Gracefully handle rules containing invalid search conditions

[bradleyjkemp]

Currently sigma-go panics when given a rule that looks like this:

detection:
    someCondition:
        foo: bar
    condition: nonExistentCondition

This panic happens here:

sigma-go/evaluator/evaluate_search.go

Line 41 in fe36bd7

panic("invalid search identifier")

Instead this function should be extended so that it can return an error back to the caller

[veramine]

I hit something similar on a sigma project rule with the following definition:

detection:
    selection:
        Image|endswith: '\3proxy.exe'
    selection_pe:
        Description: '3proxy - tiny proxy server'
    selection_params: # param combos seen in the wild
        CommandLine|contains: '.exe -i127.0.0.1 -p'
    condition: 1 of selection

Error was:

panic: unhandled node type sigma.OneOfIdentifier

goroutine 9 [running]:
github.com/bradleyjkemp/sigma-go/evaluator.RuleEvaluator.evaluateSearchExpression({{{0x14000639e70, 0xc}, {{0x140008de4f0, 0x10}, {0x140008de5a0, 0x7}, {0x0, 0x0}, {0x0, 0x0}, ...}, ...}, ...}, ...)
	/Users/jness/v/onprem/pkg/mod/github.com/bradleyjkemp/[email protected]/evaluator/evaluate_search.go:83 +0x314
github.com/bradleyjkemp/sigma-go/evaluator.RuleEvaluator.Matches({{{0x14000639e70, 0xc}, {{0x140008de4f0, 0x10}, {0x140008de5a0, 0x7}, {0x0, 0x0}, {0x0, 0x0}, ...}, ...}, ...}, ...)
	/Users/jness/v/onprem/pkg/mod/github.com/bradleyjkemp/[email protected]/evaluator/evaluate.go:109 +0x2e8

I'll file an issue on the Sigma project rule: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_3proxy_usage.yml