add check_regex() and check_creater()

src/detections/mod.rs

@@ -3,3 +3,4 @@ mod common;
 pub mod detection;
 mod security;
 mod system;
+mod utils;

src/detections/security.rs

@@ -42,7 +42,6 @@ impl Security {
     // Special privileges assigned to new logon (possible admin access)
     //
     fn se_debug_privilege(&mut self, event_data: HashMap<String, String>) {
-
         if let Some(privileage_list) = event_data.get("PrivilegeList") {
             if let Some(_data) = privileage_list.find("SeDebugPrivilege") {
                 // alert_all_adminが有効であれば、標準出力して知らせる
@@ -72,10 +71,8 @@ impl Security {
                                 event_data["SubjectUserSid"].to_string(),
                                 sid[&event_data["SubjectUserSid"]] + 1,
                             );
-                            self.admin_logons.insert(
-                                event_data["SubjectUserName"].to_string(),
-                                count_hash,
-                            );
+                            self.admin_logons
+                                .insert(event_data["SubjectUserName"].to_string(), count_hash);
                         }
                     }
                     None => {

src/detections/utils.rs

@@ -0,0 +1,57 @@
+extern crate csv;
+use std::env;
+use std::fs::File;
+use std::io::prelude::*;
+use std::string::String;
+
+pub fn check_command() {}
+
+fn check_regex(string: &str, r#type: &str) -> std::string::String {
+    let mut f = File::open("regexes.txt").expect("file not found");
+    let mut contents = String::new();
+    f.read_to_string(&mut contents);
+
+    let mut rdr = csv::Reader::from_reader(contents.as_bytes());
+
+    let mut regextext = "".to_string();
+    for regex in rdr.records() {
+        match regex {
+            /*
+            data[0] is type.
+            data[1] is regex.
+            data[2] is string.
+            */
+            Ok(_data) => {
+                if &_data[0] == r#type && &_data[1] == string {
+                    regextext.push_str(&_data[2]);
+                    regextext.push_str("\n");
+                }
+            }
+            Err(_data) => (),
+        }
+    }
+    return regextext;
+}
+
+fn check_creator(command: &str, creator: &str) -> std::string::String {
+    let mut creatortext = "".to_string();
+    if (!creator.is_empty()) {
+        if (command == "powershell") {
+            if (creator == "PSEXESVC") {
+                creatortext.push_str("PowerShell launched via PsExec: $creator\n");
+            } else if (creator == "WmiPrvSE") {
+                creatortext.push_str("PowerShell launched via WMI: $creator\n");
+            }
+        }
+    }
+    return creatortext;
+}
+
+#[cfg(test)]
+mod tests {
+    use crate::detections::utils;
+    #[test]
+    fn test_check_regex() {
+        let result = utils::check_regex("test", "0");
+    }
+}