Fix: Feature not supported on fieldref modifier

SigmaHQ · Jun 21, 2024 · 44336c9 · 44336c9
1 parent bce36ed
commit 44336c9
Show file tree

Hide file tree

Showing 4 changed files with 51 additions and 2 deletions.
diff --git a/sigma/backends/elasticsearch/elasticsearch_eql.py b/sigma/backends/elasticsearch/elasticsearch_eql.py
@@ -13,8 +13,9 @@
     ConditionNOT,
     ConditionFieldEqualsValueExpression,
 )
-from sigma.types import SigmaCompareExpression, SigmaNull, SpecialChars, SigmaNumber
+from sigma.types import SigmaCompareExpression, SigmaNull, SigmaFieldReference, SpecialChars, SigmaNumber
 from sigma.data.mitre_attack import mitre_attack_tactics, mitre_attack_techniques
+from sigma.exceptions import SigmaFeatureNotSupportedByBackendError
 import ipaddress
 import sigma
 
@@ -222,6 +223,13 @@ def convert_condition_field_eq_expansion(
         else:
             return self.convert_condition_or(cond, state)
 
+    def convert_condition_field_eq_field(
+        self, cond: SigmaFieldReference, state: ConversionState
+    ) -> Any:
+        raise SigmaFeatureNotSupportedByBackendError(
+            "ES Lucene backend can't handle field references."
+        )
+
     def convert_condition_field_eq_val_str(
         self, cond: ConditionFieldEqualsValueExpression, state: ConversionState
     ) -> Union[str, DeferredQueryExpression]:  # pragma: no cover

diff --git a/sigma/backends/elasticsearch/elasticsearch_lucene.py b/sigma/backends/elasticsearch/elasticsearch_lucene.py
@@ -13,8 +13,9 @@
     ConditionNOT,
     ConditionFieldEqualsValueExpression,
 )
-from sigma.types import SigmaCompareExpression, SigmaNull
+from sigma.types import SigmaCompareExpression, SigmaNull, SigmaFieldReference
 from sigma.data.mitre_attack import mitre_attack_tactics, mitre_attack_techniques
+from sigma.exceptions import SigmaFeatureNotSupportedByBackendError
 import sigma
 
 
@@ -188,6 +189,13 @@ def _is_field_null_condition(cond: ConditionItem) -> bool:
             cond.value, SigmaNull
         )
 
+    def convert_condition_field_eq_field(
+        self, cond: SigmaFieldReference, state: ConversionState
+    ) -> Any:
+        raise SigmaFeatureNotSupportedByBackendError(
+            "ES Lucene backend can't handle field references."
+        )
+
     def convert_condition_not(
         self, cond: ConditionNOT, state: ConversionState
     ) -> Union[str, DeferredQueryExpression]:

diff --git a/tests/test_backend_elasticsearch_eql.py b/tests/test_backend_elasticsearch_eql.py
@@ -1,6 +1,7 @@
 import pytest
 from sigma.backends.elasticsearch.elasticsearch_eql import EqlBackend
 from sigma.collection import SigmaCollection
+from sigma.exceptions import SigmaFeatureNotSupportedByBackendError
 
 
 @pytest.fixture(name="eql_backend")
@@ -463,6 +464,22 @@ def test_elasticsearch_eqlapi(eql_backend: EqlBackend):
     result = eql_backend.convert(rule, output_format="eqlapi")
     assert result[0] == {"query": 'any where fieldA:"valueA" and fieldB:"valueB"'}
 
+def test_lucene_reference_query(eql_backend: EqlBackend):
+    with pytest.raises(SigmaFeatureNotSupportedByBackendError, match="ES Lucene backend can't handle field references."):
+        eql_backend.convert(
+            SigmaCollection.from_yaml("""
+                title: Test
+                status: test
+                logsource:
+                    category: test_category
+                    product: test_product
+                detection:
+                    sel:
+                        fieldA|fieldref: somefield
+                    condition: sel
+            """)
+        )
+
 
 def test_elasticsearch_siemrule_eql(eql_backend: EqlBackend):
     """Test for NDJSON output with embedded query string query."""

diff --git a/tests/test_backend_elasticsearch_lucene.py b/tests/test_backend_elasticsearch_lucene.py
@@ -1,6 +1,7 @@
 import pytest
 from sigma.backends.elasticsearch.elasticsearch_lucene import LuceneBackend
 from sigma.collection import SigmaCollection
+from sigma.exceptions import SigmaFeatureNotSupportedByBackendError
 
 
 @pytest.fixture(name="lucene_backend")
@@ -460,6 +461,21 @@ def test_lucene_windash_contains(lucene_backend: LuceneBackend):
         == ["fieldname:(*\\ \\-param\\-name\\ * OR *\\ \\/param\\-name\\ *)"]
     )
 
+def test_lucene_reference_query(lucene_backend: LuceneBackend):
+    with pytest.raises(SigmaFeatureNotSupportedByBackendError, match="ES Lucene backend can't handle field references."):
+        lucene_backend.convert(
+            SigmaCollection.from_yaml("""
+                title: Test
+                status: test
+                logsource:
+                    category: test_category
+                    product: test_product
+                detection:
+                    sel:
+                        fieldA|fieldref: somefield
+                    condition: sel
+            """)
+        )
 
 def test_elasticsearch_ndjson_lucene(lucene_backend: LuceneBackend):
     """Test for NDJSON output with embedded query string query."""