Closed theflakes closed 3 years ago
See results of parsing Sigma rule: Malicious PE Execution by Microsoft Visual Studio Debugger
detection:
  selection:
    ParentImage|endswith: '\vsjitdebugger.exe'
  reduction1:
    ChildImage|endswith: '\vsimmersiveactivatehelper*.exe'
  reduction2:
    ChildImage|endswith: '\devenv.exe'
  condition: selection and not (reduction1 or reduction2)
The problem was not the lexer but that I wasn't clearing the "all_logic" array in the outer logic-builder loop, which is used to ensure duplicate logic isn't used in a rule. Found in the "handle_logic_paths" def.
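To make the expected result of parsing this rule concrete, here is a small added example (not code from this issue or from the project being discussed) that parses the quoted condition `selection and not (reduction1 or reduction2)` into a tree and evaluates it against a few constructed process-creation events. It keeps the field names exactly as the issue writes them (`ChildImage` rather than Sigma's usual `Image`), treats `*` inside `endswith` as a wildcard, matches case-insensitively as Sigma does, and holds no state between rules, so nothing like the `all_logic` list from the comment above can leak from one rule into the next. The event contents and file paths are made up for the example.

```python
"""Added example: evaluate the Sigma rule quoted in the issue over constructed events."""
import fnmatch
import re

# The detection block exactly as quoted in the issue (field names as written there).
RULE = {
    "selection": {"ParentImage|endswith": r"\vsjitdebugger.exe"},
    "reduction1": {"ChildImage|endswith": r"\vsimmersiveactivatehelper*.exe"},
    "reduction2": {"ChildImage|endswith": r"\devenv.exe"},
}
CONDITION = "selection and not (reduction1 or reduction2)"

TOKEN_RE = re.compile(r"\(|\)|[A-Za-z_][A-Za-z0-9_]*")


def parse_condition(text):
    """Recursive-descent parser for the subset used here: identifiers, and, or, not, parentheses.
    Precedence is not > and > or, so 'a and not (b or c)' becomes (and a (not (or b c)))."""
    tokens = TOKEN_RE.findall(text)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of condition")
        tok = tokens[pos]
        pos += 1
        return tok

    def expr():
        node = term()
        while peek() == "or":
            take()
            node = ("or", node, term())
        return node

    def term():
        node = factor()
        while peek() == "and":
            take()
            node = ("and", node, factor())
        return node

    def factor():
        tok = take()
        if tok == "not":
            return ("not", factor())
        if tok == "(":
            node = expr()
            if take() != ")":
                raise ValueError("unbalanced parentheses")
            return node
        if tok in ("and", "or", ")"):
            raise ValueError(f"unexpected token {tok!r}")
        return ("id", tok)

    tree = expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens in condition")
    return tree


def field_matches(modifier, pattern, value):
    """Sigma string matching is case-insensitive; '*' stays a wildcard inside the modifiers."""
    v = (value or "").lower()
    p = pattern.lower()
    if modifier == "endswith":
        return fnmatch.fnmatchcase(v, "*" + p)
    if modifier == "startswith":
        return fnmatch.fnmatchcase(v, p + "*")
    if modifier == "contains":
        return fnmatch.fnmatchcase(v, "*" + p + "*")
    return fnmatch.fnmatchcase(v, p)  # no modifier: whole-value match


def search_matches(search, event):
    """A Sigma map is a conjunction: every field/value pair must match."""
    for key, pattern in search.items():
        field, _, modifier = key.partition("|")
        if not field_matches(modifier, pattern, event.get(field)):
            return False
    return True


def evaluate(tree, rule, event):
    op = tree[0]
    if op == "id":
        if tree[1] not in rule:
            raise KeyError(f"unknown search identifier {tree[1]!r}")
        return search_matches(rule[tree[1]], event)
    if op == "not":
        return not evaluate(tree[1], rule, event)
    if op == "and":
        return evaluate(tree[1], rule, event) and evaluate(tree[2], rule, event)
    if op == "or":
        return evaluate(tree[1], rule, event) or evaluate(tree[2], rule, event)
    raise ValueError(op)


def rule_matches(rule, condition, event):
    return evaluate(parse_condition(condition), rule, event)


# Constructed sample events (paths and names are made up for this example).
EVENTS = [
    {"ParentImage": r"C:\Windows\System32\vsjitdebugger.exe",
     "ChildImage": r"C:\Users\alice\Downloads\payload.exe"},          # should alert
    {"ParentImage": r"C:\Windows\System32\vsjitdebugger.exe",
     "ChildImage": r"C:\VS\Common7\IDE\devenv.exe"},                  # reduction2
    {"ParentImage": r"C:\Windows\System32\vsjitdebugger.exe",
     "ChildImage": r"C:\VS\Common7\IDE\VSImmersiveActivateHelper.exe"},  # reduction1
    {"ParentImage": r"C:\Windows\explorer.exe",
     "ChildImage": r"C:\Users\alice\Downloads\payload.exe"},          # no selection
]

if __name__ == "__main__":
    print(parse_condition(CONDITION))
    for ev in EVENTS:
        print(rule_matches(RULE, CONDITION, ev), ev["ChildImage"])
```

Running it prints the tree `('and', ('id', 'selection'), ('not', ('or', ('id', 'reduction1'), ('id', 'reduction2'))))` followed by one boolean per event; only the first event, the debugger spawning an unknown executable, evaluates to true.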