Updating tests and filtering logic with better regex

SigmaHQ · Feb 16, 2025 · d9f4d8c · d9f4d8c
1 parent 714d073
commit d9f4d8c
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 2 deletions.
diff --git a/sigma/filters.py b/sigma/filters.py
@@ -194,8 +194,8 @@ def apply_on_rule(
 
             # Replace each instance of the original condition name with the new condition name to avoid conflicts
             filter_condition = re.sub(
-                rf"(^|\s|\()+{original_cond_name}(\s|$|\))+",
-                cond_name,
+                rf"(\s|\(|^){original_cond_name}(\s|$|\))",
+                r"\1" + cond_name + r"\2",
                 filter_condition,
             )
             rule.detection.detections[cond_name] = condition

diff --git a/tests/test_filters.py b/tests/test_filters.py
@@ -341,3 +341,21 @@ def test_regression_github_issue_321_brackets(
     assert test_backend.convert(rule_collection) == [
         '(EventID=4625 or EventID2=4624) and not User startswith "adm_"'
     ]
+
+
+def test_regression_github_issue_321_selection_confusion(rule_collection, test_backend, sigma_filter):
+    sigma_filter.filter = SigmaGlobalFilter.from_dict(
+        {
+            "rules": [
+                "6f3e2987-db24-4c78-a860-b4f4095a7095",
+            ],
+            "filter": {"User|startswith": "adm_"},
+            "condition": "not selection",
+        }
+    )
+
+    rule_collection.rules += [sigma_filter]
+
+    assert test_backend.convert(rule_collection) == [
+        '(EventID=4625 or EventID2=4624) and not User startswith "adm_"'
+    ]