CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #316 from Yamato-Security/feature/output_error_log_file_and_options#301

Browse Source 
fixed #301 #303 #309
This commit is contained in:
Yamato Security
2021-12-22 16:08:13 +09:00
committed by GitHub
parent 72b6bceb36 3412434d99
commit 67f0ee007b
8 changed files with 239 additions and 88 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/detections/rule/count.rs
+53 -34
View File
@@ -1,10 +1,14 @@
use crate::detections::configs;
use crate::detections::print::AlertMessage;
use crate::detections::print::ERROR_LOG_STACK;
use crate::detections::print::QUIET_ERRORS_FLAG;
use crate::detections::rule::AggResult;
use crate::detections::rule::Message;
use crate::detections::rule::RuleNode;
use chrono::{DateTime, TimeZone, Utc};
use hashbrown::HashMap;
use serde_json::Value;
use std::io::BufWriter;
use std::num::ParseIntError;
use std::path::Path;
@@ -65,30 +69,35 @@ fn get_alias_value_in_record(
return Some(value.to_string().replace("\"", ""));
}
None => {
AlertMessage::alert(
&mut std::io::stderr().lock(),
match is_by_alias {
true => format!(
"count by clause alias value not found in count process. rule file:{} EventID:{}",
Path::new(&rule.rulepath)
.file_name()
.unwrap()
.to_str()
.unwrap(),
utils::get_event_value(&utils::get_event_id_key(), record).unwrap()
),
false => format!(
"count field clause alias value not found in count process. rule file:{} EventID:{}",
Path::new(&rule.rulepath)
.file_name()
.unwrap()
.to_str()
.unwrap(),
utils::get_event_value(&utils::get_event_id_key(), record).unwrap()
),
},
)
.ok();
let errmsg = match is_by_alias {
true => format!(
"count by clause alias value not found in count process. rule file:{} EventID:{}",
Path::new(&rule.rulepath)
.file_name()
.unwrap()
.to_str()
.unwrap(),
utils::get_event_value(&utils::get_event_id_key(), record).unwrap()
),
false => format!(
"count field clause alias value not found in count process. rule file:{} EventID:{}",
Path::new(&rule.rulepath)
.file_name()
.unwrap()
.to_str()
.unwrap(),
utils::get_event_value(&utils::get_event_id_key(), record).unwrap()
),
};
if configs::CONFIG.read().unwrap().args.is_present("verbose") {
AlertMessage::alert(&mut BufWriter::new(std::io::stderr().lock()), &errmsg).ok();
}
if !*QUIET_ERRORS_FLAG {
ERROR_LOG_STACK
.lock()
.unwrap()
.push(format!("[ERROR] {}", errmsg));
}
return None;
}
};
@@ -181,11 +190,16 @@ impl TimeFrameInfo {
ttype = "d".to_owned();
tnum.retain(|c| c != 'd');
} else {
AlertMessage::alert(
&mut std::io::stderr().lock(),
format!("Timeframe is invalid. Input value:{}", value),
)
.ok();
let errmsg = format!("Timeframe is invalid. Input value:{}", value);
if configs::CONFIG.read().unwrap().args.is_present("verbose") {
AlertMessage::alert(&mut BufWriter::new(std::io::stderr().lock()), &errmsg).ok();
}
if !*QUIET_ERRORS_FLAG {
ERROR_LOG_STACK
.lock()
.unwrap()
.push(format!("[ERROR] {}", errmsg));
}
}
return TimeFrameInfo {
timetype: ttype,
@@ -214,11 +228,16 @@ pub fn get_sec_timeframe(rule: &RuleNode) -> Option<i64> {
}
}
Err(err) => {
AlertMessage::alert(
&mut std::io::stderr().lock(),
format!("Timeframe number is invalid. timeframe.{}", err),
)
.ok();
let errmsg = format!("Timeframe number is invalid. timeframe. {}", err);
if configs::CONFIG.read().unwrap().args.is_present("verbose") {
AlertMessage::alert(&mut BufWriter::new(std::io::stderr().lock()), &errmsg).ok();
}
if !*QUIET_ERRORS_FLAG {
ERROR_LOG_STACK
.lock()
.unwrap()
.push(format!("[ERROR] {}", errmsg.to_string()));
}
return Option::None;
}
}