Improved test coverage and exceptions

sigma/correlations.py

@@ -2,7 +2,7 @@
 from enum import Enum, auto
 from typing import List, Optional
 import sigma.exceptions as sigma_exceptions
-from sigma.exceptions import SigmaRuleLocation
+from sigma.exceptions import SigmaRuleLocation, SigmaTimespanError
 from sigma.rule import EnumLowercaseStringMixin, SigmaRule, SigmaRuleBase
 
 
@@ -70,7 +70,7 @@ def to_dict(self) -> dict:
         return {self.op.name.lower(): self.count}
 
 
-def parse_timespan(timespan: str) -> int:
+def parse_timespan(timespan: str, source: Optional[SigmaRuleLocation] = None) -> int:
     """
     Parses a string representing a time span and returns the equivalent number of seconds.
 
@@ -97,7 +97,9 @@ def parse_timespan(timespan: str) -> int:
             }[timespan[-1]]
         )
     except (ValueError, KeyError):
-        raise sigma_exceptions.SigmaTimespanError(f"Timespan '{ timespan }' is invalid.")
+        raise sigma_exceptions.SigmaTimespanError(
+            f"Timespan '{ timespan }' is invalid.", source=source
+        )
 
 
 def seconds_to_timespan(seconds: int) -> str:
@@ -213,12 +215,8 @@ def from_dict(
         if timespan is not None:
             try:
                 timespan = parse_timespan(timespan)
-            except ValueError:
-                errors.append(
-                    sigma_exceptions.SigmaCorrelationTypeError(
-                        f"Sigma correlation rule with invalid timespan", source=source
-                    )
-                )
+            except SigmaTimespanError as e:
+                errors.append(e)
         else:
             errors.append(
                 sigma_exceptions.SigmaCorrelationRuleError(

sigma/exceptions.py

@@ -138,25 +138,25 @@ class SigmaPlaceholderError(SigmaValueError):
     pass
 
 
-class SigmaCorrelationTypeError(SigmaValueError):
-    """Wrong Sigma correlation type."""
+class SigmaCorrelationRuleError(SigmaValueError):
+    """Error in Sigma correlation rule."""
 
     pass
 
 
-class SigmaCorrelationRuleError(SigmaValueError):
-    """Error in Sigma correlation rule."""
+class SigmaCorrelationTypeError(SigmaCorrelationRuleError):
+    """Wrong Sigma correlation type."""
 
     pass
 
 
-class SigmaCorrelationConditionError(SigmaValueError):
+class SigmaCorrelationConditionError(SigmaCorrelationRuleError):
     """Error in Sigma correlation condition."""
 
     pass
 
 
-class SigmaTimespanError(Exception):
+class SigmaTimespanError(SigmaCorrelationRuleError):
     """Raised when the timespan for calculating sigma is invalid."""
 
     pass

tests/test_correlations.py

@@ -216,6 +216,21 @@ def test_correlation_invalid_timespan():
         )
 
 
+def test_correlation_without_timespan():
+    with pytest.raises(SigmaCorrelationRuleError, match="Sigma correlation rule without timespan"):
+        SigmaCorrelationRule.from_dict(
+            {
+                "name": "Invalid time span",
+                "correlation": {
+                    "type": "event_count",
+                    "rules": "failed_login",
+                    "group-by": ["user"],
+                    "condition": {"gte": 10},
+                },
+            }
+        )
+
+
 def test_correlation_invalid_ordered():
     with pytest.raises(
         SigmaCorrelationRuleError, match="Sigma correlation ordered definition must be boolean"
@@ -268,6 +283,18 @@ def test_correlation_without_condition():
         )
 
 
+def test_correlation_without_condition_post_init_check():
+    with pytest.raises(SigmaCorrelationRuleError, match="Sigma correlation rule without condition"):
+        SigmaCorrelationRule(
+            type=SigmaCorrelationType.EVENT_COUNT,
+            rules=[SigmaRuleReference("failed_login")],
+            timespan=600,
+            group_by=["user"],
+            ordered=False,
+            condition=None,
+        )
+
+
 def test_correlation_to_dict():
     rule = SigmaCorrelationRule.from_dict(
         {