diff --git a/tests/test_backend_elasticsearch_lucene.py b/tests/test_backend_elasticsearch_lucene.py
index 0dcb6df..a6f90a3 100644
--- a/tests/test_backend_elasticsearch_lucene.py
+++ b/tests/test_backend_elasticsearch_lucene.py
@@ -416,6 +416,25 @@ def test_lucene_angle_brackets(lucene_backend: LuceneBackend):
 ]
+def test_lucene_keyword_quotation(lucene_backend: LuceneBackend):
+ """Test for DSL output with < or > in the values"""
+ rule = SigmaCollection.from_yaml(
+ r"""
+ title: Test
+ status: test
+ logsource:
+ category: test_category
+ product: test_product
+ detection:
+ keywords:
+ - 'Failed to generate curve25519 keys'
+ condition: keywords
+ """
+ )
+
+ assert lucene_backend.convert(rule) == [r"*Failed\ to\ generate\ curve25519\ keys*"]
+
+
 def test_lucene_windash(lucene_backend: LuceneBackend):
+ """Test for DSL output using windash modifier"""
+ assert (
@@ -461,10 +480,15 @@ def test_lucene_windash_contains(lucene_backend: LuceneBackend):
 == ["fieldname:(*\\ \\-param\\-name\\ * OR *\\ \\/param\\-name\\ *)"]
 )
+
 def test_lucene_reference_query(lucene_backend: LuceneBackend):
- with pytest.raises(SigmaFeatureNotSupportedByBackendError, match="ES Lucene backend can't handle field references."):
+ with pytest.raises(
+ SigmaFeatureNotSupportedByBackendError,
+ match="ES Lucene backend can't handle field references.",
+ ):
 lucene_backend.convert(
- SigmaCollection.from_yaml("""
+ SigmaCollection.from_yaml(
+ """
 title: Test
 status: test
 logsource:
@@ -474,9 +498,11 @@ def test_lucene_reference_query(lucene_backend: LuceneBackend):
 sel:
 fieldA|fieldref: somefield
 condition: sel
- """)
+ """
+ )
 )
+
 def test_elasticsearch_ndjson_lucene(lucene_backend: LuceneBackend):
 """Test for NDJSON output with embedded query string query."""
 rule = SigmaCollection.from_yaml(
diff --git a/tests/test_backend_elasticsearch_lucene_connect.py b/tests/test_backend_elasticsearch_lucene_connect.py
index eab0df2..c0d6e1e 100644
--- a/tests/test_backend_elasticsearch_lucene_connect.py
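Review bot: The docstring of the new test_lucene_keyword_quotation, `"""Test for DSL output with < or > in the values"""`, does not describe this test: the keyword value contains no angle brackets, and the assertion pins that the spaces in `Failed to generate curve25519 keys` are backslash-escaped rather than the value being quoted. It appears to have been carried over from the neighbouring test_lucene_angle_brackets named in the hunk header. Replace it with `"""Keyword search whose value contains spaces: each space is escaped, the value is not quoted."""`, which also explains why a test named "quotation" expects output without quotes. The same docstring is reused for test_connect_lucene_keyword_quotation in tests/test_backend_elasticsearch_lucene_connect.py further down and should be corrected there too.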
+++ b/tests/test_backend_elasticsearch_lucene_connect.py
@@ -301,6 +301,14 @@ def fixture_prepare_es_data():
 verify=False,
 auth=pytest.es_creds,
 )
+ requests.post(
+ f"{pytest.es_url}/test-index/_doc/",
+ json={"quotationMessage": "Failed to generate curve25519 keys"},
+ timeout=120,
+ verify=False,
+ auth=pytest.es_creds,
+ )
+
 # Wait a bit for Documents to be indexed
 time.sleep(1)
@@ -753,8 +761,29 @@ def test_connect_lucene_advanced_quotetest(
 result_dsl = lucene_backend.convert(rule, output_format="dsl_lucene")[0]
 result = self.query_backend_hits(result_dsl, num_wanted=2)
- # Ensure we see only the searched Sysmon.exe Images.
+ # Ensure we see only the searched bitsadmin.exe Images.
 assert all(
 "bitsadmin.exe" in entry["_source"]["Image"]
 for entry in result["hits"]["hits"]
 )
+
+
+ def test_connect_lucene_keyword_quotation(
+ self, prepare_es_data, lucene_backend: LuceneBackend
+ ):
+ """Test for DSL output with < or > in the values"""
+ rule = SigmaCollection.from_yaml(
+ r"""
+ title: Test
+ status: test
+ logsource:
+ category: test_category
+ product: test_product
+ detection:
+ keywords:
+ - 'Failed to generate curve25519 keys'
+ condition: keywords
+ """
+ )
+
+ result_dsl = lucene_backend.convert(rule, output_format="dsl_lucene")[0]
+ self.query_backend_hits(result_dsl, num_wanted=1)
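Review bot: The document added to fixture_prepare_es_data carries no hint of which test depends on it, although its value is exactly what the new test_connect_lucene_keyword_quotation later in this file searches for with num_wanted=1. A one-line comment above the call, `# Document for test_connect_lucene_keyword_quotation: a keyword value containing spaces`, ties the fixture data to its consumer so that a later edit of either side does not silently break the other. fixture_prepare_es_data starts and ends outside the hunk.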
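Review bot: test_connect_lucene_keyword_quotation discards the return value of self.query_backend_hits on its last line and so checks only the hit count through num_wanted=1; unlike test_connect_lucene_advanced_quotetest directly above, it never verifies that the hit is the document the fixture indexed. Keeping the result and checking the field makes the test fail when the query matches some other document with the right count: `result = self.query_backend_hits(result_dsl, num_wanted=1)` followed by `assert result["hits"]["hits"][0]["_source"]["quotationMessage"] == "Failed to generate curve25519 keys"` (the fixture stores the value under `quotationMessage`, and the test above reads hits through the same `["hits"]["hits"]` path). Whether query_backend_hits asserts on num_wanted itself is not visible in the hunk; if it only waits for that many hits, the count check should be made explicit here as well.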