fixed detection lack when tab and enter control character in event record#395 (#396)

* fixed no detected bug when enter and tab control character in record data #395

* added remove \r \n \t character in utils.rs
* added call of utils.rs function in selectionnodes.rs

* added tests #395

* changed space control character function args #395

* fixed test due to function args changes #395

* changed replace method using regex #395

* changed regex by record_data_filter.txt #395

* added record_data_filter.txt #395

* fixed test #395

* added record_data_filter

- add Properties regex
- add ScriptBlockText regex
- add Payload regex

src/detections/utils.rs

@@ -3,6 +3,7 @@ extern crate csv;
 extern crate regex;
 
 use crate::detections::configs;
+use crate::filter::DataFilterRule;
 
 use tokio::runtime::Builder;
 use tokio::runtime::Runtime;
@@ -39,6 +40,28 @@ pub fn check_regex(string: &str, regex_list: &Vec<Regex>) -> bool {
     return false;
 }
 
+/// replace string from all defined regex in input to replace_str
+pub fn replace_target_character<'a>(
+    input_str: Option<&'a String>,
+    replace_rule: Option<&'a DataFilterRule>,
+) -> Option<String> {
+    if input_str.is_none() {
+        return None;
+    }
+    if replace_rule.is_none() {
+        return Some(input_str.unwrap().to_string());
+    }
+
+    let replace_regex_rule = &replace_rule.unwrap().regex_rule;
+    let replace_str = &replace_rule.unwrap().replace_str;
+
+    return Some(
+        replace_regex_rule
+            .replace_all(input_str.unwrap(), replace_str)
+            .to_string(),
+    );
+}
+
 pub fn check_allowlist(target: &str, regexes: &Vec<Regex>) -> bool {
     for regex in regexes {
         if regex.is_match(target) {
@@ -238,6 +261,7 @@ pub fn create_rec_info(data: Value, path: String, keys: &Vec<String>) -> EvtxRec
 #[cfg(test)]
 mod tests {
     use crate::detections::utils;
+    use crate::filter::DataFilterRule;
     use regex::Regex;
     use serde_json::Value;
 
@@ -326,4 +350,31 @@ mod tests {
 
         assert!(utils::get_serde_number_to_string(&event_record["Event"]["EventData"]).is_none());
     }
+
+    #[test]
+    /// 指定された文字から指定されたregexぉ実行する関数が動作するかのテスト
+    fn test_remove_space_control() {
+        let test_filter_rule = DataFilterRule {
+            regex_rule: Regex::new(r"[\r\n\t]+").unwrap(),
+            replace_str: "".to_string(),
+        };
+        let none_test_str: Option<&String> = None;
+
+        assert_eq!(
+            utils::replace_target_character(none_test_str, None).is_none(),
+            true
+        );
+
+        assert_eq!(
+            utils::replace_target_character(none_test_str, Some(&test_filter_rule)).is_none(),
+            true
+        );
+
+        let tmp = "h\ra\ny\ta\tb\nu\r\nsa".to_string();
+        let test_str: Option<&String> = Some(&tmp);
+        assert_eq!(
+            utils::replace_target_character(test_str, Some(&test_filter_rule)).unwrap(),
+            "hayabusa"
+        );
+    }
 }