diff --git a/src/detections/detection.rs b/src/detections/detection.rs
index c6d8682e..3c9968bf 100644
--- a/src/detections/detection.rs
+++ b/src/detections/detection.rs
@@ -6,7 +6,7 @@ use crate::detections::print::AlertMessage;
 use crate::detections::print::DetectInfo;
 use crate::detections::print::ERROR_LOG_STACK;
 use crate::detections::print::MESSAGES;
-use crate::detections::print::{CH_CONFIG, IS_HIDE_RECORD_ID, TAGS_CONFIG, DEFAULT_DETAILS};
+use crate::detections::print::{CH_CONFIG, DEFAULT_DETAILS, IS_HIDE_RECORD_ID, TAGS_CONFIG};
 use crate::detections::print::{
     LOGONSUMMARY_FLAG, PIVOT_KEYWORD_LIST_FLAG, QUIET_ERRORS_FLAG, STATISTICS_FLAG,
 };
@@ -236,8 +236,12 @@ impl Detection {
         };
         let ch_str = &get_serde_number_to_string(&record_info.record["Event"]["System"]["Channel"])
             .unwrap_or_default();
-        let eid = get_serde_number_to_string(&record_info.record["Event"]["System"]["EventID"]).unwrap_or_else(|| "-".to_owned());
-        let default_output = DEFAULT_DETAILS.get(&format!("{}_{}",ch_str, &eid)).unwrap_or(&"-".to_string()).to_string();
+        let eid = get_serde_number_to_string(&record_info.record["Event"]["System"]["EventID"])
+            .unwrap_or_else(|| "-".to_owned());
+        let default_output = DEFAULT_DETAILS
+            .get(&format!("{}_{}", ch_str, &eid))
+            .unwrap_or(&"-".to_string())
+            .to_string();
         let detect_info = DetectInfo {
             filepath: record_info.evtx_filepath.to_string(),
             rulepath: rule.rulepath.to_string(),
@@ -255,7 +259,10 @@ impl Detection {
         };
         MESSAGES.lock().unwrap().insert(
             &record_info.record,
-            rule.yaml["details"].as_str().unwrap_or(&default_output).to_string(),
+            rule.yaml["details"]
+                .as_str()
+                .unwrap_or(&default_output)
+                .to_string(),
             detect_info,
         );
     }
diff --git a/src/detections/print.rs b/src/detections/print.rs
index 9bd9c221..75443ba2 100644
--- a/src/detections/print.rs
+++ b/src/detections/print.rs
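Review bot: In the `default_output` chain of the second hunk, `unwrap_or(&"-".to_string())` builds the fallback `String` on every call, including when the `DEFAULT_DETAILS` lookup hits, so the common path pays an allocation it never uses; `.map(String::as_str).unwrap_or("-").to_string()` (or `.cloned().unwrap_or_else(|| "-".to_string())`) keeps the same result without it. The same eager-default pattern appears in the third hunk, where `default_output` — and the `format!` plus map lookup behind it — is computed even when `rule.yaml["details"]` is a string and the default is never read; deferring it with `.map(str::to_string).unwrap_or_else(|| …)` would make both the allocation and the lookup lazy. The enclosing method of both hunks starts and ends outside the diff, so the callers of `default_output` beyond these lines were not checked.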
@@ -228,35 +228,61 @@ impl Message {
 
     /// detailsのdefault値をファイルから読み取る関数
     pub fn get_default_details() -> HashMap {
-        let read_result = utils::read_csv(&format!("{}/default_details.txt", configs::CONFIG.read().unwrap().args.config.as_path().display()));
+        let read_result = utils::read_csv(&format!(
+            "{}/default_details.txt",
+            configs::CONFIG
+                .read()
+                .unwrap()
+                .args
+                .config
+                .as_path()
+                .display()
+        ));
         match read_result {
             Err(_e) => {
                 AlertMessage::alert(&_e).ok();
                 HashMap::new()
-            },
+            }
             Ok(lines) => {
-                let mut ret:HashMap = HashMap::new();
-                lines.into_iter().try_for_each(|line| -> Result<(), String> {
-                    let provider = match line.get(0) {
-                        Some(_provider) => _provider.trim(),
-                        _ => return Result::Err("Failed to read provider in default_details.txt.".to_string())
-                    };
-                    let eid = match line.get(1) {
-                        Some(eid_str) => {
-                            match eid_str.trim().parse::() {
-                                Ok(_eid) => _eid,
-                                _ => return Result::Err("Parse Error EventID in default_details.txt.".to_string())
+                let mut ret: HashMap = HashMap::new();
+                lines
+                    .into_iter()
+                    .try_for_each(|line| -> Result<(), String> {
+                        let provider = match line.get(0) {
+                            Some(_provider) => _provider.trim(),
+                            _ => {
+                                return Result::Err(
+                                    "Failed to read provider in default_details.txt.".to_string(),
+                                )
                             }
-                        },
-                        _ => return Result::Err("Failed to read EventID in default_details.txt.".to_string())
-                    };
-                    let details = match line.get(2) {
-                        Some(detail) => detail.trim(),
-                        _ => return Result::Err("Failed to read details in default_details.txt.".to_string())
-                    };
-                    ret.insert(format!("{}_{}", provider, eid), details.to_string());
-                    Ok(())
-                }).ok();
+                        };
+                        let eid = match line.get(1) {
+                            Some(eid_str) => match eid_str.trim().parse::() {
+                                Ok(_eid) => _eid,
+                                _ => {
+                                    return Result::Err(
+                                        "Parse Error EventID in default_details.txt.".to_string(),
+                                    )
+                                }
+                            },
+                            _ => {
+                                return Result::Err(
+                                    "Failed to read EventID in default_details.txt.".to_string(),
+                                )
+                            }
+                        };
+                        let details = match line.get(2) {
+                            Some(detail) => detail.trim(),
+                            _ => {
+                                return Result::Err(
+                                    "Failed to read details in default_details.txt.".to_string(),
+                                )
+                            }
+                        };
+                        ret.insert(format!("{}_{}", provider, eid), details.to_string());
+                        Ok(())
+                    })
+                    .ok();
                 ret
             }
         }
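Review bot: The `.ok()` closing the `try_for_each` chain in the `Ok(lines)` arm discards the error the closure returns, so a single malformed row in default_details.txt stops the load at that row with no message, every row after it is silently dropped, and the three `Result::Err(...)` strings built inside the closure are never shown to anyone. For a tool whose output depends on this table, that is a quiet fidelity loss: affected channel/EventID pairs fall back to `-` and nothing in the logs explains why. Surface the failure the way the `Err(_e)` arm above already does, e.g. `if let Err(e) = lines.into_iter().try_for_each(|line| -> Result<(), String> { … }) { AlertMessage::alert(&e).ok(); }` (assuming `alert` accepts a `&String`, which the `Err(_e)` arm does not let me confirm), or have the closure report and skip the bad row so one typo does not truncate the rest of the table. The function's closing brace lies outside the hunk.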