Add exists modifier support (#16)

jopohl · web-flow · commit 8406d51c9c84 · 2025-01-16T13:01:30.000+01:00
fix #15
diff --git a/README.md b/README.md
@@ -10,7 +10,7 @@ A Rust library for parsing and evaluating Sigma rules to create custom detection
 ## Features
 
 - Supports the [Sigma condition](https://sigmahq.io/docs/basics/conditions.html) syntax using Pratt parsing
-- Supports all [Sigma field modifiers](https://sigmahq.io/docs/basics/modifiers.html) except `expand` and `exists`
+- Supports all [Sigma field modifiers](https://sigmahq.io/docs/basics/modifiers.html) except `expand`
 - Written in 100% safe Rust
 - Daily automated security audit of dependencies
 - Extensive test suite
diff --git a/src/error.rs b/src/error.rs
@@ -26,6 +26,12 @@ pub enum ParserError {
     )]
     StandaloneViolation(String),
 
+    #[error("The 'exists' modifier must not be combined with any other modifiers")]
+    ExistsNotStandalone(),
+
+    #[error("The 'exists' modifier requires a single boolean value")]
+    InvalidValueForExists(),
+
     #[error("Failed to parse IP address '{0}': '{1}'")]
     IPParsing(String, String),
 
diff --git a/src/field.rs b/src/field.rs
@@ -89,6 +89,17 @@ impl Field {
             return Err(ParserError::EmptyValues(self.name.to_string()));
         }
 
+        if self.modifier.exists.is_some() {
+            if self.values.len() != 1 {
+                return Err(ParserError::InvalidValueForExists());
+            }
+            if let FieldValue::Boolean(b) = self.values[0] {
+                self.modifier.exists = Some(b);
+            } else {
+                return Err(ParserError::InvalidValueForExists());
+            }
+        }
+
         match self.modifier.match_modifier {
             Some(MatchModifier::Contains)
             | Some(MatchModifier::StartsWith)
@@ -175,44 +186,52 @@ impl Field {
     }
 
     pub(crate) fn evaluate(&self, event: &Event) -> bool {
-        if let Some(EventValue::Value(target)) = event.get(&self.name) {
-            if self.values.is_empty() {
-                // self.values should never be empty.
-                // But, if it somehow happens we must return true, because
-                //      1. the key exists in the event, and
-                //      2. the field has no further conditions defined
-                return true;
-            }
+        let Some(event_value) = event.get(&self.name) else {
+            return matches!(self.modifier.exists, Some(false));
+        };
+
+        if matches!(self.modifier.exists, Some(true)) {
+            return true;
+        };
 
-            let target = conditional_lowercase!(target, self.modifier.cased);
+        let EventValue::Value(target) = event_value else {
+            // We currently do not support matching against lists and hashmaps, see
+            // https://github.com/jopohl/sigma-rust/issues/9
+            return false;
+        };
 
-            for val in self.values.iter() {
-                let cmp = if self.modifier.fieldref {
-                    if let Some(EventValue::Value(value)) =
-                        event.get(val.value_to_string().as_str())
-                    {
-                        conditional_lowercase!(value, self.modifier.cased)
-                    } else {
-                        continue;
-                    }
+        if self.values.is_empty() {
+            // self.values should never be empty.
+            // But, if it somehow happens we must return true, because
+            //      1. the key exists in the event, and
+            //      2. the field has no further conditions defined
+            return true;
+        }
+
+        let target = conditional_lowercase!(target, self.modifier.cased);
+
+        for val in self.values.iter() {
+            let cmp = if self.modifier.fieldref {
+                if let Some(EventValue::Value(value)) = event.get(val.value_to_string().as_str()) {
+                    conditional_lowercase!(value, self.modifier.cased)
                 } else {
-                    conditional_lowercase!(val, self.modifier.cased)
-                };
-
-                let fired = self.compare(target, cmp);
-                if fired && !self.modifier.match_all {
-                    return true;
-                } else if !fired && self.modifier.match_all {
-                    return false;
+                    continue;
                 }
+            } else {
+                conditional_lowercase!(val, self.modifier.cased)
+            };
+
+            let fired = self.compare(target, cmp);
+            if fired && !self.modifier.match_all {
+                return true;
+            } else if !fired && self.modifier.match_all {
+                return false;
             }
-            // After the loop, there are two options:
-            // 1. match_all = false: no condition fired  => return false
-            // 2. match_all = true: all conditions fired => return true
-            self.modifier.match_all
-        } else {
-            false
         }
+        // After the loop, there are two options:
+        // 1. match_all = false: no condition fired  => return false
+        // 2. match_all = true: all conditions fired => return true
+        self.modifier.match_all
     }
 }
 
@@ -551,10 +570,42 @@ mod tests {
         assert!(field.evaluate(&event));
     }
 
