import pytest
from sigma.exceptions import SigmaPipelineConditionError
from sigma.processing.condition_expressions import (
ConditionOR,
ConditionAND,
ConditionIdentifier,
ConditionNOT,
parse_condition_expression,
)
from tests.test_processing_pipeline import (
RuleConditionFalse,
RuleConditionTrue,
DetectionItemConditionFalse,
DetectionItemConditionTrue,
FieldNameConditionFalse,
FieldNameConditionTrue,
)
from tests.test_rule import sigma_rule, detection_item
def test_pipeline_condition_expression_identifier(sigma_rule):
    """A bare identifier parses to a ConditionIdentifier at offset 0.

    The integer in the node is the offset of the identifier inside the
    expression string (0 here, since "cond1" is the whole expression).
    Once resolved against the condition table the node delegates ``match``
    to the referenced rule condition, which always matches in this test.
    """
    table = {"cond1": RuleConditionTrue(dummy="test-true")}
    expr = "cond1"

    tree = parse_condition_expression(expr, table)
    tree.resolve(table)

    expected = ConditionIdentifier(0, "cond1")
    assert tree == expected
    assert tree.match(sigma_rule)
def test_pipeline_condition_expression_identifier_not_found():
    """An identifier missing from the table must raise SigmaPipelineConditionError.

    The error message has to name the unknown identifier ("cond2") so that a
    pipeline author can locate the typo; the ``match`` regex pins that.
    Both parsing and resolution happen inside the ``raises`` context, so the
    test accepts the error from whichever of the two steps detects it.
    """
    table = {"cond1": RuleConditionTrue(dummy="test-true")}
    unknown_reference = "cond2"

    with pytest.raises(SigmaPipelineConditionError, match="cond2.*not found"):
        tree = parse_condition_expression(unknown_reference, table)
        tree.resolve(table)
def test_pipeline_condition_expression_and(sigma_rule):
    """``cond1 and cond2`` parses to a ConditionAND of two identifiers.

    Offsets recorded in the nodes are character positions in the expression:
    the AND node and "cond1" start at 0, "cond2" at 10.  With one true and
    one false operand the conjunction must not match the rule.
    """
    table = {
        "cond1": RuleConditionTrue(dummy="test-true"),
        "cond2": RuleConditionFalse(dummy="test-false"),
    }
    expr = "cond1 and cond2"

    tree = parse_condition_expression(expr, table)
    tree.resolve(table)

    left = ConditionIdentifier(0, "cond1")
    right = ConditionIdentifier(10, "cond2")
    assert tree == ConditionAND(0, left, right)
    assert not tree.match(sigma_rule)
def test_pipeline_condition_expression_or(sigma_rule):
    """``cond1 or cond2`` parses to a ConditionOR of two identifiers.

    Offsets are character positions in the expression: the OR node and
    "cond1" start at 0, "cond2" at 9.  One true operand is enough for the
    disjunction to match the rule.
    """
    table = {
        "cond1": RuleConditionTrue(dummy="test-true"),
        "cond2": RuleConditionFalse(dummy="test-false"),
    }
    expr = "cond1 or cond2"

    tree = parse_condition_expression(expr, table)
    tree.resolve(table)

    left = ConditionIdentifier(0, "cond1")
    right = ConditionIdentifier(9, "cond2")
    assert tree == ConditionOR(0, left, right)
    assert tree.match(sigma_rule)
def test_pipeline_condition_expression_not(sigma_rule):
    """``not cond1`` parses to a ConditionNOT wrapping an identifier.

    The NOT node starts at offset 0 and the wrapped "cond1" at offset 4.
    Negating a condition that never matches must yield a match.
    """
    table = {"cond1": RuleConditionFalse(dummy="test-false")}
    expr = "not cond1"

    tree = parse_condition_expression(expr, table)
    tree.resolve(table)

    inner = ConditionIdentifier(4, "cond1")
    assert tree == ConditionNOT(0, inner)
    assert tree.match(sigma_rule)
def test_pipeline_condition_expression_precedence(sigma_rule):
    """Operator precedence: ``not`` binds tighter than ``and``, which binds tighter than ``or``.

    ``cond1 and not cond2 or cond3`` must therefore be parsed as
    ``(cond1 and (not cond2)) or cond3`` — the expected tree below pins that
    shape explicitly rather than relying on the match result alone.  Offsets
    are character positions in the expression: "not" at 10, "cond2" at 14,
    "cond3" at 23.
    """
    # NOTE(review): cond3 is a True condition labelled dummy="test-false";
    # presumably the label is cosmetic — confirm against RuleConditionTrue.
    table = {
        "cond1": RuleConditionTrue(dummy="test-true"),
        "cond2": RuleConditionFalse(dummy="test-false"),
        "cond3": RuleConditionTrue(dummy="test-false"),
    }
    expr = "cond1 and not cond2 or cond3"

    tree = parse_condition_expression(expr, table)
    tree.resolve(table)

    negated_cond2 = ConditionNOT(10, ConditionIdentifier(14, "cond2"))
    conjunction = ConditionAND(0, ConditionIdentifier(0, "cond1"), negated_cond2)
    expected = ConditionOR(0, conjunction, ConditionIdentifier(23, "cond3"))

    assert tree == expected
    assert tree.match(sigma_rule)
def test_pipeline_condition_expression_match_detection_item(detection_item):
    """The same compound expression evaluates correctly over detection-item conditions.

    Uses the DetectionItemCondition* test doubles instead of rule conditions
    and checks only the matching outcome; tree shape is covered by the
    precedence test.
    """
    # NOTE(review): cond3 is a True condition labelled dummy="test-false";
    # presumably the label is cosmetic — confirm against the test doubles.
    table = {
        "cond1": DetectionItemConditionTrue(dummy="test-true"),
        "cond2": DetectionItemConditionFalse(dummy="test-false"),
        "cond3": DetectionItemConditionTrue(dummy="test-false"),
    }
    expr = "cond1 and not cond2 or cond3"

    tree = parse_condition_expression(expr, table)
    tree.resolve(table)

    assert tree.match(detection_item)
def test_pipeline_condition_expression_match_field_name(detection_item):
    """Field-name conditions can be evaluated via both match entry points.

    With FieldNameCondition* test doubles in the table, the resolved tree is
    expected to match both a detection item (``match_detection_item``) and a
    plain field name string (``match_field_name``).
    """
    # NOTE(review): cond3 is a True condition labelled dummy="test-false";
    # presumably the label is cosmetic — confirm against the test doubles.
    table = {
        "cond1": FieldNameConditionTrue(dummy="test-true"),
        "cond2": FieldNameConditionFalse(dummy="test-false"),
        "cond3": FieldNameConditionTrue(dummy="test-false"),
    }
    expr = "cond1 and not cond2 or cond3"

    tree = parse_condition_expression(expr, table)
    tree.resolve(table)

    assert tree.match_detection_item(detection_item)
    assert tree.match_field_name("test")
def test_pipeline_condition_expression_invalid():
    """A syntactically incomplete expression must fail with SigmaPipelineConditionError.

    ``cond1 and`` has a dangling operator.  Pipeline definitions are
    user-supplied input, so the parser is expected to surface this as the
    library's own exception type (with an "Error parsing" message) rather
    than leaking a raw parser error; an empty condition table suffices since
    the failure is purely syntactic.
    """
    malformed = "cond1 and"
    with pytest.raises(SigmaPipelineConditionError, match="Error parsing"):
        parse_condition_expression(malformed, {})