fix applocker

2020-10-31 19:06:36 +09:00
parent a8b8cc3229
commit 4649ff97b3
2 changed files with 24 additions and 19 deletions
@@ -1,4 +1,7 @@
+extern crate regex;
+
 use crate::models::event;
+use regex::Regex;
 use std::collections::HashMap;

 pub struct AppLocker {}
@@ -11,39 +14,40 @@ impl AppLocker {
    pub fn detection(
        &mut self,
        event_id: String,
-        AppLocker: &event::AppLocker,
-        event_data: HashMap<String, String>,
+        _system: &event::System,
+        _event_data: HashMap<String, String>,
    ) {
-        if event_id == "8003" {
-            &self.AppLocker_log_warning();
-        } else if event_id == "8004" {
-            &self.AppLocker_log_block(event_data);
-        }
-        // -- Not Implemented 8006 and 8007 on DeepBlueCLI, but reserved these ID. -- 
-        //
-        //} else if event_id == "8006" {
-        //    &self.windows_event_log(event_data);
-        //} else if event_id == "8007" {
-        //    &self.windows_event_log(event_data);
-        //}
+        self.appLocker_log_warning(&event_id, &_system);
+        self.appLocker_log_block(&event_id, &_system);
    }

-    fn AppLocker_log_warning(&mut self, applocker: &event::AppLocker) {
+    fn appLocker_log_warning(&mut self, event_id: &String, system: &event::System) {
+        if event_id != "8003" {
+            return;
+        }
+
        let re = Regex::new(r" was .*$").unwrap();
-        let command = re.replace_all(message, "");
+        let default = "".to_string();
+        let message = &system.message.as_ref().unwrap_or(&default);
+        let command = re.replace_all(&message, "");

        println!("Message Applocker Warning");
        println!("Command : {}", command);
        println!("Results : {}", message);
    }

-    fn AppLocker_log_block(&mut self, applocker: &event::AppLocker) {
+    fn appLocker_log_block(&mut self, event_id: &String, system: &event::System) {
+        if event_id != "8004" {
+            return;
+        }
+
        let re = Regex::new(r" was .*$").unwrap();
-        let command = re.replace_all(message, "");
+        let default = "".to_string();
+        let message = &system.message.as_ref().unwrap_or(&default);
+        let command = re.replace_all(&message, "");

        println!("Message Applocker Block");
        println!("Command : {}", command);
        println!("Results : {}", message);
    }
-
 }
@@ -1,4 +1,5 @@
 mod application;
+mod applocker;
 mod common;
 mod configs;
 pub mod detection;