Closed theflakes closed 2 years ago
Improved lexing, but really need to go through a lot of Sigma rules to verify correct parsing. "|" in negations may still be a problem
Problem parsing:
https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file_event/sysmon_webshell_creation_detect.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/linux/macos_security_software_discovery.yml
https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/win_lsass_access_non_system_account.yml
Probably need to start at the beginning for the lexical analysis again. Try using a binary tree; will also need to examine not just the condition statement but also the detection section.
See: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml
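The binary-tree approach suggested above, as an added example in Python that is not code from the original project or this issue: a tokenizer and recursive-descent parser for the boolean subset of the Sigma `condition` field (`and`/`or`/`not`, parentheses, `N of pattern`, `all of them`) producing a binary tree of tuples, plus an evaluator that takes which detection-section items matched the event. The pipe-separated aggregation suffix is rejected as unsupported rather than parsed; the item names and the `matched` dict used in the tests are constructed.

```python
import re
from fnmatch import fnmatchcase

TOKEN_RE = re.compile(r"\(|\)|[A-Za-z0-9_*]+")  # parentheses, keywords, counts, names, globs

def tokenize(condition):
    rest = TOKEN_RE.sub("", condition).strip()  # whatever the token regex did not consume
    if rest:
        raise ValueError(f"unsupported text in condition: {rest!r}")
    return TOKEN_RE.findall(condition)

def parse_condition(condition):
    """Binary tree of tuples: ('and'|'or', l, r), ('not', x), ('of', count, glob), ('id', name)."""
    toks = tokenize(condition) + [None]  # None marks end of input; take() never moves past it
    pos = [0]  # cursor shared by the nested parsers below
    def peek(): return toks[pos[0]]
    def take():
        if toks[pos[0]] is None: raise ValueError("unexpected end of condition")
        pos[0] += 1; return toks[pos[0] - 1]
    def binary(op, operand):  # left-associative chain `operand (op operand)*`
        node = operand()
        while peek() == op:
            take(); node = (op, node, operand())
        return node
    def parse_or(): return binary("or", lambda: binary("and", parse_not))  # or < and < not
    def parse_not():
        if peek() == "not":
            take(); return ("not", parse_not())
        tok = take()
        if tok == "(":
            node = parse_or()
            if take() != ")": raise ValueError("missing ')'")
            return node
        if peek() == "of":  # `all of them`, `1 of selection*`
            take(); return ("of", tok, take())
        return ("id", tok)
    tree = parse_or()
    if peek() is not None:
        raise ValueError(f"unexpected token {peek()!r}")
    return tree

def evaluate(node, matched):  # matched: {detection item name: True if it hit the event}
    kind = node[0]
    if kind == "id": return matched[node[1]]
    if kind == "not": return not evaluate(node[1], matched)
    if kind == "and": return evaluate(node[1], matched) and evaluate(node[2], matched)
    if kind == "or": return evaluate(node[1], matched) or evaluate(node[2], matched)
    count, glob = node[1], node[2]
    names = [n for n in matched if glob == "them" or fnmatchcase(n, glob)]
    hits = sum(matched[n] for n in names)
    return hits == len(names) if count == "all" else hits >= int(count)
```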