From 056e63ce5a9937b196dbbabcf5f145fcb06be33c Mon Sep 17 00:00:00 2001
From: DustInDark
Date: Sat, 11 Jun 2022 02:55:20 +0900
Subject: [PATCH] output status field summary #583

---
 src/detections/detection.rs | 33 +++++++++++------------
 src/yaml.rs | 52 +++++++++++++++++++++++++------------
 2 files changed, 52 insertions(+), 33 deletions(-)

diff --git a/src/detections/detection.rs b/src/detections/detection.rs
index 05ff4aa5..f99525e0 100644
--- a/src/detections/detection.rs
+++ b/src/detections/detection.rs
@@ -13,7 +13,7 @@ use crate::detections::print::{CH_CONFIG, IS_DISPLAY_RECORD_ID, TAGS_CONFIG};
 use crate::detections::rule;
 use crate::detections::rule::AggResult;
 use crate::detections::rule::RuleNode;
-use crate::detections::utils::get_serde_number_to_string;
+use crate::detections::utils::{get_serde_number_to_string, make_ascii_titlecase};
 use crate::filter;
 use crate::yaml::ParseYaml;
 use hashbrown;
@@ -126,12 +126,12 @@ impl Detection {
 .args
 .is_present("logon-summary")
 {
+let _ = &rulefile_loader
+.rule_load_status_cnt
+.insert(String::from("rule parsing error"), parseerror_count);
 Detection::print_rule_load_info(
 &rulefile_loader.rulecounter,
-&parseerror_count,
-&rulefile_loader.exclude_rule_count,
-&rulefile_loader.noisy_rule_count,
-&rulefile_loader.deprecate_rule_count,
+&rulefile_loader.rule_load_status_cnt,
 );
 }
 ret
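Review bot: The parse-error count is stored in `rule_load_status_cnt` under the key `"rule parsing error"`, and `print_rule_load_info` (hunk -353 in this file) renders every key through the `"{} rules: {}"` format, so the summary line becomes `Rule parsing error rules: N` in place of the removed `Rule parsing errors: N`. The same map is keyed by each rule file's `status` value (hunk -245 in src/yaml.rs), so a rule whose `status` happens to equal this synthetic key would collide with the parse-error count; keeping parse errors as a dedicated counter or label would avoid that. `let _ = &rulefile_loader.rule_load_status_cnt.insert(...)` also borrows the returned `Option<u128>` only to discard it; the plain statement `rulefile_loader.rule_load_status_cnt.insert(String::from("rule parsing error"), parseerror_count);` is enough. The enclosing function continues outside the hunk.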
@@ -353,21 +353,22 @@ impl Detection {
 ret
 }
 
-pub fn print_rule_load_info(
-rc: &HashMap,
-parseerror_count: &u128,
-exclude_count: &u128,
-noisy_count: &u128,
-deprecate_count: &u128,
-) {
+pub fn print_rule_load_info(rc: &HashMap, st_rc: &HashMap) {
 if *STATISTICS_FLAG {
 return;
 }
-println!("Deprecated rules: {}", deprecate_count);
-println!("Excluded rules: {}", exclude_count);
-println!("Noisy rules: {}", noisy_count);
-println!("Rule parsing errors: {}", parseerror_count);
+let mut sorted_st_rc: Vec<(&String, &u128)> = st_rc.iter().collect();
+sorted_st_rc.sort_by(|a, b| a.0.cmp(b.0));
+sorted_st_rc.into_iter().for_each(|(key, value)| {
+//タイトルに利用するものはascii文字であることを前提として1文字目を大文字にするように変更する
+println!(
+"{} rules: {}",
+make_ascii_titlecase(key.clone().as_mut()),
+value
+);
+});
 println!();
+
 let mut sorted_rc: Vec<(&String, &u128)> = rc.iter().collect();
 sorted_rc.sort_by(|a, b| a.0.cmp(b.0));
 let mut enable_total = 0;
diff --git a/src/yaml.rs b/src/yaml.rs
index db853afb..3d0a19a2 100644
--- a/src/yaml.rs
+++ b/src/yaml.rs
@@ -18,9 +18,7 @@ use yaml_rust::YamlLoader;
 pub struct ParseYaml {
 pub files: Vec<(String, yaml_rust::Yaml)>,
 pub rulecounter: HashMap,
-pub exclude_rule_count: u128,
-pub noisy_rule_count: u128,
-pub deprecate_rule_count: u128,
+pub rule_load_status_cnt: HashMap,
 pub errorrule_count: u128,
 }
 
@@ -35,9 +33,11 @@ impl ParseYaml {
 ParseYaml {
 files: Vec::new(),
 rulecounter: HashMap::new(),
-exclude_rule_count: 0,
-noisy_rule_count: 0,
-deprecate_rule_count: 0,
+rule_load_status_cnt: HashMap::from([
+("excluded".to_string(), 0_u128),
+("noisy".to_string(), 0_u128),
+("deprecate".to_string(), 0_u128),
+]),
 errorrule_count: 0,
 }
 }
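Review bot: `print_rule_load_info` gains a second map parameter `st_rc` with no documentation of what its keys are, and the loop that prints it clones every key only to title-case it (`make_ascii_titlecase(key.clone().as_mut())`) inside a side-effecting `into_iter().for_each`. A doc comment such as `/// Prints per-status rule counts (`st_rc`: rule `status` values plus the synthetic `excluded`/`noisy`/`rule parsing error` keys) followed by per-rule counts (`rc`).` and a plain `for (key, value) in sorted_st_rc { ... }` would make the contract and the side effects explicit. The Japanese comment on the new line should be given in English, e.g. `// keys are assumed to be ASCII; only the first character is upper-cased for the label`. The function body continues beyond the hunk.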
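Review bot: `new()` seeds the map with the key `"deprecate"`, but the increment added in hunk -269 of this file uses `rule_status.to_string()` where `rule_status == "deprecated"`, so the summary will print both `Deprecate rules: 0` and `Deprecated rules: N`; the seed should read `("deprecated".to_string(), 0_u128),`, ideally via a constant shared by both sites. The fallback `"Undefined"` chosen in hunk -245 is also capitalised while the seeded keys are lower-case; since the printing side upper-cases the first character anyway, a consistent lower-case convention avoids a rule with `status: undefined` landing in a different bucket from a rule with no status at all.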
@@ -221,19 +221,22 @@ impl ParseYaml {
 //除外されたルールは無視する
 let rule_id = &yaml_doc["id"].as_str();
 if rule_id.is_some() {
-match exclude_ids
+if let Some(v) = exclude_ids
 .no_use_rule
-.get(&rule_id.unwrap_or("").to_string())
+.get(&rule_id.unwrap_or(&String::default()).to_string())
 {
-None => (),
-Some(v) => {
-if v.contains("exclude_rule") {
-self.exclude_rule_count += 1;
-} else {
-self.noisy_rule_count += 1;
-}
-return Option::None;
+let entry_key;
+if v.contains("exclude_rule") {
+entry_key = "excluded";
+} else {
+entry_key = "noisy";
 }
+let entry = self
+.rule_load_status_cnt
+.entry(entry_key.to_string())
+.or_insert(0);
+*entry += 1;
+return Option::None;
 }
 }
 
@@ -245,6 +248,17 @@ impl ParseYaml {
 + 1,
 );
 
+let status_cnt = self
+.rule_load_status_cnt
+.entry(
+yaml_doc["status"]
+.as_str()
+.unwrap_or("Undefined")
+.to_string(),
+)
+.or_insert(0);
+*status_cnt += 1;
+
 if configs::CONFIG.read().unwrap().args.is_present("verbose") {
 println!("Loaded yml file path: {}", filepath);
 }
@@ -269,7 +283,11 @@ impl ParseYaml {
 {
 let rule_status = &yaml_doc["status"].as_str().unwrap_or_default();
 if *rule_status == "deprecated" {
-self.deprecate_rule_count += 1;
+let entry = self
+.rule_load_status_cnt
+.entry(rule_status.to_string())
+.or_insert(0);
+*entry += 1;
 return Option::None;
 }
 }
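Review bot: `rule_id.unwrap_or(&String::default())` allocates a fresh `String` on every call only for the result to be re-`to_string()`ed, and the branch is reached only after `rule_id.is_some()` has already been checked; the previous `unwrap_or("")` was already correct, and an `if let Some(id) = rule_id` guard in place of the `is_some()` test would drop the `unwrap_or` entirely (whether `.get(*id)` then compiles depends on the key type of `no_use_rule`, which the hunk does not show). `let entry_key;` with deferred assignment is better written as an expression: `let entry_key = if v.contains("exclude_rule") { "excluded" } else { "noisy" };`. The enclosing function starts before and continues after the hunk.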
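Review bot: The `status` string is taken verbatim from the rule file and used as a key in the same map that holds the synthetic `excluded`/`noisy` counters (and the `rule parsing error` key set in src/detections/detection.rs), so a rule declaring e.g. `status: excluded` would be folded into the exclusion count, and the raw file-supplied value is later echoed in the summary output. Restricting the key to the status values the project recognises, or keeping file-derived statuses in a separate map, would keep the counters unambiguous. Separately, if the `deprecated` branch in hunk -269 is reached after this increment within the same call (the function body lies outside the hunk, so this cannot be confirmed here), a deprecated rule is counted twice under `deprecated`: once here via its `status` and once in that branch. The enclosing function starts before and continues after this hunk.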