DictQuery cannot parse paths with backslashes #5
Comments
|
Probably something could be wrong with tokenizer. I'll get back to you when I find where problem is |
|
Greetings! I was looking into this behavior, and it seems that the issue is likely caused by the One approach to fixing this would be to add a matcher for file paths, which I provided an example/attempt for within #6. I can verify that once the regex was expanded, I was able to parse the example you provided successfully. Hope this helps isolate the cause, at least! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I'm trying to use sigma's dictquery backend, here:
https://github.com/unqork-external/pySigma-backend-dictquery
Which generated a query that contains a portion that like this:
query1 = "(Image LIKE '\AppData\Local\Temp\')"
When I attempt to compile this:
dq.compile(query1)
I get the following error:
Traceback (most recent call last):
File "", line 1, in
File "/home/tjt7a/.cache/pypoetry/virtualenvs/sigma-cli-NoEUEN38-py3.10/lib/python3.10/site-packages/dictquery/init.py", line 22, in compile
ast = parser.parse(query)
File "/home/tjt7a/.cache/pypoetry/virtualenvs/sigma-cli-NoEUEN38-py3.10/lib/python3.10/site-packages/dictquery/parsers.py", line 198, in parse
return self.orstatement()
File "/home/tjt7a/.cache/pypoetry/virtualenvs/sigma-cli-NoEUEN38-py3.10/lib/python3.10/site-packages/dictquery/parsers.py", line 223, in orstatement
leftval = self.andstatement()
File "/home/tjt7a/.cache/pypoetry/virtualenvs/sigma-cli-NoEUEN38-py3.10/lib/python3.10/site-packages/dictquery/parsers.py", line 233, in andstatement
leftval = self.expression()
File "/home/tjt7a/.cache/pypoetry/virtualenvs/sigma-cli-NoEUEN38-py3.10/lib/python3.10/site-packages/dictquery/parsers.py", line 243, in expression
return self.expr()
File "/home/tjt7a/.cache/pypoetry/virtualenvs/sigma-cli-NoEUEN38-py3.10/lib/python3.10/site-packages/dictquery/parsers.py", line 247, in expr
obj = self.orstatement()
File "/home/tjt7a/.cache/pypoetry/virtualenvs/sigma-cli-NoEUEN38-py3.10/lib/python3.10/site-packages/dictquery/parsers.py", line 223, in orstatement
leftval = self.andstatement()
File "/home/tjt7a/.cache/pypoetry/virtualenvs/sigma-cli-NoEUEN38-py3.10/lib/python3.10/site-packages/dictquery/parsers.py", line 233, in andstatement
leftval = self.expression()
File "/home/tjt7a/.cache/pypoetry/virtualenvs/sigma-cli-NoEUEN38-py3.10/lib/python3.10/site-packages/dictquery/parsers.py", line 243, in expression
return self.expr()
File "/home/tjt7a/.cache/pypoetry/virtualenvs/sigma-cli-NoEUEN38-py3.10/lib/python3.10/site-packages/dictquery/parsers.py", line 258, in expr
if self._accept('LIKE'):
File "/home/tjt7a/.cache/pypoetry/virtualenvs/sigma-cli-NoEUEN38-py3.10/lib/python3.10/site-packages/dictquery/parsers.py", line 213, in _accept
self._advance()
File "/home/tjt7a/.cache/pypoetry/virtualenvs/sigma-cli-NoEUEN38-py3.10/lib/python3.10/site-packages/dictquery/parsers.py", line 201, in _advance
self.tok, self.nexttok = self.nexttok, next(self.tokens, None)
File "/home/tjt7a/.cache/pypoetry/virtualenvs/sigma-cli-NoEUEN38-py3.10/lib/python3.10/site-packages/dictquery/tokenizer.py", line 48, in gen_tokens
raise DQSyntaxError("Unexpected character at pos %d" % match.start())
dictquery.exceptions.DQSyntaxError: Unexpected character at pos 12
Do I have any other options than to translate all occurrences of '\' into '/'?
Thank you,
Tom Tracy II
The text was updated successfully, but these errors were encountered: