From 26fe7dd2b276cedeefbadea5ce63c24475804a27 Mon Sep 17 00:00:00 2001
From: DastInDark <2350416+hitenkoku@users.noreply.github.com>
Date: Wed, 7 Sep 2022 10:22:36 +0900
Subject: [PATCH 1/4] changed channel convert from case-sensitive to insensitive #685
---
 src/detections/detection.rs | 6 +++++-
 src/detections/message.rs | 4 ++--
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/detections/detection.rs b/src/detections/detection.rs
index 2f4e6207..c1267928 100644
--- a/src/detections/detection.rs
+++ b/src/detections/detection.rs
@@ -25,6 +25,7 @@ use crate::filter;
 use crate::yaml::ParseYaml;
 use hashbrown::HashMap;
 use serde_json::Value;
+use std::ascii::AsciiExt;
 use std::fmt::Write;
 use std::path::Path;
@@ -264,7 +265,10 @@ impl Detection {
 "%Channel%" => {
 profile_converter.insert(
 "%Channel%".to_string(),
- CH_CONFIG.get(ch_str).unwrap_or(ch_str).to_string(),
+ CH_CONFIG
+ .get(&ch_str.to_ascii_lowercase())
+ .unwrap_or(ch_str)
+ .to_string(),
 );
 }
 "%Level%" => {
diff --git a/src/detections/message.rs b/src/detections/message.rs
index e3a3d235..1335f682 100644
--- a/src/detections/message.rs
+++ b/src/detections/message.rs
@@ -105,10 +105,10 @@ pub fn create_output_filter_config(path: &str) -> HashMap {
 return;
 }
- let tag_full_str = line[0].trim();
+ let tag_full_str = line[0].trim().to_ascii_lowercase();
 let tag_replace_str = line[1].trim();
- ret.insert(tag_full_str.to_owned(), tag_replace_str.to_owned());
+ ret.insert(tag_full_str, tag_replace_str.to_owned());
 });
 ret
 }
From a3faa89d41ea3dff1595806ecc073c177d04b8cb Mon Sep 17 00:00:00 2001
From: DastInDark <2350416+hitenkoku@users.noreply.github.com>
Date: Wed, 7 Sep 2022 10:23:55 +0900
Subject: [PATCH 2/4] fixed test
---
 src/afterfact.rs | 2 +-
 src/detections/message.rs | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/afterfact.rs b/src/afterfact.rs
index 076e5578..4f6eb281 100644
--- a/src/afterfact.rs
+++ b/src/afterfact.rs
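Review bot: The `CH_CONFIG` lookup in the `"%Channel%"` arm now depends on the map's keys having been ASCII-lowercased at load time, but nothing at this call site says so; a later change to the loader that stops folding would make every lookup miss silently and fall through `unwrap_or(ch_str)` to the raw channel name, which is hard to notice. Suggest a comment above the expression: `// CH_CONFIG keys are stored ASCII-lowercased by create_output_filter_config; fold the lookup key the same way.` Using `to_ascii_lowercase` rather than `to_lowercase` is the right choice here because it is locale-independent and byte-for-byte, but that is worth stating in the same comment. The lowercased `String` is allocated on every lookup even when the channel is already lowercase; that is presumably fine unless this runs per event, in which case the allocation could be skipped when `ch_str` contains no ASCII uppercase bytes. The enclosing `match` and its function start and end outside the hunk.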
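Review bot: Lowercasing `tag_full_str` before `ret.insert` means two rows of the abbreviations file whose first column differs only by case now map to the same key, and the later row silently overwrites the earlier one; before this change they were distinct entries. Since this reads a user-editable config file, the collision should at least be surfaced: `if ret.insert(tag_full_str, tag_replace_str.to_owned()).is_some() { /* TODO: warn that `path` has a duplicate channel key */ }`. The signature of `create_output_filter_config` is only visible in the hunk header and the rest of its body is outside the hunk, so the crate's logging call for that warning cannot be confirmed from here. A doc comment on the function stating that keys are stored ASCII-lowercased and that callers must fold lookups the same way would also help, since the `CH_CONFIG` lookup in detection.rs relies on it.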
@@ -795,7 +795,7 @@ mod tests {
 (
 "%Channel%".to_owned(),
 mock_ch_filter
- .get("Security")
+ .get("security")
 .unwrap_or(&String::default())
 .to_string(),
 ),
diff --git a/src/detections/message.rs b/src/detections/message.rs
index 1335f682..b3b63a91 100644
--- a/src/detections/message.rs
+++ b/src/detections/message.rs
@@ -599,7 +599,7 @@ mod tests {
 let actual = create_output_filter_config("test_files/config/channel_abbreviations.txt");
 let actual2 = create_output_filter_config("test_files/config/channel_abbreviations.txt");
 let expected: HashMap = HashMap::from([
- ("Security".to_string(), "Sec".to_string()),
+ ("security".to_string(), "Sec".to_string()),
 ("xxx".to_string(), "yyy".to_string()),
 ]);
 _check_hashmap_element(&expected, actual);
From 576f34bcb0e21ad447a3a6dab2c0f1828bcf0637 Mon Sep 17 00:00:00 2001
From: DastInDark <2350416+hitenkoku@users.noreply.github.com>
Date: Wed, 7 Sep 2022 10:28:48 +0900
Subject: [PATCH 3/4] fixed test input code and removed unused import
---
 src/afterfact.rs | 2 +-
 src/detections/detection.rs | 1 -
 src/detections/message.rs | 2 +-
 3 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/src/afterfact.rs b/src/afterfact.rs
index 4f6eb281..4bf61ee6 100644
--- a/src/afterfact.rs
+++ b/src/afterfact.rs
@@ -795,7 +795,7 @@ mod tests {
 (
 "%Channel%".to_owned(),
 mock_ch_filter
- .get("security")
+ .get(&"Security".to_ascii_lowercase())
 .unwrap_or(&String::default())
 .to_string(),
 ),
diff --git a/src/detections/detection.rs b/src/detections/detection.rs
index c1267928..75e801de 100644
--- a/src/detections/detection.rs
+++ b/src/detections/detection.rs
@@ -25,7 +25,6 @@ use crate::filter;
 use crate::yaml::ParseYaml;
 use hashbrown::HashMap;
 use serde_json::Value;
-use std::ascii::AsciiExt;
 use std::fmt::Write;
 use std::path::Path;
diff --git a/src/detections/message.rs b/src/detections/message.rs
index b3b63a91..fa374282 100644
--- a/src/detections/message.rs
+++ b/src/detections/message.rs
@@ -599,7 +599,7 @@ mod tests {
 let actual = create_output_filter_config("test_files/config/channel_abbreviations.txt");
 let actual2 = create_output_filter_config("test_files/config/channel_abbreviations.txt");
 let expected: HashMap = HashMap::from([
- ("security".to_string(), "Sec".to_string()),
+ ("Security".to_ascii_lowercase(), "Sec".to_string()),
 ("xxx".to_string(), "yyy".to_string()),
 ]);
 _check_hashmap_element(&expected, actual);
From f4c4e03623cc10ddd7d537cb216bce6668e84736 Mon Sep 17 00:00:00 2001
From: DastInDark <2350416+hitenkoku@users.noreply.github.com>
Date: Wed, 7 Sep 2022 10:29:18 +0900
Subject: [PATCH 4/4] updated changelog #685
---
 CHANGELOG-Japanese.md | 1 +
 CHANGELOG.md | 1 +
 2 files changed, 2 insertions(+)
diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md
index 87180caa..e9398d53 100644
--- a/CHANGELOG-Japanese.md
+++ b/CHANGELOG-Japanese.md
@@ -11,6 +11,7 @@
 - 結果概要に各レベルで検知した上位5つのルールを表示するようにした。 (#667) (@hitenkoku)
 - 結果概要を出力しないようにするために `--no-summary` オプションを追加した。 (#672) (@hitenkoku)
 - 結果概要の表示を短縮させた。 (#675 #678) (@hitenkoku)
+- channel_abbreviations.txtによるChannelフィールドのチェックを大文字小文字の区別をなくした。 (#685) (@hitenkoku)
 **バグ修正:**
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4b02f742..cd145245 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,6 +11,7 @@
 - Added top alerts to results summary. (#667) (@hitenkoku)
 - Added `--no-summary` option to not display the results summary. (#672) (@hitenkoku)
 - Made the results summary more compact. (#675 #678) (@hitenkoku)
+- Made Channel field in channel_abbreviations.txt case-insensitive. (#685) (@hitenkoku)
 **Bug Fixes:**