fix: resolve failed tests for tuned windash modifier

SigmaHQ · Aug 26, 2024 · 43fb3ba · 43fb3ba
1 parent c431055
commit 43fb3ba
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 7 deletions.
diff --git a/tests/test_backend_elasticsearch_eql.py b/tests/test_backend_elasticsearch_eql.py
@@ -418,7 +418,9 @@ def test_elasticsearch_eql_windash(eql_backend: EqlBackend):
         """
             )
         )
-        == ['any where fieldname like~ ("-param-name", "/param-name")']
+        == [
+            'any where fieldname like~ ("-param-name", "/param-name", "–param-name", "—param-name", "―param-name")'
+        ]
     )
 
 
@@ -440,7 +442,7 @@ def test_elasticsearch_eql_windash_contains(eql_backend: EqlBackend):
         """
             )
         )
-        == ['any where fieldname like~ ("*-param-name*", "*/param-name*")']
+        == ['any where fieldname like~ ("*-param-name*", "*/param-name*", "*–param-name*", "*—param-name*", "*―param-name*")']
     )
 
 
@@ -464,10 +466,15 @@ def test_elasticsearch_eqlapi(eql_backend: EqlBackend):
     result = eql_backend.convert(rule, output_format="eqlapi")
     assert result[0] == {"query": 'any where fieldA:"valueA" and fieldB:"valueB"'}
 
+
 def test_lucene_reference_query(eql_backend: EqlBackend):
-    with pytest.raises(SigmaFeatureNotSupportedByBackendError, match="ES Lucene backend can't handle field references."):
+    with pytest.raises(
+        SigmaFeatureNotSupportedByBackendError,
+        match="ES Lucene backend can't handle field references.",
+    ):
         eql_backend.convert(
-            SigmaCollection.from_yaml("""
+            SigmaCollection.from_yaml(
+                """
                 title: Test
                 status: test
                 logsource:
@@ -477,7 +484,8 @@ def test_lucene_reference_query(eql_backend: EqlBackend):
                     sel:
                         fieldA|fieldref: somefield
                     condition: sel
-            """)
+            """
+            )
         )
 
 

diff --git a/tests/test_backend_elasticsearch_lucene.py b/tests/test_backend_elasticsearch_lucene.py
@@ -454,7 +454,9 @@ def test_lucene_windash(lucene_backend: LuceneBackend):
         """
             )
         )
-        == ["fieldname:(\\-param\\-name OR \\/param\\-name)"]
+        == [
+            "fieldname:(\\-param\\-name OR \\/param\\-name OR –param\\-name OR —param\\-name OR ―param\\-name)"
+        ]
     )
 
 
@@ -477,7 +479,9 @@ def test_lucene_windash_contains(lucene_backend: LuceneBackend):
         """
             )
         )
-        == ["fieldname:(*\\ \\-param\\-name\\ * OR *\\ \\/param\\-name\\ *)"]
+        == [
+            "fieldname:(*\\ \\-param\\-name\\ * OR *\\ \\/param\\-name\\ * OR *\\ –param\\-name\\ * OR *\\ —param\\-name\\ * OR *\\ ―param\\-name\\ *)"
+        ]
     )
-Original file line number
+Diff line change
@@ Expand Up / @@ -454,7 +454,9 @@ def test_lucene_windash(lucene_backend: LuceneBackend): @@
             """
                 )
             )
-            == ["fieldname:(\\-param\\-name OR \\/param\\-name)"]
+            == [
+                "fieldname:(\\-param\\-name OR \\/param\\-name OR –param\\-name OR —param\\-name OR ―param\\-name)"
+            ]
         )
@@ Expand All @@
             """
                 )
             )
-            == ["fieldname:(*\\ \\-param\\-name\\ * OR *\\ \\/param\\-name\\ *)"]
+            == [
+                "fieldname:(*\\ \\-param\\-name\\ * OR *\\ \\/param\\-name\\ * OR *\\ –param\\-name\\ * OR *\\ —param\\-name\\ * OR *\\ ―param\\-name\\ *)"
+            ]
         )
@@ Expand Down @@