of-conditions with pattern matching or "them" ignore detections that …

…start with _

Fixes #179

sigma/conditions.py

@@ -197,7 +197,7 @@ def resolve_referenced_detections(self, detections: "sigma.rule.SigmaDetections"
         return [
             ConditionIdentifier([identifier])
             for identifier in detections.detections.keys()
-            if r.match(identifier)
+            if r.match(identifier) and not identifier.startswith("_")
         ]
 
     def postprocess(

tests/test_conditions.py

@@ -160,6 +160,30 @@ def sigma_invalid_detections():
     )
 
 
+@pytest.fixture
+def sigma_underscore_detections():
+    return SigmaDetections(
+        {
+            "detection_1": SigmaDetection(
+                [
+                    SigmaDetectionItem(None, [], [SigmaString("val1")]),
+                ]
+            ),
+            "detection_2": SigmaDetection(
+                [
+                    SigmaDetectionItem(None, [], [SigmaString("val2")]),
+                ]
+            ),
+            "_detection_3": SigmaDetection(
+                [
+                    SigmaDetectionItem(None, [], [SigmaString("val3")]),
+                ]
+            ),
+        },
+        list(),
+    )
+
+
 def test_or(sigma_simple_detections):
     assert SigmaCondition(
         "detection1 or detection2", sigma_simple_detections
@@ -381,6 +405,15 @@ def test_selector_all_of_them(sigma_simple_detections):
     )
 
 
+def test_selector_underscore_filter(sigma_underscore_detections):
+    assert SigmaCondition("any of them", sigma_underscore_detections).parsed == ConditionOR(
+        [
+            ConditionValueExpression(SigmaString("val1")),
+            ConditionValueExpression(SigmaString("val2")),
+        ]
+    )
+
+
 def test_selector_invalid_quantifier(sigma_simple_detections):
     with pytest.raises(SigmaConditionError, match="Invalid quantifier"):
         ConditionSelector("invalid", "them")