From cc992ea64bdf891bc1cf936bba1af9fed25ff472 Mon Sep 17 00:00:00 2001
From: banditopazzo
Date: Thu, 18 Apr 2024 17:20:20 +0200
Subject: [PATCH] fix(dsl): quoted strings

---
 crates/modules/rules-engine/src/dsl.lalrpop | 2 +-
 rules/basic-rules.yaml | 14 +++++++-------
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/crates/modules/rules-engine/src/dsl.lalrpop b/crates/modules/rules-engine/src/dsl.lalrpop
index 4cbf74d8..8b83b2e2 100644
--- a/crates/modules/rules-engine/src/dsl.lalrpop
+++ b/crates/modules/rules-engine/src/dsl.lalrpop
@@ -70,7 +70,7 @@ Comma: Vec = {
 }
 Value: String = {
-    r#""\S+""# => <>.trim_matches('"').to_string(),
+    r#""([^"\\]|\\.)*""# => <>.trim_matches('"').to_string(),
     r"[0-9]+" => <>.to_string()
 }
diff --git a/rules/basic-rules.yaml b/rules/basic-rules.yaml
index 31f9ad72..4ac4da41 100644
--- a/rules/basic-rules.yaml
+++ b/rules/basic-rules.yaml
@@ -74,14 +74,14 @@
     this technique to search for, analyze, or manipulate private keys or passwords on the system.
   condition: (
     payload.filename ENDS_WITH "/find" AND (payload.argv CONTAINS "id_rsa" OR payload.argv CONTAINS "id_dsa")
-    ) OR (
-    payload.filename ENDS_WITH "grep" AND (
-    payload.argv CONTAINS "BEGIN PRIVATE"
-    OR payload.argv CONTAINS "BEGIN RSA PRIVATE"
-    OR payload.argv CONTAINS "BEGIN DSA PRIVATE"
-    OR payload.argv CONTAINS "BEGIN EC PRIVATE"
+  ) OR (
+    payload.filename ENDS_WITH "grep" AND (
+      payload.argv CONTAINS "BEGIN PRIVATE"
+      OR payload.argv CONTAINS "BEGIN RSA PRIVATE"
+      OR payload.argv CONTAINS "BEGIN DSA PRIVATE"
+      OR payload.argv CONTAINS "BEGIN EC PRIVATE"
+    )
   )
-    )
 # Add allowed files
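Review bot: The new token regex admits `\"` and `\\` escapes, but the action on the same line still does `<>.trim_matches('"').to_string()`, which neither removes the backslashes nor stops at one quote per side: for a rule value written as `"foo\""` the token is `"foo\""`, trim_matches strips both trailing quotes and yields `foo\`, so the escaped quote is silently lost and a stray backslash ends up in the value a CONTAINS/ENDS_WITH rule compares against, making the rule match something other than what its author wrote. Unless the value is unescaped further down the pipeline (not visible here), the action should strip exactly one quote on each side and decode the escapes, e.g. with a small helper in the grammar's Rust preamble as below. It is also worth a comment on the production that `[^"\\]` matches newlines, so an unterminated quote now runs on to the next `"` on a later line instead of stopping at end of line; I cannot see from this hunk how the lexer reports that, so the consequence is only a guess.
```rust
// Rust preamble of dsl.lalrpop (outside this hunk):
fn unescape_quoted(tok: &str) -> String {
    // The regex guarantees exactly one delimiting quote on each side; strip only those.
    let inner = &tok[1..tok.len() - 1];
    let mut out = String::with_capacity(inner.len());
    let mut chars = inner.chars();
    while let Some(c) = chars.next() {
        match c {
            // `\\.` in the regex: the escaped character stands for itself (`\"` -> `"`, `\\` -> `\`).
            '\\' => { if let Some(esc) = chars.next() { out.push(esc); } }
            _ => out.push(c),
        }
    }
    out
}
// … unchanged: Value production header …
    r#""([^"\\]|\\.)*""# => unescape_quoted(<>),
```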