fixed detection lack when tab and enter control character in event record#395 (#396)

* fixed no detected bug when enter and tab control character in record data #395 * added remove \r \n \t character in utils.rs * added call of utils.rs function in selectionnodes.rs * added tests #395 * changed space control character function args #395 * fixed test due to function args changes #395 * changed replace method using regex #395 * changed regex by record_data_filter.txt #395 * added record_data_filter.txt #395 * fixed test #395 * added record_data_filter - add Properties regex - add ScriptBlockText regex - add Payload regex
2022-02-17 05:07:15 +09:00
parent 0a559da580
commit 58017e971f
5 changed files with 162 additions and 7 deletions
--- a/src/detections/print.rs
+++ b/src/detections/print.rs
@@ -2,6 +2,8 @@ extern crate lazy_static;
 use crate::detections::configs;
 use crate::detections::utils;
 use crate::detections::utils::get_serde_number_to_string;
+use crate::filter::DataFilterRule;
+use crate::filter::FILTER_REGEX;
 use chrono::{DateTime, Local, TimeZone, Utc};
 use hashbrown::HashMap;
 use lazy_static::lazy_static;
@@ -128,6 +130,7 @@ impl Message {
    fn parse_message(&mut self, event_record: &Value, output: String) -> String {
        let mut return_message: String = output;
        let mut hash_map: HashMap<String, String> = HashMap::new();
+        let mut output_filter: Option<&DataFilterRule> = None;
        for caps in ALIASREGEX.captures_iter(&return_message) {
            let full_target_str = &caps[0];
            let target_length = full_target_str.chars().count() - 2; // The meaning of 2 is two percent
@@ -141,15 +144,20 @@ impl Message {
                let split: Vec<&str> = array_str.split(".").collect();
                let mut is_exist_event_key = false;
                let mut tmp_event_record: &Value = event_record.into();
-                for s in split {
+                for s in &split {
                    if let Some(record) = tmp_event_record.get(s) {
                        is_exist_event_key = true;
                        tmp_event_record = record;
+                        output_filter = FILTER_REGEX.get(&s.to_string());
                    }
                }
                if is_exist_event_key {
-                    let hash_value = get_serde_number_to_string(tmp_event_record);
+                    let mut hash_value = get_serde_number_to_string(tmp_event_record);
                    if hash_value.is_some() {
+                        if output_filter.is_some() {
+                            hash_value =
+                                utils::replace_target_character(hash_value.as_ref(), output_filter);
+                        }
                        hash_map.insert(full_target_str.to_string(), hash_value.unwrap());
                    }
                }