff --git a/tests/test_types.py b/tests/test_types.py
@@ -117,6 +117,10 @@ def test_strings_escaping_end():
     assert SigmaString("finalescape\\").s == ("finalescape\\",)
 
 
+def test_strings_from_str():
+    assert SigmaString.from_str("test*string\\\\") == SigmaString("test\*string\\\\\\\\")
+
+
 def test_string_placeholders_single():
     assert SigmaString("test1%var%test2").insert_placeholders().s == (
         "test1",
@@ -512,6 +516,10 @@ def test_re_to_plain():
     assert SigmaRegularExpression("test.*").to_plain() == "test.*"
 
 
+def test_re_to_plain_trailing_backslash():
+    assert SigmaRegularExpression("test\\\\").to_plain() == "test\\\\"
+
+
 def test_re_invalid():
     with pytest.raises(SigmaRegularExpressionError):
         SigmaRegularExpression("(test.*")