Additional CIDR expression template variables

SigmaHQ · Jul 25, 2022 · e02311b · e02311b
1 parent 90f065d
commit e02311b
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 3 deletions.
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "pySigma"
-version = "0.7.0"
+version = "0.7.1"
 license = "LGPL-2.1-only"
 description = "Sigma rule processing and conversion tools"
 authors = ["Thomas Patzke <[email protected]>"]

diff --git a/sigma/conversion/base.py b/sigma/conversion/base.py
@@ -405,7 +405,7 @@ class variables. If this is not sufficient, the respective methods can be implem
 
     # CIDR expressions: define CIDR matching if backend has native support. Else pySigma expands
     # CIDR values into string wildcard matches.
-    cidr_expression : ClassVar[Optional[str]] = None    # CIDR expression query as format string with placeholders {field} = {value}
+    cidr_expression : ClassVar[Optional[str]] = None    # CIDR expression query as format string with placeholders {field}, {value} (the whole CIDR value), {network} (network part only), {prefixlen} (length of network mask prefix) and {netmask} (CIDR network mask only)
 
     # Numeric comparison operators
     compare_op_expression : ClassVar[Optional[str]] = None      # Compare operation query as format string with placeholders {field}, {operator} and {value}
@@ -685,7 +685,7 @@ def convert_condition_field_eq_val_cidr(self, cond : ConditionFieldEqualsValueEx
         """Conversion of field matches CIDR value expressions."""
         cidr : SigmaCIDRExpression = cond.value
         if self.cidr_expression is not None:        # native CIDR support from backend with expression templates.
-            return self.cidr_expression.format(field=cond.field, value=str(cidr.network))
+            return self.cidr_expression.format(field=cond.field, value=str(cidr.network), network=cidr.network.network_address, prefixlen=cidr.network.prefixlen, netmask=cidr.network.netmask)
         else:                                       # No native CIDR support: expand into string wildcard matches on prefixes.
             expanded = cidr.expand(self.wildcard_multi)
             expanded_cond = ConditionOR([

diff --git a/tests/test_conversion_base.py b/tests/test_conversion_base.py
@@ -452,6 +452,37 @@ def test_convert_value_cidr_wildcard_native(test_backend):
         """)
     ) == ['cidrmatch(\'mappedA\', "192.168.0.0/14") and cidrmatch(\'field A\', "192.168.0.0/14")']
 
+def test_convert_value_cidr_wildcard_native_template_network_prefixlen(test_backend, monkeypatch):
+    monkeypatch.setattr(test_backend, "cidr_expression", "cidrmatch('{field}', '{network}', {prefixlen})")
+    assert test_backend.convert(
+        SigmaCollection.from_yaml("""
+            title: Test
+            status: test
+            logsource:
+                category: test_category
+                product: test_product
+            detection:
+                sel:
+                    fieldA|cidr: 192.168.0.0/14
+                condition: sel
+        """)
+    ) == ["cidrmatch('mappedA', '192.168.0.0', 14)"]
+
+def test_convert_value_cidr_wildcard_native_template_network_netmask(test_backend, monkeypatch):
+    monkeypatch.setattr(test_backend, "cidr_expression", "cidrmatch('{field}', '{network}', '{netmask}')")
+    assert test_backend.convert(
+        SigmaCollection.from_yaml("""
+            title: Test
+            status: test
+            logsource:
+                category: test_category
+                product: test_product
+            detection:
+                sel:
+                    fieldA|cidr: 192.168.0.0/14
+                condition: sel
+        """)
+    ) == ["cidrmatch('mappedA', '192.168.0.0', '255.252.0.0')"]
 
 def test_convert_value_cidr_wildcard_expression(test_backend, monkeypatch):
     monkeypatch.setattr(test_backend, "cidr_expression", None)