EQL: Remove parser handling for functions (#54028)
* EQL: Remove parser handling for functions * EQL: Comment out array functions in queries-unsupported.eql
This commit is contained in:
parent
5594d57727
commit
627ca03c72
|
@ -133,51 +133,6 @@ public class EqlParser {
|
|||
this.ruleNames = ruleNames;
|
||||
}
|
||||
|
||||
|
||||
@Override
|
||||
public void exitFunctionExpression(EqlBaseParser.FunctionExpressionContext context) {
|
||||
Token token = context.name;
|
||||
String functionName = token.getText();
|
||||
|
||||
switch (functionName) {
|
||||
case "add":
|
||||
case "between":
|
||||
case "cidrMatch":
|
||||
case "concat":
|
||||
case "divide":
|
||||
case "endsWith":
|
||||
case "indexOf":
|
||||
case "length":
|
||||
case "match":
|
||||
case "modulo":
|
||||
case "multiply":
|
||||
case "number":
|
||||
case "startsWith":
|
||||
case "string":
|
||||
case "stringContains":
|
||||
case "substring":
|
||||
case "subtract":
|
||||
case "wildcard":
|
||||
break;
|
||||
|
||||
case "arrayContains":
|
||||
case "arrayCount":
|
||||
case "arraySearch":
|
||||
throw new ParsingException(
|
||||
"Unsupported function [" + functionName + "]",
|
||||
null,
|
||||
token.getLine(),
|
||||
token.getCharPositionInLine());
|
||||
|
||||
default:
|
||||
throw new ParsingException(
|
||||
"Unknown function [" + functionName + "]",
|
||||
null,
|
||||
token.getLine(),
|
||||
token.getCharPositionInLine());
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
public void exitJoin(EqlBaseParser.JoinContext context) {
|
||||
Token token = context.JOIN().getSymbol();
|
||||
|
|
|
@ -113,20 +113,20 @@ public class VerifierTests extends ESTestCase {
|
|||
|
||||
// Some functions fail with "Unsupported" message at the parse stage
|
||||
public void testArrayFunctionsUnsupported() {
|
||||
assertEquals("1:16: Unsupported function [arrayContains]",
|
||||
errorParsing("registry where arrayContains(bytes_written_string_list, 'En')"));
|
||||
assertEquals("1:16: Unsupported function [arraySearch]",
|
||||
errorParsing("registry where arraySearch(bytes_written_string_list, a, a == 'en-us')"));
|
||||
assertEquals("1:16: Unsupported function [arrayCount]",
|
||||
errorParsing("registry where arrayCount(bytes_written_string_list, s, s == '*-us') == 1"));
|
||||
assertEquals("1:16: Unknown function [arrayContains]",
|
||||
error("registry where arrayContains(bytes_written_string_list, 'En')"));
|
||||
assertEquals("1:16: Unknown function [arraySearch]",
|
||||
error("registry where arraySearch(bytes_written_string_list, bytes_written_string, true)"));
|
||||
assertEquals("1:16: Unknown function [arrayCount]",
|
||||
error("registry where arrayCount(bytes_written_string_list, bytes_written_string, true) == 1"));
|
||||
}
|
||||
|
||||
// Some functions fail with "Unknown" message at the parse stage
|
||||
public void testFunctionParsingUnknown() {
|
||||
assertEquals("1:15: Unknown function [matchLite]",
|
||||
errorParsing("process where matchLite(?'.*?net1\\s+localgroup\\s+.*?', command_line)"));
|
||||
error("process where matchLite(?'.*?net1\\s+localgroup\\s+.*?', command_line)"));
|
||||
assertEquals("1:15: Unknown function [safe]",
|
||||
errorParsing("network where safe(divide(process_name, process_name))"));
|
||||
error("network where safe(process_name)"));
|
||||
}
|
||||
|
||||
// Test the known EQL functions that are not supported
|
||||
|
|
|
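Review bot: The surviving assertions in testArrayFunctionsUnsupported expect "Unknown function [...]" from `error(...)`, yet the method name and the header comment above it still describe an "Unsupported" message "at the parse stage"; the old/new sides are not marked on this page, so this is inferred from the `errorParsing` → `error` swap. Renaming the method to `testArrayFunctionsUnknown` and changing the comment to `// Array functions are no longer rejected by the parser; they fail as unknown functions in the verifier` would keep the test self-describing. The same "parse stage" wording on the comment above testFunctionParsingUnknown no longer matches its `error(...)` calls either. Both methods are shown in full, but the enclosing class continues outside the hunk.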
@ -94,7 +94,7 @@ public class QueryFolderOkTests extends AbstractQueryFolderTestCase {
|
|||
PhysicalPlan p = plan(query);
|
||||
assertEquals(EsQueryExec.class, p.getClass());
|
||||
EsQueryExec eqe = (EsQueryExec) p;
|
||||
assertEquals(23, eqe.output().size());
|
||||
assertEquals(25, eqe.output().size());
|
||||
assertEquals(KEYWORD, eqe.output().get(0).dataType());
|
||||
|
||||
final String query = eqe.queryContainer().toString().replaceAll("\\s+", "");
|
||||
|
|
|
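Review bot: The expected output size on the assertEquals line is a bare literal that silently tracks the number of fields in the test mapping; the mapping hunk below adds two keyword fields, which is presumably why 23 became 25, but nothing in the test records that dependency. A short comment on that line, `// must equal the field count in <test mapping resource>` (placeholder for the mapping file this test loads), or deriving the expected count from the loaded mapping, would stop the next mapping addition from failing this test without explanation. The enclosing test method starts before and ends after the hunk.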
@ -1,5 +1,11 @@
|
|||
{
|
||||
"properties" : {
|
||||
"bytes_written_string" : {
|
||||
"type" : "keyword"
|
||||
},
|
||||
"bytes_written_string_list" : {
|
||||
"type" : "keyword"
|
||||
},
|
||||
"command_line" : {
|
||||
"type" : "keyword"
|
||||
},
|
||||
|
|
|
@ -626,58 +626,44 @@ any where process_name == "svchost.exe"
|
|||
;
|
||||
|
||||
|
||||
// array functions
|
||||
registry where arrayContains(bytes_written_string_list, 'En-uS');
|
||||
registry where arrayContains(bytes_written_string_list, 'En');
|
||||
// Array functions
|
||||
// * parser will recognize as valid, but functions will fail to resolve in verifier
|
||||
|
||||
|
||||
network where mysterious_field
|
||||
and arraySearch(mysterious_field.subarray, s, true)
|
||||
;
|
||||
// registry where arrayContains(bytes_written_string_list, 'En-uS');
|
||||
// registry where arrayContains(bytes_written_string_list, 'En');
|
||||
|
||||
registry where arraySearch(bytes_written_string_list, a, a == 'en-us');
|
||||
// network where mysterious_field
|
||||
// and arraySearch(mysterious_field.subarray, s, true);
|
||||
|
||||
registry where arraySearch(bytes_written_string_list, a, endsWith(a, '-us'));
|
||||
// registry where arraySearch(bytes_written_string_list, a, a == 'en-us');
|
||||
// registry where arraySearch(bytes_written_string_list, a, endsWith(a, '-us'));
|
||||
// network where mysterious_field and arraySearch(mysterious_field.subarray, s, false);
|
||||
// network where mysterious_field and arraySearch(mysterious_field.subarray, s, s.a == 's0-*');
|
||||
// network where mysterious_field and arraySearch(mysterious_field.subarray, s, s.a != 's0-*');
|
||||
|
||||
// network where mysterious_field
|
||||
// and arraySearch(mysterious_field.subarray, sub1,
|
||||
// arraySearch(sub1.c, nested, nested.x.y == '*'))
|
||||
// ;
|
||||
|
||||
network where mysterious_field and arraySearch(mysterious_field.subarray, s, false)
|
||||
;
|
||||
// network where mysterious_field
|
||||
// and arraySearch(mysterious_field.subarray, sub1,
|
||||
// sub1.a == 's0-a' and arraySearch(sub1.c, nested, nested.z == 's0-c1-x-z'))
|
||||
// ;
|
||||
|
||||
network where mysterious_field and arraySearch(mysterious_field.subarray, s, s.a == 's0-*')
|
||||
;
|
||||
// network where mysterious_field
|
||||
// and arraySearch(mysterious_field.subarray, sub1,
|
||||
// sub1.a == 's0-a' and arraySearch(sub1.c, nested, nested.z == sub1.cross_match));
|
||||
|
||||
network where mysterious_field and arraySearch(mysterious_field.subarray, s, s.a != 's0-*')
|
||||
;
|
||||
// network where mysterious_field
|
||||
// and arraySearch(mysterious_field.subarray, sub1,
|
||||
// arraySearch(sub1.c, nested, nested.x.y == mysterious_field.outer_cross_match));
|
||||
|
||||
network where mysterious_field
|
||||
and arraySearch(mysterious_field.subarray, sub1,
|
||||
arraySearch(sub1.c, nested, nested.x.y == '*'))
|
||||
;
|
||||
// registry where arrayCount(bytes_written_string_list, s, s == '*-us') == 1;
|
||||
// registry where arrayCount(bytes_written_string_list, s, s == '*en*') == 2;
|
||||
// registry where arrayContains(bytes_written_string_list, "missing", "en-US");
|
||||
|
||||
network where mysterious_field
|
||||
and arraySearch(mysterious_field.subarray, sub1,
|
||||
sub1.a == 's0-a' and arraySearch(sub1.c, nested, nested.z == 's0-c1-x-z'))
|
||||
;
|
||||
|
||||
network where mysterious_field
|
||||
and arraySearch(mysterious_field.subarray, sub1,
|
||||
sub1.a == 's0-a' and arraySearch(sub1.c, nested, nested.z == sub1.cross_match))
|
||||
;
|
||||
|
||||
network where mysterious_field
|
||||
and arraySearch(mysterious_field.subarray, sub1,
|
||||
arraySearch(sub1.c, nested, nested.x.y == mysterious_field.outer_cross_match))
|
||||
;
|
||||
|
||||
|
||||
registry where arrayCount(bytes_written_string_list, s, s == '*-us') == 1
|
||||
;
|
||||
|
||||
registry where arrayCount(bytes_written_string_list, s, s == '*en*') == 2
|
||||
;
|
||||
|
||||
registry where arrayContains(bytes_written_string_list, "missing", "en-US")
|
||||
;
|
||||
|
||||
// array fields
|
||||
|
||||
|
|
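Review bot: The new header comment (`// * parser will recognize as valid, but functions will fail to resolve in verifier`) describes a behaviour that no remaining uncommented line in this block exercises, since every arraySearch/arrayCount/arrayContains query below it is now commented out. If these queries are kept as documentation until the functions exist, a second comment line naming the test that now covers the rejection (the verifier test changed in this same commit appears to be it) would tie the two together; otherwise the nested arraySearch cases (sub1.c, nested.x.y) are left with no negative test at all, as far as this commit shows. The hunk also leaves the old `// array functions` heading in place next to the new `// Array functions` one, so one of them looks redundant.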