diff --git a/src/detections/detection.rs b/src/detections/detection.rs
index 683d62dd..7d61a1d4 100644
--- a/src/detections/detection.rs
+++ b/src/detections/detection.rs
@@ -1,3 +1,4 @@
+extern crate csv;
 extern crate quick_xml;
 use crate::detections::application;
@@ -11,7 +12,6 @@ use quick_xml::de::DeError;
 use std::collections::BTreeMap;
 use std::fs::File;
 use std::io::prelude::*;
-extern crate csv;
 #[derive(Debug)]
 pub struct Detection {
diff --git a/src/detections/powershell.rs b/src/detections/powershell.rs
index 3cc54337..df9edf53 100644
--- a/src/detections/powershell.rs
+++ b/src/detections/powershell.rs
@@ -41,14 +41,13 @@ impl PowerShell {
                 Regex::new("(?ms)^.*(ホスト アプリケーション|Host Application) = ").unwrap();
             let rm_after = Regex::new("(?ms)\n.*$").unwrap();
-            let temp = rm_before.replace_all(commandline, "");
-            let command = rm_after.replace_all(&temp, "");
+            let temp_command_with_extra = rm_before.replace_all(commandline, "");
+            let command = rm_after.replace_all(&temp_command_with_extra, "");
             if command != "" {
                 utils::check_command(4103, &command, 1000, 0, &default, &default, rdr);
             }
         }
-        return;
     }
     fn execute_remote_command(
@@ -61,11 +60,8 @@ impl PowerShell {
         let message_num = event_data.get("MessageNumber");
         let commandline = event_data.get("ScriptBlockText").unwrap_or(&default);
-        match message_num {
-            Some(_) => utils::check_command(4104, &commandline, 1000, 0, &default, &default, rdr),
-            _ => {}
+        if let Some(_) = message_num {
+            utils::check_command(4104, &commandline, 1000, 0, &default, &default, rdr);
         }
-
-        return;
     }
 }
diff --git a/src/detections/utils.rs b/src/detections/utils.rs
index c18378c8..ba9aaf39 100644
--- a/src/detections/utils.rs
+++ b/src/detections/utils.rs
@@ -228,7 +228,6 @@ mod tests {
         let mut rdr = csv::Reader::from_reader(contents.as_bytes());
         utils::check_command(1, "dir", 100, 100, "dir", "dir", &mut rdr);
-        let mut rdr = csv::Reader::from_reader(contents.as_bytes());
         //test return with whitelist.
         utils::check_command(
             1,
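Review bot: In the powershell.rs hunk at line 41, the `if command != "" {` guard right after the renamed bindings compares the stripped command against an empty literal; the idiomatic, clippy-clean form is `if !command.is_empty() {`. The new name `temp_command_with_extra` is only alive for one line, and nesting the two strips, `let command = rm_after.replace_all(&rm_before.replace_all(commandline, ""), "");`, says the same thing without the intermediate. The two `Regex::new(...).unwrap()` calls visible as context are recompiled on every invocation of this method, which looks like a per-event path; hoisting them into a lazily-initialised static (which helper crate is available is not visible here, so confirm) compiles each pattern once. The enclosing method starts before the hunk.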
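Review bot: In the powershell.rs hunk at line 61, the new `if let Some(_) = message_num {` is the pattern clippy reports as redundant_pattern_matching; `if message_num.is_some() {` states the intent directly and drops the unused binding. On the call inside it, `commandline` is already a `&String` (it comes from `unwrap_or(&default)`), so `&commandline` passes a `&&String`; the utils.rs test in this same diff calls `check_command` with a `&str` literal, so passing `commandline` unprefixed should coerce and read more cleanly, though the parameter type itself is outside the hunk, so confirm before changing it. The enclosing method starts before the hunk.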
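Review bot: Removing the second `let mut rdr = csv::Reader::from_reader(contents.as_bytes());` in the utils.rs test makes the "test return with whitelist" call reuse the reader that the preceding `check_command` call already received; if `check_command` iterates the reader's records (its body is outside the hunk), the second call sees an exhausted reader and the whitelist path is no longer exercised, so the test passes without testing what its comment claims. Either keep a fresh `csv::Reader::from_reader(contents.as_bytes())` before each call, or, if a single reader is intended to be reusable, add a comment such as `// check_command does not consume rdr, so one reader serves both calls` so the next reader does not reintroduce the rebinding. The test function starts before the hunk and continues past it.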