JPvRiel / wef-reference

Scripts to compare Windows event queries and cross-reference the queries to metadata/manifest extracts.
Creative Commons Attribution 4.0 International

Select or Suppress elements with comments get truncated #3

Closed JPvRiel closed 3 years ago

JPvRiel commented 3 years ago

I've noticed that, if there is a comment within the Select or Suppress query text, all the text after the first comment gets ignored. This text contains the embedded XPath query, and it breaks proper enumeration and guessing at which event IDs, etc. will be guessed.

E.g. for:

```xml
<QueryList>
  <Query Id="0" Path="Security">
    <!-- E.g. extra custom query that gets more security events if MSSQLSERVER is installed -->
    <Select Path="Application">
      *[
        System[
          Provider[@Name='MSSQLSERVER'] and
          (
            EventID=18452 or
            EventID=18453 or
            <!-- embedded comment -->
            EventID=18454 or
            EventID=18456
          )
        ]
      ]
    </Select>
  </Query>
</QueryList>
```

Only event IDs 18452 and 18453 before the comment get included.

I've tracked this issue down to the way the `text` property in Python's lxml is limited to only everything in the current child node, so it is the first piece of text, not all the text, within an element.

The problem is with all calls to `s.text` here: https://github.com/JPvRiel/wef-reference/blob/aa8a4984eb6de25ad505653d64137a1a4a3c1e19/compare_wef.py#L254
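An added example, not code from the wef-reference project, that reproduces the truncation described in this issue and shows the fix. It parses a constructed subscription fragment based on the one above, uses lxml when it is installed (falling back to the standard-library ElementTree with comments preserved, which needs Python 3.8+), and compares the event IDs recovered from an element's `.text` with those recovered from `"".join(el.itertext())`. The helper names (`first_text_chunk`, `full_text`, `enumerate_query_event_ids`) are invented for this example.

```python
import re
from typing import List

try:
    # compare_wef.py uses lxml; lxml keeps XML comments as child nodes by default.
    from lxml import etree as ET

    def parse(xml: bytes):
        return ET.fromstring(xml)
except ImportError:
    # Fallback: the stdlib parser discards comments unless told to keep them
    # (Python 3.8+); without comment nodes the truncation would not reproduce.
    import xml.etree.ElementTree as ET

    def parse(xml: bytes):
        parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
        return ET.fromstring(xml, parser=parser)


# Constructed sample, modelled on the subscription fragment in the issue.
SAMPLE_SUBSCRIPTION = b"""<QueryList>
  <Query Id="0" Path="Security">
    <!-- extra custom query for MSSQLSERVER -->
    <Select Path="Application">
      *[
        System[
          Provider[@Name='MSSQLSERVER'] and
          (
            EventID=18452 or
            EventID=18453 or
            <!-- embedded comment -->
            EventID=18454 or
            EventID=18456
          )
        ]
      ]
    </Select>
  </Query>
</QueryList>"""

EVENT_ID_RE = re.compile(r"EventID\s*=\s*(\d+)")


def first_text_chunk(el) -> str:
    # .text holds only the text before the element's first child node. A comment
    # is a child node, so everything after it is dropped: this is the bug.
    return el.text or ""


def full_text(el) -> str:
    # itertext() yields the element's own text, then each child's text and tail
    # in document order. A comment contributes no text of its own (its tag is not
    # a string) but its tail is still yielded, so the XPath after it survives.
    return "".join(el.itertext())


def event_ids(query_text: str) -> List[int]:
    # Pull every EventID=<n> literal out of the XPath; de-duplicate and sort.
    return sorted({int(n) for n in EVENT_ID_RE.findall(query_text)})


def enumerate_query_event_ids(xml: bytes) -> List[dict]:
    # For every Select/Suppress element, report the IDs seen via .text (buggy)
    # next to the IDs seen via itertext() (fixed).
    root = parse(xml)
    rows = []
    for el in root.findall(".//Select") + root.findall(".//Suppress"):
        rows.append({
            "element": el.tag,
            "path": el.get("Path"),
            "ids_from_text": event_ids(first_text_chunk(el)),
            "ids_from_itertext": event_ids(full_text(el)),
        })
    return rows


if __name__ == "__main__":
    for row in enumerate_query_event_ids(SAMPLE_SUBSCRIPTION):
        print(row)
```

Running it against the sample prints one row in which `ids_from_text` stops at 18453 while `ids_from_itertext` lists all four IDs. The same `.text` versus `itertext()` behaviour holds in both lxml and the standard library, so swapping `s.text` for `"".join(s.itertext())` is sufficient; a regex over the first chunk alone can never see what follows the comment.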

JPvRiel commented 3 years ago

Closed by 82c48e0eca09e8bd7d5c4828a7914da33b1f7ffa