fix keywords bug and add comments (opensearch-project#964)
Signed-off-by: Joanne Wang <[email protected]>
jowg-amazon authored Apr 3, 2024
1 parent 901eb26 commit 0507239
Showing 1 changed file with 16 additions and 8 deletions.
Expand Up @@ -381,10 +381,16 @@ public Object convertConditionFieldEqValQueryExpr(ConditionFieldEqualsValueExpre
return null;
}*/

/**
* Method used when structure of Sigma Rule does not have a field associated with the condition item and the value
* is a SigmaString type
* Ex:
* condition: selection_1
* selection1:
* - keyword1
*/
@Override
public Object convertConditionValStr(ConditionValueExpression condition, boolean applyDeMorgans) throws SigmaValueError {
String field = getFinalValueField();
ruleQueryFields.put(field, Map.of("type", "text", "analyzer", "rule_analyzer"));
SigmaString value = (SigmaString) condition.getValue();
boolean containsWildcard = value.containsWildcard();
String exprWithDeMorgansApplied = this.notToken + " " + "%s";
Expand All @@ -397,6 +403,10 @@ public Object convertConditionValStr(ConditionValueExpression condition, boolean
return conditionValStr;
}

/**
* Method used when structure of Sigma Rule does not have a field associated with the condition item and the value
* is a SigmaNumber type
*/
@Override
public Object convertConditionValNum(ConditionValueExpression condition, boolean applyDeMorgans) {
String exprWithDeMorgansApplied = this.notToken + " " + "%s";
Expand All @@ -407,6 +417,10 @@ public Object convertConditionValNum(ConditionValueExpression condition, boolean
return conditionValNum;
}

/**
* Method used when structure of Sigma Rule does not have a field associated with the condition item and the value
* is a SigmaRegularExpression type
*/
@Override
public Object convertConditionValRe(ConditionValueExpression condition, boolean applyDeMorgans) {
String exprWithDeMorgansApplied = this.notToken + " " + "%s";
Expand Down Expand Up @@ -516,12 +530,6 @@ private String getFinalField(String field) {
return this.getMappedField(field);
}

private String getFinalValueField() {
String field = "_" + valExpCount;
valExpCount++;
return field;
}

public static class AggregationQueries implements Writeable, ToXContentObject {
private static final String AGG_QUERY = "aggQuery";
private static final String BUCKET_TRIGGER_QUERY = "bucketTriggerQuery";
Expand Down
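Review bot: The example in the new Javadoc on convertConditionValStr is internally inconsistent: the condition references `selection_1` while the selection block is named `selection1`, so a reader copying the sample would get a rule whose condition resolves nothing; the block should read `* selection_1:`. The same header sentence is repeated on convertConditionValNum and convertConditionValRe, and all three then build the identical `this.notToken + " " + "%s"` prefix, which could live in one private helper or constant so a later change to the negation token cannot drift between the three paths. From the hunk counts it looks like the "keywords bug" fix is that convertConditionValStr no longer registers a synthetic `_N` field via the deleted getFinalValueField, which is worth one sentence in its Javadoc so the next maintainer knows keyword values are no longer tracked in ruleQueryFields; I am inferring that from the addition/deletion counts rather than seeing it, so please confirm. All three method bodies continue past their hunks.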
