Recent commits break escaping of paths for some rules

[mcjon3z]

Since yesterday, the resultant XML file will no longer load properly and crashes Wazuh manager. It appears that this is due to a handful of rules that are no longer properly escaping backslashes in file paths, resulting in improper pcre2 regex. As an example, rule bdd8157d-8e85-4397-bb82-f06cc9c71dbb contains the following:

        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)^C:\Program Files\Internet Explorer\IEInstal.exe$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)C:\\+Users\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)consent\.exe</field>

[theflakes]

thanks, another reversion from messing with the OR logic parsing, should be ok now but no promises

[mcjon3z]

Yep, that got it working on my end. Thanks!

[theflakes]

cool and thanks for letting me know