Integrate Sigma Rules parser for importing rules based on Sigma schema-part2 #8
Conversation
Signed-off-by: Subhobrata Dey <sbcd90@gmail.com>
sbcd90
force-pushed
the
sigma_part2
branch
3 times, most recently
from
fe266c5 to
4adf093
Compare
| | NOT expression # notExpression | ||
| | left=expression operator=AND right=expression # andExpression | ||
| | left=expression operator=OR right=expression # orExpression | ||
| ; |
There was a problem hiding this comment.
nit: do we need to add a new line at the end of file? Applicable across
src/test/resources/fieldmappings.yml
Outdated
| @@ -0,0 +1,5 @@ | |||
| fieldmappings: | |||
There was a problem hiding this comment.
Since we will have multiple types of resources here, lets follow a directory path structure. Such as for one kind of mapping - resources/OSMapping/fieldmappings.yml
There was a problem hiding this comment.
fixed it. kept the path hardcoded in code. will generalize it as i add the logic for selecting mapping type.
Signed-off-by: Subhobrata Dey <sbcd90@gmail.com>
|
|
||
| @SuppressWarnings({"all", "warnings", "unchecked", "unused", "cast"}) | ||
| public class ConditionLexer extends Lexer { | ||
| static { RuntimeMetaData.checkVersion("4.10.1", RuntimeMetaData.VERSION); } |
There was a problem hiding this comment.
Should we have a constants file that stores this 4.10.1 version there so its easy to update?
There was a problem hiding this comment.
this is in a generated class using antlr. hence, did not change it.
| /* @Override | ||
| public Object convertConditionFieldEqValNull(ConditionFieldEqualsValueExpression condition) { | ||
| return null; | ||
| } | ||
|
|
||
| @Override | ||
| public Object convertConditionFieldEqValQueryExpr(ConditionFieldEqualsValueExpression condition) { | ||
| return null; | ||
| }*/ |
There was a problem hiding this comment.
Remove commented code. If we want to comment it temporarily, add a TODO here
There was a problem hiding this comment.
fixed it. added a TODO.
| /* @Override | ||
| public Object convertConditionValQueryExpr(ConditionValueExpression condition) { | ||
| return null; | ||
| }*/ |
There was a problem hiding this comment.
fixed it. added a TODO.
| }/* else if (condition.getValue() instanceof SigmaQueryExpression) { | ||
| return this.convertConditionFieldEqValQueryExpr(condition); | ||
| }*/ else if (condition.getValue() instanceof SigmaExpansion) { |
There was a problem hiding this comment.
Add TODO or remove commented code
There was a problem hiding this comment.
fixed it. added a TODO.
Signed-off-by: Subhobrata Dey <sbcd90@gmail.com>
Codecov Report
@@ Coverage Diff @@
## main #8 +/- ##
=============================================
+ Coverage 65.05% 77.19% +12.13%
- Complexity 99 536 +437
=============================================
Files 26 72 +46
Lines 269 1609 +1340
Branches 60 338 +278
=============================================
+ Hits 175 1242 +1067
- Misses 73 225 +152
- Partials 21 142 +121
Continue to review full report at Codecov.
|
…a-part2 (opensearch-project#8) Signed-off-by: marko <okrammarko@gmail.com>
…a-part2 (opensearch-project#8) Signed-off-by: marko <okrammarko@gmail.com>
Signed-off-by: Subhobrata Dey <sbcd90@gmail.com>
backport from origin 2.15
Description
integrate sigma rules parser
Issues Resolved
Rule curation layer(P0) & Rule ingestion layer(P0)
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.