diff --git a/src/detections/rule/matchers.rs b/src/detections/rule/matchers.rs
index 3b6b8502..27d98c69 100644
--- a/src/detections/rule/matchers.rs
+++ b/src/detections/rule/matchers.rs
@@ -1286,6 +1286,48 @@ mod tests {
 }
 }
 
+ #[test]
+ fn test_detect_startswith_case_insensitive() {
+ // startswithが大文字小文字を区別しないことを確認
+ let rule_str = r#"
+ enabled: true
+ detection:
+ selection:
+ Channel: Security
+ EventID: 4732
+ TargetUserName|startswith: "ADMINISTRATORS"
+ details: 'user added to local Administrators UserName: %MemberName% SID: %MemberSid%'
+ "#;
+
+ let record_json_str = r#"
+ {
+ "Event": {
+ "System": {
+ "EventID": 4732,
+ "Channel": "Security"
+ },
+ "EventData": {
+ "TargetUserName": "TestAdministrators"
+ }
+ },
+ "Event_attributes": {
+ "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+ }
+ }"#;
+
+ let mut rule_node = parse_rule_from_str(rule_str);
+ match serde_json::from_str(record_json_str) {
+ Ok(record) => {
+ let keys = detections::rule::get_detection_keys(&rule_node);
+ let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys);
+ assert!(!rule_node.select(&recinfo));
+ }
+ Err(_rec) => {
+ panic!("Failed to parse json record.");
+ }
+ }
+ }
+
 #[test]
 fn test_detect_endswith1() {
 // endswithが正しく検知できることを確認
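Review bot: The assertion `assert!(!rule_node.select(&recinfo));` cannot verify what the test name and comment claim, because the record value `TestAdministrators` does not start with `ADMINISTRATORS` under any case folding, so the negative result holds whether the matcher is case-sensitive or not. The same applies to the endswith test in the second hunk (`AdministratorsTest` ends in `Test`) and the contains test in the third (`Testministrators` lacks the leading `Ad`), so all three would pass unchanged against a case-sensitive matcher. To exercise case-insensitive matching each test needs a record that differs from its pattern only in case together with a positive assertion, e.g. here `"TargetUserName": "administratorsTest"` with `assert!(rule_node.select(&recinfo));`, keeping the current record as a second, negative case if desired. Case-insensitive comparison is what stops a rule from being sidestepped by a case change in the event field, so a regression in it is exactly what these tests should catch. The enclosing `mod tests` begins and ends outside the hunk.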
@@ -1370,6 +1412,48 @@ mod tests {
 }
 }
 
+ #[test]
+ fn test_detect_endswith_case_insensitive() {
+ // endswithが大文字小文字を区別せず検知するかを確認するテスト
+ let rule_str = r#"
+ enabled: true
+ detection:
+ selection:
+ Channel: Security
+ EventID: 4732
+ TargetUserName|endswith: "ADministRATORS"
+ details: 'user added to local Administrators UserName: %MemberName% SID: %MemberSid%'
+ "#;
+
+ let record_json_str = r#"
+ {
+ "Event": {
+ "System": {
+ "EventID": 4732,
+ "Channel": "Security"
+ },
+ "EventData": {
+ "TargetUserName": "AdministratorsTest"
+ }
+ },
+ "Event_attributes": {
+ "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+ }
+ }"#;
+
+ let mut rule_node = parse_rule_from_str(rule_str);
+ match serde_json::from_str(record_json_str) {
+ Ok(record) => {
+ let keys = detections::rule::get_detection_keys(&rule_node);
+ let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys);
+ assert!(!rule_node.select(&recinfo));
+ }
+ Err(_rec) => {
+ panic!("Failed to parse json record.");
+ }
+ }
+ }
+
 #[test]
 fn test_detect_contains1() {
 // containsが正しく検知できることを確認
@@ -1454,6 +1538,48 @@ mod tests {
 }
 }
 
+ #[test]
+ fn test_detect_contains_case_insensitive() {
+ // containsが大文字小文字を区別せずに検知することを確認するテスト
+ let rule_str = r#"
+ enabled: true
+ detection:
+ selection:
+ Channel: Security
+ EventID: 4732
+ TargetUserName|contains: "ADminIstraTOrS"
+ details: 'user added to local Administrators UserName: %MemberName% SID: %MemberSid%'
+ "#;
+
+ let record_json_str = r#"
+ {
+ "Event": {
+ "System": {
+ "EventID": 4732,
+ "Channel": "Security"
+ },
+ "EventData": {
+ "TargetUserName": "Testministrators"
+ }
+ },
+ "Event_attributes": {
+ "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+ }
+ }"#;
+
+ let mut rule_node = parse_rule_from_str(rule_str);
+ match serde_json::from_str(record_json_str) {
+ Ok(record) => {
+ let keys = detections::rule::get_detection_keys(&rule_node);
+ let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys);
+ assert!(!rule_node.select(&recinfo));
+ }
+ Err(_rec) => {
+ panic!("Failed to parse json record.");
+ }
+ }
+ }
+
 #[test]
 fn test_detect_wildcard_multibyte() {
 // multi byteの確認