Fix: Added tests for #29

tests/test_backend_elasticsearch_lucene.py

@@ -416,6 +416,25 @@ def test_lucene_angle_brackets(lucene_backend: LuceneBackend):
     ]
 
 
+def test_lucene_keyword_quotation(lucene_backend: LuceneBackend):
+    """Test for DSL output with < or > in the values"""
+    rule = SigmaCollection.from_yaml(
+        r"""
+            title: Test
+            status: test
+            logsource:
+                category: test_category
+                product: test_product
+            detection:
+                keywords:
+                    - 'Failed to generate curve25519 keys'
+                condition: keywords
+        """
+    )
+
+    assert lucene_backend.convert(rule) == [r"*Failed\ to\ generate\ curve25519\ keys*"]
+
+
 def test_lucene_windash(lucene_backend: LuceneBackend):
     """Test for DSL output using windash modifier"""
     assert (
@@ -461,10 +480,15 @@ def test_lucene_windash_contains(lucene_backend: LuceneBackend):
         == ["fieldname:(*\\ \\-param\\-name\\ * OR *\\ \\/param\\-name\\ *)"]
     )
 
+
 def test_lucene_reference_query(lucene_backend: LuceneBackend):
-    with pytest.raises(SigmaFeatureNotSupportedByBackendError, match="ES Lucene backend can't handle field references."):
+    with pytest.raises(
+        SigmaFeatureNotSupportedByBackendError,
+        match="ES Lucene backend can't handle field references.",
+    ):
         lucene_backend.convert(
-            SigmaCollection.from_yaml("""
+            SigmaCollection.from_yaml(
+                """
                 title: Test
                 status: test
                 logsource:
@@ -474,9 +498,11 @@ def test_lucene_reference_query(lucene_backend: LuceneBackend):
                     sel:
                         fieldA|fieldref: somefield
                     condition: sel
-            """)
+            """
+            )
         )
 
+
 def test_elasticsearch_ndjson_lucene(lucene_backend: LuceneBackend):
     """Test for NDJSON output with embedded query string query."""
     rule = SigmaCollection.from_yaml(

tests/test_backend_elasticsearch_lucene_connect.py

@@ -301,6 +301,14 @@ def fixture_prepare_es_data():
             verify=False,
             auth=pytest.es_creds,
         )
+        requests.post(
+            f"{pytest.es_url}/test-index/_doc/",
+            json={"quotationMessage": "Failed to generate curve25519 keys"},
+            timeout=120,
+            verify=False,
+            auth=pytest.es_creds,
+        )
+
         # Wait a bit for Documents to be indexed
         time.sleep(1)
 
@@ -753,8 +761,29 @@ def test_connect_lucene_advanced_quotetest(
         result_dsl = lucene_backend.convert(rule, output_format="dsl_lucene")[0]
         result = self.query_backend_hits(result_dsl, num_wanted=2)
 
-        # Ensure we see only the searched Sysmon.exe Images.
+        # Ensure we see only the searched bitsadmin.exe Images.
         assert all(
             "bitsadmin.exe" in entry["_source"]["Image"]
             for entry in result["hits"]["hits"]
         )
+
+    def test_connect_lucene_keyword_quotation(
+        self, prepare_es_data, lucene_backend: LuceneBackend
+    ):
+        """Test for DSL output with < or > in the values"""
+        rule = SigmaCollection.from_yaml(
+            r"""
+                title: Test
+                status: test
+                logsource:
+                    category: test_category
+                    product: test_product
+                detection:
+                    keywords:
+                        - 'Failed to generate curve25519 keys'
+                    condition: keywords
+            """
+        )
+
+        result_dsl = lucene_backend.convert(rule, output_format="dsl_lucene")[0]
+        self.query_backend_hits(result_dsl, num_wanted=1)