changed optimized output when rule option value is relative path #623

2022-07-17 20:25:18 +09:00
parent 983ee98629
commit 67018ba8c8
1 changed files with 21 additions and 4 deletions
--- a/src/detections/detection.rs
+++ b/src/detections/detection.rs
@@ -21,8 +21,10 @@ use crate::yaml::ParseYaml;
 use hashbrown;
 use hashbrown::HashMap;
 use serde_json::Value;
+use std::env;
 use std::fmt::Write;
-use std::path::Path;
+use std::path::{Path, PathBuf};
+use pathdiff::diff_paths;
 use std::sync::Arc;
 use tokio::{runtime::Runtime, spawn, task::JoinHandle};

@@ -253,10 +255,17 @@ impl Detection {
        } else {
            None
        };
-
+        let tmp_fmt_path = &PathBuf::from(&rule.rulepath).canonicalize().unwrap().display().to_string()[4..];
+        let abs_rule_path = Path::new(tmp_fmt_path);
+        let fmted_rule_path_str = if configs::CONFIG.read().unwrap().args.rules.is_absolute() {
+            abs_rule_path.to_str().unwrap().to_string()
+        } else {
+            // ``個々の部分をregexとかで回してiterで落としたほうが速度向上につながると思われるため検討する
+            diff_paths(abs_rule_path, &env::current_dir().unwrap()).unwrap().to_str().unwrap().replace("..\\", "").replace(".\\", "")
+        };
        let detect_info = DetectInfo {
            filepath: record_info.evtx_filepath.to_string(),
-            rulepath: rule.rulepath.to_string(),
+            rulepath: fmted_rule_path_str,
            level: rule.yaml["level"].as_str().unwrap_or("-").to_string(),
            computername: record_info.record["Event"]["System"]["Computer"]
                .to_string()
@@ -299,9 +308,17 @@ impl Detection {
        } else {
            None
        };
+        // canonicalizeを行った際に、windows環境で\\?\が必ず文字列として入ってしまう問題があったため先頭の4文字を除外している
+        let tmp_fmt_path = &PathBuf::from(&rule.rulepath).canonicalize().unwrap().display().to_string()[4..];
+        let abs_rule_path = Path::new(tmp_fmt_path);
+        let fmted_rule_path_str = if configs::CONFIG.read().unwrap().args.rules.is_absolute() {
+            abs_rule_path.to_str().unwrap().to_string()
+        } else {
+            diff_paths(abs_rule_path, &env::current_dir().unwrap()).unwrap().to_str().unwrap().replace("..\\", "").replace(".\\", "")
+        };
        let detect_info = DetectInfo {
            filepath: "-".to_owned(),
-            rulepath: rule.rulepath.to_owned(),
+            rulepath: fmted_rule_path_str,
            level: rule.yaml["level"].as_str().unwrap_or("").to_owned(),
            computername: "-".to_owned(),
            eventid: "-".to_owned(),