changed rule path to rule file name #623
@@ -21,6 +21,7 @@ use std::fs::File;
|
|||||||
use std::io;
|
use std::io;
|
||||||
use std::io::BufWriter;
|
use std::io::BufWriter;
|
||||||
use std::io::Write;
|
use std::io::Write;
|
||||||
|
use std::path::Path;
|
||||||
use std::process;
|
use std::process;
|
||||||
use termcolor::{BufferWriter, Color, ColorChoice, ColorSpec, WriteColor};
|
use termcolor::{BufferWriter, Color, ColorChoice, ColorSpec, WriteColor};
|
||||||
use terminal_size::Width;
|
use terminal_size::Width;
|
||||||
@@ -40,7 +41,7 @@ pub struct CsvFormat<'a> {
|
|||||||
details: &'a str,
|
details: &'a str,
|
||||||
#[serde(skip_serializing_if = "Option::is_none")]
|
#[serde(skip_serializing_if = "Option::is_none")]
|
||||||
record_information: Option<&'a str>,
|
record_information: Option<&'a str>,
|
||||||
rule_path: &'a str,
|
rule_file: &'a str,
|
||||||
file_path: &'a str,
|
file_path: &'a str,
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -318,7 +319,7 @@ fn emit_csv<W: std::io::Write>(
|
|||||||
details: &detect_info.detail,
|
details: &detect_info.detail,
|
||||||
record_information: detect_info.record_information.as_deref(),
|
record_information: detect_info.record_information.as_deref(),
|
||||||
file_path: &detect_info.filepath,
|
file_path: &detect_info.filepath,
|
||||||
rule_path: &detect_info.rulepath,
|
rule_file: Path::new(&detect_info.rulepath).file_name().unwrap().to_str().unwrap(),
|
||||||
record_i_d: detect_info.record_id.as_deref(),
|
record_i_d: detect_info.record_id.as_deref(),
|
||||||
})?;
|
})?;
|
||||||
}
|
}
|
||||||
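Review bot: The new `rule_file` line unwraps twice on `Path::new(&detect_info.rulepath)`, so a rule path with no final component (`file_name()` is `None` for an empty path or one ending in `..`) or a non-UTF-8 file name (`to_str()` is `None`) now panics inside `emit_csv` instead of emitting the row. The old line wrote the path string unchanged and could not fail, and since `rulepath` is now the raw `rule.rulepath` value rather than a canonicalised path (see the `impl Detection` hunks below), there is no guarantee it has a usable file name. Falling back to the full string keeps the output well-formed: `rule_file: Path::new(&detect_info.rulepath).file_name().and_then(|n| n.to_str()).unwrap_or(&detect_info.rulepath),`. The enclosing `emit_csv` function starts and ends outside the hunk, and the `DetectInfo` field type is not visible here, so confirm the fallback borrow coerces as expected.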
@@ -782,7 +783,7 @@ mod tests {
|
|||||||
.unwrap();
|
.unwrap();
|
||||||
let expect_tz = expect_time.with_timezone(&Local);
|
let expect_tz = expect_time.with_timezone(&Local);
|
||||||
let expect =
|
let expect =
|
||||||
"Timestamp,Computer,Channel,EventID,Level,MitreAttack,RecordID,RuleTitle,Details,RecordInformation,RulePath,FilePath\n"
|
"Timestamp,Computer,Channel,EventID,Level,MitreAttack,RecordID,RuleTitle,Details,RecordInformation,RuleFile,FilePath\n"
|
||||||
.to_string()
|
.to_string()
|
||||||
+ &expect_tz
|
+ &expect_tz
|
||||||
.clone()
|
.clone()
|
||||||
|
|||||||
@@ -256,10 +256,7 @@ impl Detection {
|
|||||||
};
|
};
|
||||||
let detect_info = DetectInfo {
|
let detect_info = DetectInfo {
|
||||||
filepath: record_info.evtx_filepath.to_string(),
|
filepath: record_info.evtx_filepath.to_string(),
|
||||||
rulepath: get_output_str_path(
|
rulepath: (&rule.rulepath).to_owned(),
|
||||||
&configs::CONFIG.read().unwrap().args.rules,
|
|
||||||
Path::new(&rule.rulepath),
|
|
||||||
),
|
|
||||||
level: rule.yaml["level"].as_str().unwrap_or("-").to_string(),
|
level: rule.yaml["level"].as_str().unwrap_or("-").to_string(),
|
||||||
computername: record_info.record["Event"]["System"]["Computer"]
|
computername: record_info.record["Event"]["System"]["Computer"]
|
||||||
.to_string()
|
.to_string()
|
||||||
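Review bot: `rulepath: (&rule.rulepath).to_owned(),` takes a needless borrow before `to_owned()`; the plain `rule.rulepath.to_owned()` (or `.clone()`, if the field is already a `String`) does the same and is what clippy's `needless_borrow` would suggest. The same line appears in the next hunk at `@@ -302,19 +299,10 @@`. Because both sites stop calling `get_output_str_path` and `Path::new`/`PathBuf::from`, that helper and the `std::path` imports in this file may now be unused; the imports are outside the hunk, so check the build for dead-code warnings. Note also that `rulepath` now carries the full rule path rather than the rules-directory-relative form the helper produced; if any output other than the CSV writer reads this field, its wording changes too.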
@@ -302,19 +299,10 @@ impl Detection {
|
|||||||
} else {
|
} else {
|
||||||
None
|
None
|
||||||
};
|
};
|
||||||
// canonicalizeを行った際に、windows環境で\\?\が必ず文字列として入ってしまう問題があったため先頭の4文字を除外している
|
|
||||||
let abs_rule_path = &PathBuf::from(&rule.rulepath)
|
|
||||||
.canonicalize()
|
|
||||||
.unwrap()
|
|
||||||
.display()
|
|
||||||
.to_string()[4..];
|
|
||||||
|
|
||||||
let detect_info = DetectInfo {
|
let detect_info = DetectInfo {
|
||||||
filepath: "-".to_owned(),
|
filepath: "-".to_owned(),
|
||||||
rulepath: get_output_str_path(
|
rulepath: (&rule.rulepath).to_owned(),
|
||||||
&configs::CONFIG.read().unwrap().args.rules,
|
|
||||||
Path::new(abs_rule_path),
|
|
||||||
),
|
|
||||||
level: rule.yaml["level"].as_str().unwrap_or("").to_owned(),
|
level: rule.yaml["level"].as_str().unwrap_or("").to_owned(),
|
||||||
computername: "-".to_owned(),
|
computername: "-".to_owned(),
|
||||||
eventid: "-".to_owned(),
|
eventid: "-".to_owned(),
|
||||||
|
|||||||