fixed detection lack when tab and enter control character in event record#395 (#396)

* fixed no detected bug when enter and tab control character in record data #395 * added remove \r \n \t character in utils.rs * added call of utils.rs function in selectionnodes.rs * added tests #395 * changed space control character function args #395 * fixed test due to function args changes #395 * changed replace method using regex #395 * changed regex by record_data_filter.txt #395 * added record_data_filter.txt #395 * fixed test #395 * added record_data_filter - add Properties regex - add ScriptBlockText regex - add Payload regex
2022-02-17 05:07:15 +09:00
parent 0a559da580
commit 58017e971f
5 changed files with 162 additions and 7 deletions
@@ -2,6 +2,8 @@ use crate::detections::configs;
 use crate::detections::print::AlertMessage;
 use crate::detections::print::ERROR_LOG_STACK;
 use crate::detections::print::QUIET_ERRORS_FLAG;
+use crate::detections::utils;
+use hashbrown::HashMap;
 use hashbrown::HashSet;
 use lazy_static::lazy_static;
 use regex::Regex;
@@ -12,6 +14,78 @@ use std::io::{BufRead, BufReader};
 lazy_static! {
    static ref IDS_REGEX: Regex =
        Regex::new(r"^[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}$").unwrap();
+    pub static ref FILTER_REGEX: HashMap<String, DataFilterRule> = load_record_filters();
+}
+
+#[derive(Debug)]
+pub struct DataFilterRule {
+    pub regex_rule: Regex,
+    pub replace_str: String,
+}
+
+fn load_record_filters() -> HashMap<String, DataFilterRule> {
+    let file_path = "config/regex/record_data_filter.txt";
+    let read_result = utils::read_csv(file_path);
+    let mut ret = HashMap::new();
+    if read_result.is_err() {
+        if configs::CONFIG.read().unwrap().args.is_present("verbose") {
+            AlertMessage::warn(
+                &mut BufWriter::new(std::io::stderr().lock()),
+                &format!("{} does not exist", file_path),
+            )
+            .ok();
+        }
+        if !*QUIET_ERRORS_FLAG {
+            ERROR_LOG_STACK
+                .lock()
+                .unwrap()
+                .push(format!("{} does not exist", file_path));
+        }
+        return HashMap::default();
+    }
+    read_result.unwrap().into_iter().for_each(|line| {
+        if line.len() != 3 {
+            return;
+        }
+
+        let empty = &"".to_string();
+        let key = line.get(0).unwrap_or(empty).trim();
+        let regex_str = line.get(1).unwrap_or(empty).trim();
+        let replaced_str = line.get(2).unwrap_or(empty).trim();
+        if key.len() == 0 || regex_str.len() == 0 {
+            return;
+        }
+
+        let regex_rule: Option<Regex> = match Regex::new(regex_str) {
+            Ok(regex) => Some(regex),
+            Err(_err) => {
+                let errmsg = format!("failed to read regex filter in record_data_filter.txt");
+                if configs::CONFIG.read().unwrap().args.is_present("verbose") {
+                    AlertMessage::alert(&mut BufWriter::new(std::io::stderr().lock()), &errmsg)
+                        .ok();
+                }
+                if !*QUIET_ERRORS_FLAG {
+                    ERROR_LOG_STACK
+                        .lock()
+                        .unwrap()
+                        .push(format!("[ERROR] {}", errmsg));
+                }
+                None
+            }
+        };
+
+        if regex_rule.is_none() {
+            return;
+        }
+        ret.insert(
+            key.to_string(),
+            DataFilterRule {
+                regex_rule: regex_rule.unwrap(),
+                replace_str: replaced_str.to_string(),
+            },
+        );
+    });
+    return ret;
 }

 #[derive(Clone, Debug)]