From 45644909f0d9c39bb4916d377ebeb413913d4f4e Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Tue, 19 Dec 2023 21:47:26 +0900
Subject: [PATCH] feat: add incompatible modifier check
---
 tools/sigmac/logsource_mapping.py | 7 ++++++-
 tools/sigmac/test_logsource_mapping.py | 2 +-
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/tools/sigmac/logsource_mapping.py b/tools/sigmac/logsource_mapping.py
index 5791ec39f..de5378d08 100644
--- a/tools/sigmac/logsource_mapping.py
+++ b/tools/sigmac/logsource_mapping.py
@@ -160,7 +160,7 @@ def is_detectable(self, obj: dict) -> bool:
 """
 process_creation/registry_xxルールののSysmon/Securityイベント用変換後フィールドの妥当性チェック
 """
- if self.category != "process_creation" and self.category != "registry_set" and self.category != "registry_add" and self.category != "registry_event" and self.category == "registry_delete" :
+ if self.category != "process_creation" and self.category != "registry_set" and self.category != "registry_add" and self.category != "registry_event" and self.category != "registry_delete" :
 return True
 for key in obj.keys():
 if key in ["condition", "process_creation", "timeframe", "registry_set", "registry_add", "registry_event", "registry_delete"]:
@@ -264,6 +264,11 @@ def convert(self):
 logsourceのcategory/serviceをlogsource_mapに基づき変換し、変換後の内容でdetectionブロックを更新する
 """
 obj = create_obj(base_dir=None, file_name=self.sigma_path)
+ keys = get_terminal_keys_recursive(obj["detection"], [])
+ modifiers = {re.sub(r".*\|", "", k) for k in keys if "|" in k}
+ if modifiers and [m for m in modifiers if m not in ["all", "base64", "base64offset", "cidr", "contains", "endswith", "endswithfield", "equalsfield", "re", "startswith"]]:
+ LOGGER.error(f"This rule has incompatible field.{obj['detection']}. skip conversion.")
+ return
 logsources = self.get_logsources(obj)
 if not logsources:
 new_obj = copy.deepcopy(obj)
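Review bot: The corrected condition on the `+` line of is_detectable is a five-way `!=` chain, which is exactly the shape that let the original `==` slip through unnoticed; a membership test states the intent directly and cannot be mistyped the same way: `if self.category not in ("process_creation", "registry_set", "registry_add", "registry_event", "registry_delete"):`. The same category names are repeated on the following `if key in [...]` line (together with "condition" and "timeframe"), so a single module-level tuple shared by both lines would keep them from drifting apart again. The body of is_detectable continues below the hunk.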
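Review bot: The new modifier check in convert inspects only the last `|`-segment of each detection key, because `re.sub(r".*\|", "", k)` strips everything up to the final pipe; a chained key such as the constructed `Field|unknown|contains` is reduced to `contains`, passes the allow-list, and the rule is converted even though it carries a modifier the converter does not handle, which yields a rule that silently never matches. Splitting on `|` and checking every segment after the field name closes that gap, and logging the offending modifiers rather than the whole `obj['detection']` dict tells the rule author what to fix. The `modifiers and [m for m in ...]` guard can collapse into one set comprehension that is truthy only when something unsupported is present. I cannot see from the hunk whether `re` is imported at the top of the file; with `str.split` the check no longer needs it. convert's body continues below the hunk.
```python
        obj = create_obj(base_dir=None, file_name=self.sigma_path)
        supported = {"all", "base64", "base64offset", "cidr", "contains", "endswith", "endswithfield", "equalsfield", "re", "startswith"}
        keys = get_terminal_keys_recursive(obj["detection"], [])
        # every segment after the field name is a modifier; check all of them, not only the last one
        unsupported = {m for k in keys if "|" in k for m in k.split("|")[1:] if m not in supported}
        if unsupported:
            LOGGER.error(f"This rule has incompatible modifier(s) {sorted(unsupported)}. skip conversion.")
            return
        # … unchanged: logsource lookup and detection rewrite …
```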
diff --git a/tools/sigmac/test_logsource_mapping.py b/tools/sigmac/test_logsource_mapping.py
index e7b7164d7..90e9286a6 100644
--- a/tools/sigmac/test_logsource_mapping.py
+++ b/tools/sigmac/test_logsource_mapping.py
@@ -120,4 +120,4 @@ def test_logsource_validate_security_12(self):
 self.assertTrue(ls.is_detectable({"selection": {"Image": "a.exe" }}))
 self.assertTrue(ls.is_detectable({"selection": {"Details": "foo" }}))
 self.assertTrue(ls.is_detectable({"selection": {"EventType": "CreateKey" }}))
- self.assertTrue(ls.is_detectable({"selection": {'TargetObject|endswith': 'software'}, 'condition': 'selection'}))
+ self.assertTrue(ls.is_detectable({"selection": {'TargetObject|endswith': 'software'}, 'condition': 'selection'}))
\ No newline at end of file