Update: read messages from rules/**.toml

2020-10-29 23:00:55 +09:00
parent c53b4b6f46
commit 1d8a9c19d2
8 changed files with 61 additions and 10 deletions
--- a/src/detections/powershell.rs
+++ b/src/detections/powershell.rs
@@ -1,8 +1,8 @@
 use crate::detections::utils;
 use crate::models::event;
+use crate::detections::print::MESSAGES;
 use regex::Regex;
 use std::collections::HashMap;
-extern crate csv;

 pub struct PowerShell {}

@@ -25,6 +25,10 @@ impl PowerShell {
        if event_id != "4103" {
            return;
        }
+
+        let message = MESSAGES.lock().unwrap();
+        println!("{}", message.return_message("4103"));
+
        let default = String::from("");
        let commandline = event_data.get("ContextInfo").unwrap_or(&default);

@@ -48,6 +52,9 @@ impl PowerShell {
        if event_id != "4104" {
            return;
        }
+        let message = MESSAGES.lock().unwrap();
+        println!("{}", message.return_message("4104"));
+
        let default = String::from("");
        let path = event_data.get("Path").unwrap().to_string();
        if path == "".to_string() {
--- a/src/detections/print.rs
+++ b/src/detections/print.rs
@@ -1,18 +1,20 @@
+extern crate lazy_static;
 use crate::detections::configs::{get_lang, Lang};
 use std::collections::HashMap;
+use crate::models::rule::MessageText;
+use lazy_static::lazy_static;
 use std::fmt;
-
-#[derive(Debug)]
-pub struct MessageText {
-    pub ja: String,
-    pub en: String,
-}
+use std::sync::Mutex;

 #[derive(Debug)]
 pub struct Message {
    map: HashMap<String, MessageText>,
 }

+lazy_static! {
+    pub static ref MESSAGES: Mutex<Message> = Mutex::new(Message::new());
+}
+
 impl Message {
    pub fn new() -> Self {
        let mut messages: HashMap<String, MessageText> = HashMap::new();
@@ -33,7 +35,9 @@ impl Message {

    /// メッセージを返す
    pub fn return_message(&self, message_num: &str) -> &MessageText {
-        self.map.get(message_num).unwrap_or(self.map.get("undefined").unwrap())
+        self.map
+            .get(message_num)
+            .unwrap_or(self.map.get("undefined").unwrap())
    }
 }

@@ -60,7 +64,10 @@ fn test_create_and_read_message() {
        },
    );

-    let display = format!("{}", format_args!("{}", error_message.return_message("4103")));
+    let display = format!(
+        "{}",
+        format_args!("{}", error_message.return_message("4103"))
+    );

    assert_eq!(display, "Execute pipeline")
 }
--- a/src/main.rs
+++ b/src/main.rs
@@ -5,12 +5,28 @@ use quick_xml::de::DeError;
 use std::{fs, path::PathBuf, process};
 use yamato_event_analyzer::detections::configs;
 use yamato_event_analyzer::detections::detection;
-use yamato_event_analyzer::detections::print;
+use yamato_event_analyzer::detections::print::MESSAGES;
 use yamato_event_analyzer::omikuji::Omikuji;
 use yamato_event_analyzer::toml;

 fn main() -> Result<(), DeError> {
    configs::singleton();
+    let mut toml = toml::ParseToml::new();
+    &toml.read_dir("rules".to_string());
+
+    for rule in toml.rules {
+        match rule {
+            Ok(_rule) => {
+                let mut message = MESSAGES.lock().unwrap();
+                if let Some(messages) = _rule.rule.messages {
+                    for (key, texts) in messages {
+                        message.insert_message(key, texts);
+                    }
+                }
+            }
+            Err(_) => (),
+        }
+    }

    let filepath: String = configs::singleton()
        .args
--- a/src/models/rule.rs
+++ b/src/models/rule.rs
@@ -5,6 +5,13 @@ use serde::Deserialize;
 pub struct Rule {
    pub severity: Option<String>,
    pub name: Option<String>,
+    pub messages: Option<Vec<(String, MessageText)>>,
+}
+
+#[derive(Debug, Deserialize)]
+pub struct MessageText {
+    pub ja: String,
+    pub en: String,
 }

 #[derive(Debug, Deserialize)]