fixed detection lack when tab and enter control character in event record#395 (#396)

* fixed no detected bug when enter and tab control character in record data #395

* added remove \r \n \t character in utils.rs
* added call of utils.rs function in selectionnodes.rs

* added tests #395

* changed space control character function args #395

* fixed test due to function args changes #395

* changed replace method using regex #395

* changed regex by record_data_filter.txt #395

* added record_data_filter.txt #395

* fixed test #395

* added record_data_filter

- add Properties regex
- add ScriptBlockText regex
- add Payload regex

src/detections/rule/selectionnodes.rs

@@ -1,4 +1,5 @@
 use crate::detections::{detection::EvtxRecordInfo, utils};
+use crate::filter::FILTER_REGEX;
 use mopa::mopafy;
 use std::{sync::Arc, vec};
 use yaml_rust::Yaml;
@@ -314,6 +315,9 @@ impl SelectionNode for LeafSelectionNode {
                     ]
                 }
         */
+
+        let filter_rule = FILTER_REGEX.get(self.get_key());
+
         if self.get_key() == "EventData" {
             let values =
                 utils::get_event_value(&"Event.EventData.Data".to_string(), &event_record.record);
@@ -329,11 +333,15 @@ impl SelectionNode for LeafSelectionNode {
             let eventdata_data = values.unwrap();
             if eventdata_data.is_boolean() || eventdata_data.is_i64() || eventdata_data.is_string()
             {
+                let replaced_str = utils::replace_target_character(
+                    event_record.get_value(self.get_key()),
+                    filter_rule,
+                );
                 return self
                     .matcher
                     .as_ref()
                     .unwrap()
-                    .is_match(event_record.get_value(self.get_key()), event_record);
+                    .is_match(replaced_str.as_ref(), event_record);
             }
             // 配列の場合は配列の要素のどれか一つでもルールに合致すれば条件に一致したことにする。
             if eventdata_data.is_array() {
@@ -342,12 +350,15 @@ impl SelectionNode for LeafSelectionNode {
                     .unwrap()
                     .iter()
                     .any(|ary_element| {
-                        let aryelement_val = utils::value_to_string(ary_element);
+                        let replaced_str = utils::replace_target_character(
+                            utils::value_to_string(ary_element).as_ref(),
+                            filter_rule,
+                        );
                         return self
                             .matcher
                             .as_ref()
                             .unwrap()
-                            .is_match(aryelement_val.as_ref(), event_record);
+                            .is_match(replaced_str.as_ref(), event_record);
                     });
             } else {
                 return self
@@ -358,12 +369,14 @@ impl SelectionNode for LeafSelectionNode {
             }
         }
 
-        let event_value = self.get_event_value(&event_record);
+        let replaced_str =
+            utils::replace_target_character(self.get_event_value(&event_record), filter_rule);
+
         return self
             .matcher
             .as_ref()
             .unwrap()
-            .is_match(event_value, event_record);
+            .is_match(replaced_str.as_ref(), event_record);
     }
 
     fn init(&mut self) -> Result<(), Vec<String>> {