opencybersecurityalliance/stix-shifter

case-insensitive bug for items in brackets for elastic_ecs

subbyte opened this issue · 0 comments

Describe the bug

% stix-shifter translate elastic_ecs query "{}" "[file:x_path MATCHES '(?i)TEMP[a-z]*']"

2023-10-18 13:45:47,325 stix_shifter_modules.elastic_ecs.stix_translation.query_translator INFO     Converting STIX2 Pattern to data source query
{
    "queries": [
        "(file.path : /[tT][eE][mM][pP][-AZaz]*/ OR dll.path : /[tT][eE][mM][pP][-AZaz]*/) AND (@timestamp:[\"2023-10-18T17:40:47.325Z\" TO \"2023-10-18T17:45:47.325Z\"])"
    ]
}

The section in brackets is not correctly generated. It is a bug in (?i) handling.

The [a-z]* should be unfolded as [a-zA-Z]*.

This occurs on stix-shifter 6.2.1 and 6.2.2 when we implemented (?i) for elastic_ecs.
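An added example, not part of the issue and not stix-shifter's own code: one way to unfold a leading `(?i)` into explicit character classes so that ranges inside brackets gain their case counterparts, which is the result the report asks for. The function names are hypothetical, and the sketch assumes ASCII letters and unescaped range endpoints.

```python
import string

def _fold_class(body: str) -> str:
    """Add case counterparts to the inside of one bracket expression."""
    # A leading '^' (negation) must stay first in the rebuilt class.
    out, extra, i = (["^"], [], 1) if body.startswith("^") else ([], [], 0)
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body):       # escaped char: copy verbatim
            out.append(body[i:i + 2])
            i += 2
        elif i + 2 < len(body) and body[i + 1] == "-":  # range lo-hi
            lo, hi = body[i], body[i + 2]
            out.append(f"{lo}-{hi}")
            for letters, swap in ((string.ascii_lowercase, str.upper),
                                  (string.ascii_uppercase, str.lower)):
                a, b = max(lo, letters[0]), min(hi, letters[-1])
                if a <= b:                              # part of the range is letters
                    extra.append(f"{swap(a)}-{swap(b)}")
            i += 3
        else:                                           # single literal character
            out.append(body[i])
            if body[i] in string.ascii_letters:
                extra.append(body[i].swapcase())
            i += 1
    # Append only the counterparts the class does not already contain.
    out += [e for e in dict.fromkeys(extra) if e not in out]
    return "".join(out)

def unfold_case_insensitive(pattern: str) -> str:
    """Rewrite '(?i)...' as an equivalent pattern without the inline flag."""
    if not pattern.startswith("(?i)"):
        return pattern
    src, out, i = pattern[4:], [], 0
    while i < len(src):
        if src[i] == "\\" and i + 1 < len(src):         # escape: copy verbatim
            out.append(src[i:i + 2])
            i += 2
        elif src[i] == "[":                             # fold the class as a unit
            j = i + 1
            while j < len(src) and src[j] != "]":
                j += 2 if src[j] == "\\" else 1
            if j >= len(src):
                raise ValueError("unterminated bracket expression")
            out.append("[" + _fold_class(src[i + 1:j]) + "]")
            i = j + 1
        else:                                           # bare letter becomes [xX]
            ch = src[i]
            out.append(f"[{ch.lower()}{ch.upper()}]" if ch in string.ascii_letters else ch)
            i += 1
    return "".join(out)
```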