+    #[test]
+    fn test_empty_values() {
+        let values: Vec<FieldValue> = vec![];
+        let err = Field::new("test|contains", values).unwrap_err();
+        assert!(matches!(err, ParserError::EmptyValues(a) if a == "test"));
+    }
+
     #[test]
     fn test_invalid_contains() {
         let values: Vec<FieldValue> = vec![FieldValue::from("ok"), FieldValue::Int(5)];
         let err = Field::new("test|contains", values).unwrap_err();
         assert!(matches!(err, ParserError::InvalidValueForStringModifier(_)));
     }
+
+    #[test]
+    fn test_parse_exists_modifier() {
+        let values: Vec<FieldValue> = vec![FieldValue::from(true)];
+        let field = Field::new("test|exists", values).unwrap();
+        assert!(field.modifier.exists.unwrap());
+
+        let values: Vec<FieldValue> = vec![FieldValue::from(false)];
+        let field = Field::new("test|exists", values).unwrap();
+        assert!(!field.modifier.exists.unwrap());
+    }
+
+    #[test]
+    fn test_parse_exists_modifier_invalid_values() {
+        let values_vec: Vec<Vec<FieldValue>> = vec![
+            vec![FieldValue::from("not a boolean")],
+            vec![FieldValue::from("something"), FieldValue::Float(5.0)],
+            vec![FieldValue::from(true), FieldValue::from(true)],
+        ];
+
+        for values in values_vec {
+            let err = Field::new("test|exists", values).unwrap_err();
+            assert!(matches!(err, ParserError::InvalidValueForExists()));
+        }
+    }
 }
diff --git a/src/field/modifier.rs b/src/field/modifier.rs
@@ -31,11 +31,12 @@ pub enum ValueTransformer {
     Windash,
 }
 
-#[derive(Debug, Default)]
+#[derive(Debug, Default, PartialEq)]
 pub struct Modifier {
     pub(crate) match_all: bool,
     pub(crate) fieldref: bool,
     pub(crate) cased: bool,
+    pub(crate) exists: Option<bool>,
     pub(crate) match_modifier: Option<MatchModifier>,
     pub(crate) value_transformer: Option<ValueTransformer>,
 }
@@ -73,6 +74,12 @@ impl FromStr for Modifier {
                 result.cased = true;
                 continue;
             }
+            if s == "exists" {
+                // The real value of the exists modifier will be set during field parsing
+                // because it is the field value and here we only parse the field name.
+                result.exists = Some(bool::default());
+                continue;
+            }
 
             if let Ok(match_modifier) = MatchModifier::from_str(&s) {
                 if let Some(m) = result.match_modifier {
@@ -139,6 +146,17 @@ impl FromStr for Modifier {
             ));
         }
 
+        if result.exists.is_some() {
+            let tmp = Self {
+                exists: Some(bool::default()),
+                ..Default::default()
+            };
+
+            if result != tmp {
+                return Err(Self::Err::ExistsNotStandalone());
+            };
+        }
+
         Ok(result)
     }
 }
@@ -206,4 +224,16 @@ mod test {
             ParserError::ConflictingModifiers(ref a, ref b) if a == "cidr" && b == "re",
         ));
     }
+
+    #[test]
+    fn test_exists_modifier() {
+        let modifier = Modifier::from_str("fieldname|exists").unwrap();
+        assert!(modifier.exists.is_some());
+    }
+
+    #[test]
+    fn test_conflicting_exists_modifier() {
+        let err = Modifier::from_str("fieldname|all|exists").unwrap_err();
+        assert!(matches!(err, ParserError::ExistsNotStandalone()));
+    }
 }
diff --git a/tests/json_events.rs b/tests/json_events.rs
@@ -163,4 +163,46 @@ fn test_match_fieldref() {
 
     let rule = rule_from_yaml(matching_rule).unwrap();
     assert!(check_rule(&rule, &event));
+
+    let not_matching_rule = r#"
+    title: Fieldref test
+    logsource:
+    detection:
+        selection:
+            Image|fieldref: field_not_in_event
+        condition: selection"#;
+
+    let rule = rule_from_yaml(not_matching_rule).unwrap();
+    assert!(!check_rule(&rule, &event));
+}
+
+#[cfg(feature = "serde_json")]
+#[test]
+fn test_nested_exists() {
+    let event: Event = json!({
+        "Image": "testing",
+        "User": {
+            "Name": {
+                "First": ["Chuck"],
+                "Last": "Norris",
+            },
+            "Mobile.phone": "1",
+            "Age": 42,
+            "SomeName": "Chuck",
+        },
+        "reference": "test",
+    })
+    .try_into()
+    .unwrap();
+
+    let matching_rule = r#"
+        title: Nested exists test
+        logsource:
+        detection:
+            selection:
+                User.Name.First|exists: true
+            condition: selection"#;
+
+    let rule = rule_from_yaml(matching_rule).unwrap();
+    assert!(check_rule(&rule, &event));
 }
diff --git a/tests/matching.rs b/tests/matching.rs
@@ -161,3 +161,28 @@ fn test_match_cased_windash() {
     assert!(!rule.is_match(&event_2));
     assert!(rule.is_match(&event_3));
 }
+
+#[test]
+fn test_match_exists_modifier() {
+    let yaml = r#"
+        title: Existential test
+        logsource:
+        detection:
+            selection:
+                Image|exists: true
+                OriginalFileName|exists: false
+            condition: selection
+    "#;
+
+    let rule = rule_from_yaml(yaml).unwrap();
+    let event_1 = Event::from([("Image", "C:\\rundll32.exe")]);
+    let event_2 = Event::from([
+        ("Image", "C:\\rundll32.exe"),
+        ("OriginalFileName", "RUNDLL32.EXE"),
+    ]);
+    let event_3 = Event::from([("SomeField", "SomeValue")]);
+
+    assert!(rule.is_match(&event_1));
+    assert!(!rule.is_match(&event_2));
+    assert!(!rule.is_match(&event_3));
+}
