Implementing NOT operation as !=

[barvhaim]

Hello, I am migrating the STIX backend to pySigma, in order to translate rules includes not x, we don't have NOT (x) in the language but we have to modify the eq expression to != instead of =,

sel:
    fieldA: valueA
    fieldB: valueB

so in case of sel, I expect to fieldA = 'valueA' AND fieldB = 'valueB'
and in case of not sel, I expect to fieldA != 'valueA' OR fieldB != 'valueB'

(and the other way around with OR cases)

How do you recommend to do such translation?

we do control the nodes in the Sigmac version (https://github.com/SigmaHQ/sigma/blob/8fa8a7355141b525f5764ad5ff86caf6afc641c7/tools/sigma/backends/stix.py#L143), but wonder what would be the best way to implement that in the new pySigma

[thomaspatzke]

All node conversion methods of a backend have a parameter state (e.g. convert_condition_field_eq_val_str. This is a ConversionState object that contains a processing_state property.

The first step of the solution of your problem would be to add a negation toggle to this property that is set to False at the beginning of the conversion. The best place for this would be the convert_condition method of a backend by overriding it and first adding this property and then calling super().convert_condition(...).

Then you override the convert_condition_not method in a similar way, but now use it to toggle the state.

Finally, you have to override the methods for converting OR, AND and field=value nodes that they use the other operators. This could be done by checking the negation toggle from the state and call the other method (e.g. in convert_condition_and you call convert_condition_or. A boolean parameter with a default value must be added to these methods that causes that they ignore the negation state in these calls, because elsewhere you will run into an endless loop because both methods will call each other.

Replacement of the = operator with != could be accomplished by simply setting eq_token of the backend class to the appropriate value. Not the most elegant way, but it should work 😉

[kelnage]

Hi @barvhaim! We had exactly the same issue when creating the Loki backend for pySigma. We initially took the approach suggested here by @thomaspatzke - which worked, but we found a number of edge cases that caused issues for us. We ended up writing a function that is called before the conversion process runs, which updates the Sigma parse tree rather than trying to handle the negated state on the fly during the conversion. Overall, I found this approach reduced the complexity of our conversion code and made it easier to test - a win on both fronts!

[thomaspatzke]

So we have at least two cases where this was required, so I think it makes sense to add this as option to the backend base class. It makes sense to have a robust implementation of it in the core.

I convert this to an issue and flag it as enhancement request.

[josh-panther]

@kelnage Thank you for your solution, I am writing a backend that also lacks a NOT. Your update_parsed_conditions was invaluable for solving the problem!