add rule parser

2025-12-10 11:12:58 +01:00 · 2025-03-09 20:06:34 +09:00
parent 9eea741d11
commit ab94b6c6c5
3 changed files with 3435 additions and 0 deletions
--- a/wela-extractor/Cargo.toml
+++ b/wela-extractor/Cargo.toml
@@ -0,0 +1,10 @@
+[package]
+name = "wela-extractor"
+version = "0.1.0"
+edition = "2024"
+
+[dependencies]
+csv = "1.3.*"
+yaml-rust2 = "0.10.*"
+walkdir = "2.*"
+serde_json = "*"
--- a/wela-extractor/hayabusa_rules_meta.json
+++ b/wela-extractor/hayabusa_rules_meta.json
--- a/wela-extractor/src/main.rs
+++ b/wela-extractor/src/main.rs
@@ -0,0 +1,136 @@
+use csv::ReaderBuilder;
+use std::error::Error;
+use std::{env, fs};
+use std::fs::write;
+use serde_json::{json, Value};
+use walkdir::WalkDir;
+use yaml_rust2::{Yaml, YamlLoader};
+
+fn list_yml_files(dir: &str) -> Vec<String> {
+    let mut yml_files = Vec::new();
+    for entry in WalkDir::new(dir).into_iter().filter_map(|e| e.ok()) {
+        let path = entry.path();
+        if path.is_file() && path.extension().and_then(|ext| ext.to_str()) == Some("yml") {
+            if let Some(path_str) = path.to_str() {
+                yml_files.push(path_str.to_string());
+            }
+        }
+    }
+
+    yml_files
+}
+
+fn extract_event_ids(yaml: &Yaml, event_ids: &mut Vec<String>) {
+    match yaml {
+        Yaml::Hash(hash) => {
+            for (key, value) in hash {
+                if key.as_str() == Some("EventID") {
+                    match value {
+                        Yaml::Array(ids) => {
+                            for id in ids {
+                                if let Some(id) = id.as_i64() {
+                                    event_ids.push(id.to_string());
+                                } else if let Some(id) = id.as_str() {
+                                    event_ids.push(id.to_string());
+                                }
+                            }
+                        }
+                        Yaml::String(id) => {
+                            event_ids.push(id.clone());
+                        }
+                        Yaml::Integer(id) => {
+                            event_ids.push(id.to_string());
+                        }
+                        _ => {}
+                    }
+                } else {
+                    extract_event_ids(value, event_ids);
+                }
+            }
+        }
+        Yaml::Array(array) => {
+            for item in array {
+                extract_event_ids(item, event_ids);
+            }
+        }
+        _ => {}
+    }
+}
+
+fn parse_yaml(doc: Yaml, eid_subcategory_pair: &Vec<(String, String)>) -> Option<Value> {
+    if let Some(logsource) = doc["logsource"].as_hash() {
+        if let Some(service) = logsource.get(&Yaml::from_str("service")) {
+            if service.as_str() == Some("security") {
+                let uuid = doc["id"].as_str().unwrap_or("No UUID");
+                let title = doc["title"].as_str().unwrap_or("No title");
+                let desc = doc["description"].as_str().unwrap_or("No description");
+                let level = doc["level"].as_str().unwrap_or("No level");
+                let mut event_ids = Vec::new();
+                extract_event_ids(&doc, &mut event_ids);
+                let mut subcategories = Vec::new();
+                for event_id in &event_ids {
+                    for (eid, subcategory) in eid_subcategory_pair {
+                        if eid == event_id {
+                            subcategories.push(subcategory.clone());
+                        }
+                    }
+                }
+                return Some(json!({
+                    "id": uuid,
+                    "title": title,
+                    "description": desc,
+                    "level": level,
+                    "event_ids": event_ids,
+                    "subcategory_guids": subcategories
+                }));
+            }
+        }
+    }
+    None
+}
+
+fn load_event_id_guid_pairs(file_path: &str) -> Result<Vec<(String, String)>, Box<dyn Error>> {
+    let mut rdr = ReaderBuilder::new()
+        .has_headers(true)
+        .from_path(file_path)?;
+
+    let mut pairs = Vec::new();
+    for result in rdr.records() {
+        let record = result?;
+        let event_id = record.get(0).unwrap_or("").to_string();
+        let guid = record.get(3).unwrap_or("").to_string();
+        if !event_id.is_empty() && !guid.is_empty() {
+            pairs.push((event_id, guid));
+        }
+    }
+    Ok(pairs)
+}
+
+fn main() -> Result<(), Box<dyn Error>> {
+    let args: Vec<String> = env::args().collect();
+    if args.len() != 3 {
+        eprintln!("Usage: {} <file_path> <dir>", args[0]);
+        std::process::exit(1);
+    }
+
+    let file_path = &args[1];
+    let eid_subcategory_pair = load_event_id_guid_pairs(file_path).unwrap();
+
+    let dir = &args[2];
+    let yml_files = list_yml_files(dir);
+    let mut results = Vec::new();
+
+    for file in yml_files {
+        let contents = fs::read_to_string(&file).expect("Unable to read file");
+        let docs = YamlLoader::load_from_str(&contents).expect("Unable to parse YAML");
+        for doc in docs {
+            if let Some(res) = parse_yaml(doc, &eid_subcategory_pair) {
+                results.push(res);
+            }
+        }
+    }
+
+    let json_output = serde_json::to_string_pretty(&results)?;
+    write("../config/hayabusa_rules_meta.json", json_output)?;
+    Ok(())
+}