From 7b7463c50101b13e774443c86a2700889d785bae Mon Sep 17 00:00:00 2001
From: Ernst Leierzopf <e.leierzopf@gmail.com>
Date: Sun, 1 Mar 2026 21:23:41 +0100
Subject: [PATCH 1/3] remove special regex character usage in
 log_format_utils/generate_logformat_regex (* still works).

---
 src/detectmatelibrary/utils/log_format_utils.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/detectmatelibrary/utils/log_format_utils.py b/src/detectmatelibrary/utils/log_format_utils.py
index 5f7c04e..0e2a2b2 100644
--- a/src/detectmatelibrary/utils/log_format_utils.py
+++ b/src/detectmatelibrary/utils/log_format_utils.py
@@ -44,10 +44,10 @@ def generate_logformat_regex(log_format: str) -> Tuple[list[str], re.Pattern[str
     headers = []
     splitters = re.split(r'(<[^<>]+>)', log_format)
     regex_str = ''
-    for k in range(len(splitters)):
+    for k, part in enumerate(splitters):
         if k % 2 == 0:
-            splitter = re.sub(r' +', r'\\s+', splitters[k])
-            regex_str += splitter
+            escaped = ''.join('\\' + c if c in '().[]{}?+|^$\\' else c for c in part)
+            regex_str += re.sub(r' +', r'\\s+', escaped)
         else:
             header = splitters[k].strip('<').strip('>')
             regex_str += '(?P<%s>.*?)' % header

From a54c431c91cadd3b530f57d82d0ba78b63161814 Mon Sep 17 00:00:00 2001
From: Ernst Leierzopf <e.leierzopf@gmail.com>
Date: Sun, 8 Mar 2026 21:10:10 +0100
Subject: [PATCH 2/3] fix pipeline config to use correct log_format.

---
 config/pipeline_config_default.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/pipeline_config_default.yaml b/config/pipeline_config_default.yaml
index cae7992..0475495 100644
--- a/config/pipeline_config_default.yaml
+++ b/config/pipeline_config_default.yaml
@@ -2,7 +2,7 @@ parsers:
     MatcherParser:
         method_type: matcher_parser
         auto_config: False
-        log_format: "type=<Type> msg=audit(<Time>): <Content>"
+        log_format: "type=<Type> msg=audit(<Time>:*): <Content>"
         time_format: null
         params:
             remove_spaces: True

From 14b390110c0cdf31fa8bcb0e03aee64c91e46252 Mon Sep 17 00:00:00 2001
From: Ernst Leierzopf <e.leierzopf@gmail.com>
Date: Sun, 8 Mar 2026 23:04:28 +0100
Subject: [PATCH 3/3] fix new value detector test.

---
 tests/test_detectors/test_new_value_detector.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/test_detectors/test_new_value_detector.py b/tests/test_detectors/test_new_value_detector.py
index 4ba7729..cf2ed70 100644
--- a/tests/test_detectors/test_new_value_detector.py
+++ b/tests/test_detectors/test_new_value_detector.py
@@ -197,7 +197,7 @@ def test_detect_known_value_alert(self):
         "MatcherParser": {
             "method_type": "matcher_parser",
             "auto_config": False,
-            "log_format": "type=<Type> msg=audit\\(<Time>\\): <Content>",
+            "log_format": "type=<Type> msg=audit(<Time>): <Content>",
             "time_format": None,
             "params": {
                 "remove_spaces": True,