search

theY4Kman / parsuricata

Parse Suricata rules
https://pypi.org/project/parsuricata/
MIT License
13 stars 3 forks source link

Possibility of negative pattern in option #1

Closed Gladskih closed 3 years ago

Gladskih commented 4 years ago

How did you construct regex for setting values in _parser.py

    !string: /"([^;\\"]|(?!\\)\\[;\\"])*"/
    LITERAL: /(?!\s+)([^;\\"]|(?!\\)\\[;\\"])+(?!\s+)/

? I'm trying to figure out how to fix it allowing negative patterns like in content:!"unwanted" and not to break something else. The most confusing part is (?!\\)\\. Is not it self contradicting?

theY4Kman commented 4 years ago

Hmmm, it's been quite a while since I've visited that pattern. It might very well be a poorly-formed regex :P

In any case, since negation of a value would be semantically significant, I'd try to handle it at the parser level, as opposed to tokenization (which would instead only capture a string containing !"my value").

I threw together a branch doing so — check out PR #2. The main change to the grammar is:

settings: string
        | "!" string   -> negated_settings
        | LITERAL

Then, in the transformer, I convert those negated_settings nodes to a special str subclass; these negated settings strings have a property is_negated, which is true. For compatibility, regular, non-negated settings strings now also have this property (where it's false).

Lemme know if that fits your needs.

Gladskih commented 4 years ago

Nice fix. Thanks. But then I fall into next issue.

theY4Kman commented 3 years ago

I fixed this with #2, and version 0.2.1. By next issue, did you mean another ticket? Or something related to this one?

Gladskih commented 3 years ago

Another