From 81315638b2fed9765568fcbf0a054a63564feac6 Mon Sep 17 00:00:00 2001
From: Nick Moore
Date: Thu, 14 Nov 2024 10:09:28 +0000
Subject: [PATCH] Flip wildcard for `startswith` and `endswith`

When checking `startswith`, the wildcard should be at the end, and v.v. for `endswith`.
---
 sigma/modifiers.py | 4 ++--
 tests/test_modifiers.py | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/sigma/modifiers.py b/sigma/modifiers.py
index d6b33637..3109318b 100644
--- a/sigma/modifiers.py
+++ b/sigma/modifiers.py
@@ -151,7 +151,7 @@ def modify(
             val.regexp = val.regexp + ".*"
             val.compile()
         elif isinstance(val, SigmaFieldReference):
-            val.wildcard_start = SpecialChars.WILDCARD_MULTI
+            val.wildcard_end = SpecialChars.WILDCARD_MULTI
         return val
 
 
@@ -169,7 +169,7 @@ def modify(
             val.regexp = ".*" + val.regexp
             val.compile()
         elif isinstance(val, SigmaFieldReference):
-            val.wildcard_end = SpecialChars.WILDCARD_MULTI
+            val.wildcard_start = SpecialChars.WILDCARD_MULTI
         return val
 
 
diff --git a/tests/test_modifiers.py b/tests/test_modifiers.py
index 5a82e915..06742f19 100644
--- a/tests/test_modifiers.py
+++ b/tests/test_modifiers.py
@@ -430,14 +430,14 @@ def test_fieldref_startswith(dummy_detection_item):
         SigmaStartswithModifier(dummy_detection_item, [SigmaFieldReferenceModifier]).modify(
             fieldref
         )
-    ) == SigmaFieldReference("field", SpecialChars.WILDCARD_MULTI, None)
+    ) == SigmaFieldReference("field", None, SpecialChars.WILDCARD_MULTI)
 
 
 def test_fieldref_endswith(dummy_detection_item):
     fieldref = SigmaFieldReferenceModifier(dummy_detection_item, []).modify(SigmaString("field"))
     assert (
         SigmaEndswithModifier(dummy_detection_item, [SigmaFieldReferenceModifier]).modify(fieldref)
-    ) == SigmaFieldReference("field", None, SpecialChars.WILDCARD_MULTI)
+    ) == SigmaFieldReference("field", SpecialChars.WILDCARD_MULTI, None)
 
 
 def test_fieldref_wildcard(dummy_detection_item):
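Review bot: The new line `val.wildcard_end = SpecialChars.WILDCARD_MULTI` in the first modifiers.py hunk carries no comment saying why the wildcard belongs on that side, which is precisely the detail the commit message says was inverted before and is easy to flip again in a later edit; a one-line why-comment would pin it, e.g. `# startswith: the referenced field's value is a prefix, so the wildcard goes at the end`. The orientation now agrees with the regular-expression branch three lines up, which appends `.*` to `val.regexp` for the same modifier. Because a wrong side silently turns a prefix match into a suffix match in every rule compiled with `|fieldref|startswith`, naming that consequence in the comment would help the next reviewer. The enclosing `modify` method starts and ends outside this hunk.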
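Review bot: In the second modifiers.py hunk `val.wildcard_start = SpecialChars.WILDCARD_MULTI` is assigned without touching `wildcard_end`, so a field reference that already carries the opposite wildcard keeps both; whether a wildcard on both sides (effectively a contains match) is intended when modifiers are stacked, or should be rejected, is not visible in this hunk. It is worth either a comment stating that stacking is allowed, e.g. `# does not clear wildcard_end: a reference may legitimately carry both`, or a test pinning the stacked case so the behaviour is deliberate rather than accidental. The side chosen now matches the regular-expression branch above, which prepends `.*` to `val.regexp` for endswith. The enclosing `modify` method starts and ends outside this hunk.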
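Review bot: Both corrected expectations in the test hunk build the expected value positionally, `SigmaFieldReference("field", None, SpecialChars.WILDCARD_MULTI)`, which is the same shape that let the previous, inverted expectations pass review unnoticed; passing the two wildcard slots by keyword (the parameter names are not visible here, presumably the start/end wildcard fields) would make each assertion say which end is meant and fail loudly if the constructor's parameter order ever changes. A one-line comment per test such as `# startswith => trailing wildcard: field*` and `# endswith => leading wildcard: *field` would document the intent for readers who do not know the argument order. `test_fieldref_startswith` starts before this hunk and `test_fieldref_wildcard` continues after it.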