Merge pull request #1538 from Yamato-Security/1537-fix-expand-rule-pa…

…rse-error fix: rule parse error when config/expand does not exist
Yamato-Security · Dec 27, 2024 · e23c9f0 · e23c9f0
2 parents daf0629 + f428350
commit e23c9f0
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/src/detections/rule/matchers.rs b/src/detections/rule/matchers.rs
@@ -568,6 +568,7 @@ pub enum PipeElement {
     ReMultiLine,
     ReSingleLine,
     Wildcard,
+    Expand,
     Exists(String, String),
     EqualsField(String),
     Endswithfield(String),
@@ -607,6 +608,7 @@ impl PipeElement {
             "remultiline" => Some(PipeElement::ReMultiLine),
             "equalsfield" => Some(PipeElement::EqualsField(pattern.to_string())),
             "endswithfield" => Some(PipeElement::Endswithfield(pattern.to_string())),
+            "expand" => Some(PipeElement::Expand),
             "fieldref" => Some(PipeElement::FieldRef(pattern.to_string())),
             "fieldrefstartswith" => Some(PipeElement::FieldRefStartswith(pattern.to_string())),
             "fieldrefendswith" => Some(PipeElement::FieldRefEndswith(pattern.to_string())),