fix(parser): reject |not modifier with guidance toward condition negation #103
Merged
…gation

A common mistranslation from pySigma's documentation lands as `field|not: value` or `field|contains|not: value` in the YAML, which the parser would previously surface as the generic "Unknown modifier 'not'" error. Sigma reserves `not` exclusively for condition expressions; there is no value modifier of that name in pySigma either.

Add a dedicated `SigmaParserError::NotIsNotAModifier` variant whose message points users at the two correct alternatives:

- `condition: not selection` for whole-detection negation.
- `selection and not filter` with the inverted predicate moved into a separate detection used as a filter.

The parser now short-circuits on `mod_str == "not"` inside `parse_field_spec` before falling through to the unknown-modifier path, so the diagnostic mentions the workaround instead of just naming the unsupported token.

Tests:

- `test_not_modifier_is_rejected_with_guidance` covers both `field|not` and `field|contains|not`, asserts the dedicated error variant, and pins the error message wording so the guidance text doesn't drift.
Summary
A common mistranslation from pySigma's docs lands as `field|not: value` or `field|contains|not: value` in YAML, and the parser would previously surface it as the generic `Unknown modifier 'not'` error. Sigma reserves `not` exclusively for condition expressions; there is no value modifier of that name in pySigma either.

This PR adds a dedicated `SigmaParserError::NotIsNotAModifier` variant whose message points users at the two correct alternatives:

- `condition: not selection` for whole-detection negation.
- `selection and not filter` with the inverted predicate moved into a separate detection used as a filter.

The parser short-circuits on `mod_str == "not"` inside `parse_field_spec` before falling through to the unknown-modifier path.

Tests

- `test_not_modifier_is_rejected_with_guidance` covers both `field|not` and `field|contains|not`, asserts the dedicated error variant, and pins the error message wording so the guidance text doesn't drift.

All workspace tests pass; clippy + fmt clean.
Test plan
- `cargo fmt --all -- --check`
- `cargo clippy --workspace --all-targets --all-features -- -D warnings`
- `cargo test --workspace`
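The short-circuit described in this PR, as an added sketch that is not the project's code: a field key is split on `|`, and `not` is caught before the generic unknown-modifier path so the error can carry rewrite guidance. The names `parse_field_spec`, `mod_str` and `NotIsNotAModifier` come from the PR text; the `FieldSpecError` type, the `KNOWN` modifier subset, the return shape and the message wording are assumptions made for this example.

```rust
use std::fmt;

// Hypothetical error type; only the idea of a dedicated `not` variant is from the PR.
#[derive(Debug, PartialEq)]
enum FieldSpecError {
    NotIsNotAModifier { field: String },
    UnknownModifier(String),
}

impl fmt::Display for FieldSpecError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            // Constructed wording, not the message pinned by the project's test.
            Self::NotIsNotAModifier { field } => write!(
                f,
                "'not' is not a value modifier (field '{field}'): use `condition: not selection`, \
                 or move the predicate into its own detection and use `selection and not filter`"
            ),
            Self::UnknownModifier(m) => write!(f, "Unknown modifier '{m}'"),
        }
    }
}

// Subset of Sigma value modifiers, enough for the demonstration.
const KNOWN: &[&str] = &["contains", "startswith", "endswith", "all", "re", "cidr"];

// Split `field|mod1|mod2` and validate each modifier in order.
fn parse_field_spec(key: &str) -> Result<(String, Vec<String>), FieldSpecError> {
    let mut parts = key.split('|');
    let field = parts.next().unwrap_or("").to_string();
    let mut modifiers = Vec::new();
    for mod_str in parts {
        // Check `not` first so the diagnostic carries guidance, not just the token.
        if mod_str == "not" {
            return Err(FieldSpecError::NotIsNotAModifier { field });
        }
        if !KNOWN.iter().any(|k| *k == mod_str) {
            return Err(FieldSpecError::UnknownModifier(mod_str.to_string()));
        }
        modifiers.push(mod_str.to_string());
    }
    Ok((field, modifiers))
}

fn main() {
    // Constructed sample keys as they would appear in a rule's detection block.
    for key in ["CommandLine|contains", "Image|contains|not", "Image|nope"] {
        println!("{key} -> {:?}", parse_field_spec(key).map_err(|e| e.to_string()));
    }
}
```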