Merge pull request SigmaHQ#2265 from SigmaHQ/fix-ids

Additional characters in identifier token
stbe · Nov 15, 2021 · cdaefbf · cdaefbf
2 parents aa47b88 + 068255f
commit cdaefbf
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/tools/sigma/parser/condition.py b/tools/sigma/parser/condition.py
@@ -121,7 +121,7 @@ class SigmaConditionTokenizer:
             (SigmaConditionToken.TOKEN_AND,    re.compile("and", re.IGNORECASE)),
             (SigmaConditionToken.TOKEN_OR,     re.compile("or", re.IGNORECASE)),
             (SigmaConditionToken.TOKEN_NOT,    re.compile("not", re.IGNORECASE)),
-            (SigmaConditionToken.TOKEN_ID,     re.compile("[\\w*]+")),
+            (SigmaConditionToken.TOKEN_ID,     re.compile("[\\w*-.]+")),
             (SigmaConditionToken.TOKEN_LPAR,   re.compile("\\(")),
             (SigmaConditionToken.TOKEN_RPAR,   re.compile("\\)")),
             ]
@@ -270,7 +270,7 @@ def __init__(self, value):
 def generateXOf(sigma, val, condclass):
     """
     Generic implementation of (1|all) of x expressions.
-        
+
     * condclass across all list items if x is name of definition
     * condclass across all definitions if x is keyword 'them'
     * condclass across all matching definition if x is wildcard expression, e.g. 'selection*'
@@ -520,7 +520,7 @@ def find_close_token_index_in_pairs(tokens, start_index, open_token, close_token
                     open_token was '(' and
                     tokens were ['(', '...', '(', '...', ')', ')']
                     the first '(' should pair with the last ')' instead of the first ')'
-                
+
                 Parameters:
                     tokens: the list of tokens
                     start_index: the start index (included) of the input tokens for finding the close_token