EQL: Remove parser handling for functions (#54028)
* EQL: Remove parser handling for functions
* EQL: Comment out array functions in queries-unsupported.eql
parent
5594d57727
commit
627ca03c72
|
@ -133,51 +133,6 @@ public class EqlParser {
|
||||||
this.ruleNames = ruleNames;
|
this.ruleNames = ruleNames;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public void exitFunctionExpression(EqlBaseParser.FunctionExpressionContext context) {
|
|
||||||
Token token = context.name;
|
|
||||||
String functionName = token.getText();
|
|
||||||
|
|
||||||
switch (functionName) {
|
|
||||||
case "add":
|
|
||||||
case "between":
|
|
||||||
case "cidrMatch":
|
|
||||||
case "concat":
|
|
||||||
case "divide":
|
|
||||||
case "endsWith":
|
|
||||||
case "indexOf":
|
|
||||||
case "length":
|
|
||||||
case "match":
|
|
||||||
case "modulo":
|
|
||||||
case "multiply":
|
|
||||||
case "number":
|
|
||||||
case "startsWith":
|
|
||||||
case "string":
|
|
||||||
case "stringContains":
|
|
||||||
case "substring":
|
|
||||||
case "subtract":
|
|
||||||
case "wildcard":
|
|
||||||
break;
|
|
||||||
|
|
||||||
case "arrayContains":
|
|
||||||
case "arrayCount":
|
|
||||||
case "arraySearch":
|
|
||||||
throw new ParsingException(
|
|
||||||
"Unsupported function [" + functionName + "]",
|
|
||||||
null,
|
|
||||||
token.getLine(),
|
|
||||||
token.getCharPositionInLine());
|
|
||||||
|
|
||||||
default:
|
|
||||||
throw new ParsingException(
|
|
||||||
"Unknown function [" + functionName + "]",
|
|
||||||
null,
|
|
||||||
token.getLine(),
|
|
||||||
token.getCharPositionInLine());
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void exitJoin(EqlBaseParser.JoinContext context) {
|
public void exitJoin(EqlBaseParser.JoinContext context) {
|
||||||
Token token = context.JOIN().getSymbol();
|
Token token = context.JOIN().getSymbol();
|
||||||
|
|
|
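--- a/PATH_NOT_SHOWN/VerifierTests.java
+++ b/PATH_NOT_SHOWN/VerifierTests.java
@@ -113,20 +113,20 @@ public class VerifierTests extends ESTestCase {
 
 // Some functions fail with "Unsupported" message at the parse stage
 public void testArrayFunctionsUnsupported() {
-assertEquals("1:16: Unsupported function [arrayContains]",
-errorParsing("registry where arrayContains(bytes_written_string_list, 'En')"));
-assertEquals("1:16: Unsupported function [arraySearch]",
-errorParsing("registry where arraySearch(bytes_written_string_list, a, a == 'en-us')"));
-assertEquals("1:16: Unsupported function [arrayCount]",
-errorParsing("registry where arrayCount(bytes_written_string_list, s, s == '*-us') == 1"));
+assertEquals("1:16: Unknown function [arrayContains]",
+error("registry where arrayContains(bytes_written_string_list, 'En')"));
+assertEquals("1:16: Unknown function [arraySearch]",
+error("registry where arraySearch(bytes_written_string_list, bytes_written_string, true)"));
+assertEquals("1:16: Unknown function [arrayCount]",
+error("registry where arrayCount(bytes_written_string_list, bytes_written_string, true) == 1"));
 }
 
 // Some functions fail with "Unknown" message at the parse stage
 public void testFunctionParsingUnknown() {
 assertEquals("1:15: Unknown function [matchLite]",
-errorParsing("process where matchLite(?'.*?net1\\s+localgroup\\s+.*?', command_line)"));
+error("process where matchLite(?'.*?net1\\s+localgroup\\s+.*?', command_line)"));
 assertEquals("1:15: Unknown function [safe]",
-errorParsing("network where safe(divide(process_name, process_name))"));
+error("network where safe(process_name)"));
 }
 
 // Test the known EQL functions that are not supported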
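Review bot: The comments above both test methods are now stale: `// Some functions fail with "Unsupported" message at the parse stage` still heads testArrayFunctionsUnsupported, yet every new assertion expects `Unknown function [...]` and goes through `error(...)` instead of `errorParsing(...)`, so (judging from the helper names) the failure is reported by the verifier rather than the parser; the `"Unknown" message at the parse stage` comment above testFunctionParsingUnknown has the same problem. Suggest `// Array functions are not registered; the verifier reports them as unknown` and `// Unknown function names are rejected by the verifier, not the parser`, and renaming testArrayFunctionsUnsupported to match what it asserts. With the parser-side name check removed in this commit, the verifier is the only remaining gate for unrecognised function names, so these tests are worth keeping as the explicit regression guard for that path.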
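--- a/PATH_NOT_SHOWN/QueryFolderOkTests.java
+++ b/PATH_NOT_SHOWN/QueryFolderOkTests.java
@@ -94,7 +94,7 @@ public class QueryFolderOkTests extends AbstractQueryFolderTestCase {
 PhysicalPlan p = plan(query);
 assertEquals(EsQueryExec.class, p.getClass());
 EsQueryExec eqe = (EsQueryExec) p;
-assertEquals(23, eqe.output().size());
+assertEquals(25, eqe.output().size());
 assertEquals(KEYWORD, eqe.output().get(0).dataType());
 
 final String query = eqe.queryContainer().toString().replaceAll("\\s+", "");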
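Review bot: `assertEquals(25, eqe.output().size());` is a bare magic number whose move from 23 is explained only by the two `bytes_written_string*` keyword fields added to the test mapping elsewhere in this commit; a comment tying the value to its source, `// one output attribute per field in the test mapping`, would stop the next mapping change from reading as a regression. The enclosing test method starts before this hunk.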
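--- a/PATH_NOT_SHOWN/mapping-placeholder.json
+++ b/PATH_NOT_SHOWN/mapping-placeholder.json
@@ -1,5 +1,11 @@
 {
 "properties" : {
+"bytes_written_string" : {
+"type" : "keyword"
+},
+"bytes_written_string_list" : {
+"type" : "keyword"
+},
 "command_line" : {
 "type" : "keyword"
 },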
@ -626,58 +626,44 @@ any where process_name == "svchost.exe"
|
||||||
;
|
;
|
||||||
|
|
||||||
|
|
||||||
// array functions
|
// Array functions
|
||||||
registry where arrayContains(bytes_written_string_list, 'En-uS');
|
// * parser will recognize as valid, but functions will fail to resolve in verifier
|
||||||
registry where arrayContains(bytes_written_string_list, 'En');
|
|
||||||
|
|
||||||
|
|
||||||
network where mysterious_field
|
// registry where arrayContains(bytes_written_string_list, 'En-uS');
|
||||||
and arraySearch(mysterious_field.subarray, s, true)
|
// registry where arrayContains(bytes_written_string_list, 'En');
|
||||||
;
|
|
||||||
|
|
||||||
registry where arraySearch(bytes_written_string_list, a, a == 'en-us');
|
// network where mysterious_field
|
||||||
|
// and arraySearch(mysterious_field.subarray, s, true);
|
||||||
|
|
||||||
registry where arraySearch(bytes_written_string_list, a, endsWith(a, '-us'));
|
// registry where arraySearch(bytes_written_string_list, a, a == 'en-us');
|
||||||
|
// registry where arraySearch(bytes_written_string_list, a, endsWith(a, '-us'));
|
||||||
|
// network where mysterious_field and arraySearch(mysterious_field.subarray, s, false);
|
||||||
|
// network where mysterious_field and arraySearch(mysterious_field.subarray, s, s.a == 's0-*');
|
||||||
|
// network where mysterious_field and arraySearch(mysterious_field.subarray, s, s.a != 's0-*');
|
||||||
|
|
||||||
|
// network where mysterious_field
|
||||||
|
// and arraySearch(mysterious_field.subarray, sub1,
|
||||||
|
// arraySearch(sub1.c, nested, nested.x.y == '*'))
|
||||||
|
// ;
|
||||||
|
|
||||||
network where mysterious_field and arraySearch(mysterious_field.subarray, s, false)
|
// network where mysterious_field
|
||||||
;
|
// and arraySearch(mysterious_field.subarray, sub1,
|
||||||
|
// sub1.a == 's0-a' and arraySearch(sub1.c, nested, nested.z == 's0-c1-x-z'))
|
||||||
|
// ;
|
||||||
|
|
||||||
network where mysterious_field and arraySearch(mysterious_field.subarray, s, s.a == 's0-*')
|
// network where mysterious_field
|
||||||
;
|
// and arraySearch(mysterious_field.subarray, sub1,
|
||||||
|
// sub1.a == 's0-a' and arraySearch(sub1.c, nested, nested.z == sub1.cross_match));
|
||||||
|
|
||||||
network where mysterious_field and arraySearch(mysterious_field.subarray, s, s.a != 's0-*')
|
// network where mysterious_field
|
||||||
;
|
// and arraySearch(mysterious_field.subarray, sub1,
|
||||||
|
// arraySearch(sub1.c, nested, nested.x.y == mysterious_field.outer_cross_match));
|
||||||
|
|
||||||
network where mysterious_field
|
// registry where arrayCount(bytes_written_string_list, s, s == '*-us') == 1;
|
||||||
and arraySearch(mysterious_field.subarray, sub1,
|
// registry where arrayCount(bytes_written_string_list, s, s == '*en*') == 2;
|
||||||
arraySearch(sub1.c, nested, nested.x.y == '*'))
|
// registry where arrayContains(bytes_written_string_list, "missing", "en-US");
|
||||||
;
|
|
||||||
|
|
||||||
network where mysterious_field
|
|
||||||
and arraySearch(mysterious_field.subarray, sub1,
|
|
||||||
sub1.a == 's0-a' and arraySearch(sub1.c, nested, nested.z == 's0-c1-x-z'))
|
|
||||||
;
|
|
||||||
|
|
||||||
network where mysterious_field
|
|
||||||
and arraySearch(mysterious_field.subarray, sub1,
|
|
||||||
sub1.a == 's0-a' and arraySearch(sub1.c, nested, nested.z == sub1.cross_match))
|
|
||||||
;
|
|
||||||
|
|
||||||
network where mysterious_field
|
|
||||||
and arraySearch(mysterious_field.subarray, sub1,
|
|
||||||
arraySearch(sub1.c, nested, nested.x.y == mysterious_field.outer_cross_match))
|
|
||||||
;
|
|
||||||
|
|
||||||
|
|
||||||
registry where arrayCount(bytes_written_string_list, s, s == '*-us') == 1
|
|
||||||
;
|
|
||||||
|
|
||||||
registry where arrayCount(bytes_written_string_list, s, s == '*en*') == 2
|
|
||||||
;
|
|
||||||
|
|
||||||
registry where arrayContains(bytes_written_string_list, "missing", "en-US")
|
|
||||||
;
|
|
||||||
|
|
||||||
// array fields
|
// array fields
|
||||||
|
|
||||||
|
|
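Review bot: The new header `// * parser will recognize as valid, but functions will fail to resolve in verifier` says why the array-function queries are commented out, but a commented-out query is not executed, so this file no longer asserts anything about those functions; a one-line pointer to where the negative case now lives (`// see VerifierTests.testArrayFunctionsUnsupported for arrayContains/arraySearch/arrayCount`) would keep the two in sync. Several of the multi-line queries were also folded into `// ;` fragments that no longer match the original statements line for line, so anyone restoring them later will have to reconstruct them by hand rather than just un-commenting.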