Merge pull request #16 from SigmaHQ/issue-15

Escape curly brackets
SigmaHQ · Sep 24, 2024 · c77bdc5 · c77bdc5
2 parents 2b63ce2 + 5536914
commit c77bdc5
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 3 deletions.
diff --git a/sigma/backends/crowdstrike/logscale.py b/sigma/backends/crowdstrike/logscale.py
@@ -124,7 +124,7 @@ class LogScaleBackend(TextQueryBackend):
     escape_char_re: ClassVar[str] = "\\"
     wildcard_multi_re: ClassVar[str] = ".*"
     wildcard_single_re: ClassVar[str] = "."
-    add_escaped_re: ClassVar[str] = "*$^.|?()[]+/"
+    add_escaped_re: ClassVar[str] = "*$^.|?()[]+/{}"
     filter_chars_re: ClassVar[str] = ""
     bool_values_re: ClassVar[Dict[bool, str]] = {
         True: "true",

diff --git a/tests/test_backend_logscale.py b/tests/test_backend_logscale.py
@@ -43,12 +43,12 @@ def test_crowdstrikelogscale_special_chars(logscale_backend: LogScaleBackend):
                 product: test_product
             detection:
                 sel:
-                    fieldA: valueA*$^.|?()[]+/
+                    fieldA: valueA*$^.|?()[]+/{}
                 condition: sel
         """
             )
         )
-        == ["fieldA=/^valueA.*\\$\\^\\.\\|.\\(\\)\\[\\]\\+\\/$/i"]
+        == ["fieldA=/^valueA.*\\$\\^\\.\\|.\\(\\)\\[\\]\\+\\/\\{\\}$/i"]
     )