output status field summary #583

src/detections/detection.rs

@@ -13,7 +13,7 @@ use crate::detections::print::{CH_CONFIG, IS_DISPLAY_RECORD_ID, TAGS_CONFIG};
 use crate::detections::rule;
 use crate::detections::rule::AggResult;
 use crate::detections::rule::RuleNode;
-use crate::detections::utils::get_serde_number_to_string;
+use crate::detections::utils::{get_serde_number_to_string, make_ascii_titlecase};
 use crate::filter;
 use crate::yaml::ParseYaml;
 use hashbrown;
@@ -126,12 +126,12 @@ impl Detection {
             .args
             .is_present("logon-summary")
         {
+            let _ = &rulefile_loader
+                .rule_load_status_cnt
+                .insert(String::from("rule parsing error"), parseerror_count);
             Detection::print_rule_load_info(
                 &rulefile_loader.rulecounter,
-                &parseerror_count,
-                &rulefile_loader.exclude_rule_count,
-                &rulefile_loader.noisy_rule_count,
-                &rulefile_loader.deprecate_rule_count,
+                &rulefile_loader.rule_load_status_cnt,
             );
         }
         ret
@@ -353,21 +353,22 @@ impl Detection {
         ret
     }
 
-    pub fn print_rule_load_info(
-        rc: &HashMap<String, u128>,
-        parseerror_count: &u128,
-        exclude_count: &u128,
-        noisy_count: &u128,
-        deprecate_count: &u128,
-    ) {
+    pub fn print_rule_load_info(rc: &HashMap<String, u128>, st_rc: &HashMap<String, u128>) {
         if *STATISTICS_FLAG {
             return;
         }
-        println!("Deprecated rules: {}", deprecate_count);
-        println!("Excluded rules: {}", exclude_count);
-        println!("Noisy rules: {}", noisy_count);
-        println!("Rule parsing errors: {}", parseerror_count);
+        let mut sorted_st_rc: Vec<(&String, &u128)> = st_rc.iter().collect();
+        sorted_st_rc.sort_by(|a, b| a.0.cmp(b.0));
+        sorted_st_rc.into_iter().for_each(|(key, value)| {
+            //タイトルに利用するものはascii文字であることを前提として1文字目を大文字にするように変更する
+            println!(
+                "{} rules: {}",
+                make_ascii_titlecase(key.clone().as_mut()),
+                value
+            );
+        });
         println!();
+
         let mut sorted_rc: Vec<(&String, &u128)> = rc.iter().collect();
         sorted_rc.sort_by(|a, b| a.0.cmp(b.0));
         let mut enable_total = 0;

src/yaml.rs

@@ -18,9 +18,7 @@ use yaml_rust::YamlLoader;
 pub struct ParseYaml {
     pub files: Vec<(String, yaml_rust::Yaml)>,
     pub rulecounter: HashMap<String, u128>,
-    pub exclude_rule_count: u128,
-    pub noisy_rule_count: u128,
-    pub deprecate_rule_count: u128,
+    pub rule_load_status_cnt: HashMap<String, u128>,
     pub errorrule_count: u128,
 }
 
@@ -35,9 +33,11 @@ impl ParseYaml {
         ParseYaml {
             files: Vec::new(),
             rulecounter: HashMap::new(),
-            exclude_rule_count: 0,
-            noisy_rule_count: 0,
-            deprecate_rule_count: 0,
+            rule_load_status_cnt: HashMap::from([
+                ("excluded".to_string(), 0_u128),
+                ("noisy".to_string(), 0_u128),
+                ("deprecate".to_string(), 0_u128),
+            ]),
             errorrule_count: 0,
         }
     }
@@ -221,19 +221,22 @@ impl ParseYaml {
                 //除外されたルールは無視する
                 let rule_id = &yaml_doc["id"].as_str();
                 if rule_id.is_some() {
-                    match exclude_ids
+                    if let Some(v) = exclude_ids
                         .no_use_rule
-                        .get(&rule_id.unwrap_or("").to_string())
+                        .get(&rule_id.unwrap_or(&String::default()).to_string())
                     {
-                        None => (),
-                        Some(v) => {
-                            if v.contains("exclude_rule") {
-                                self.exclude_rule_count += 1;
-                            } else {
-                                self.noisy_rule_count += 1;
-                            }
-                            return Option::None;
+                        let entry_key;
+                        if v.contains("exclude_rule") {
+                            entry_key = "excluded";
+                        } else {
+                            entry_key = "noisy";
                         }
+                        let entry = self
+                            .rule_load_status_cnt
+                            .entry(entry_key.to_string())
+                            .or_insert(0);
+                        *entry += 1;
+                        return Option::None;
                     }
                 }
 
@@ -245,6 +248,17 @@ impl ParseYaml {
                         + 1,
                 );
 
+                let status_cnt = self
+                    .rule_load_status_cnt
+                    .entry(
+                        yaml_doc["status"]
+                            .as_str()
+                            .unwrap_or("Undefined")
+                            .to_string(),
+                    )
+                    .or_insert(0);
+                *status_cnt += 1;
+
                 if configs::CONFIG.read().unwrap().args.is_present("verbose") {
                     println!("Loaded yml file path: {}", filepath);
                 }
@@ -269,7 +283,11 @@ impl ParseYaml {
                 {
                     let rule_status = &yaml_doc["status"].as_str().unwrap_or_default();
                     if *rule_status == "deprecated" {
-                        self.deprecate_rule_count += 1;
+                        let entry = self
+                            .rule_load_status_cnt
+                            .entry(rule_status.to_string())
+                            .or_insert(0);
+                        *entry += 1;
                         return Option::None;
                     }
                 }