separate load kind rule count and rules status count #583
This commit is contained in:
DustInDark
@@ -127,11 +127,12 @@ impl Detection {
|
|||||||
.is_present("logon-summary")
|
.is_present("logon-summary")
|
||||||
{
|
{
|
||||||
let _ = &rulefile_loader
|
let _ = &rulefile_loader
|
||||||
.rule_load_status_cnt
|
.rule_load_cnt
|
||||||
.insert(String::from("rule parsing error"), parseerror_count);
|
.insert(String::from("rule parsing error"), parseerror_count);
|
||||||
Detection::print_rule_load_info(
|
Detection::print_rule_load_info(
|
||||||
&rulefile_loader.rulecounter,
|
&rulefile_loader.rulecounter,
|
||||||
&rulefile_loader.rule_load_status_cnt,
|
&rulefile_loader.rule_load_cnt,
|
||||||
|
&rulefile_loader.rule_status_cnt,
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
ret
|
ret
|
||||||
@@ -353,30 +354,46 @@ impl Detection {
|
|||||||
ret
|
ret
|
||||||
}
|
}
|
||||||
|
|
||||||
pub fn print_rule_load_info(rc: &HashMap<String, u128>, st_rc: &HashMap<String, u128>) {
|
pub fn print_rule_load_info(
|
||||||
|
rc: &HashMap<String, u128>,
|
||||||
|
ld_rc: &HashMap<String, u128>,
|
||||||
|
st_rc: &HashMap<String, u128>,
|
||||||
|
) {
|
||||||
if *STATISTICS_FLAG {
|
if *STATISTICS_FLAG {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
let mut sorted_st_rc: Vec<(&String, &u128)> = st_rc.iter().collect();
|
let mut sorted_ld_rc: Vec<(&String, &u128)> = ld_rc.iter().collect();
|
||||||
sorted_st_rc.sort_by(|a, b| a.0.cmp(b.0));
|
sorted_ld_rc.sort_by(|a, b| a.0.cmp(b.0));
|
||||||
sorted_st_rc.into_iter().for_each(|(key, value)| {
|
sorted_ld_rc.into_iter().for_each(|(key, value)| {
|
||||||
//タイトルに利用するものはascii文字であることを前提として1文字目を大文字にするように変更する
|
//タイトルに利用するものはascii文字であることを前提として1文字目を大文字にするように変更する
|
||||||
println!(
|
println!(
|
||||||
"{} rules: {}",
|
"{} rules: {}",
|
||||||
make_ascii_titlecase(key.clone().as_mut()),
|
make_ascii_titlecase(key.clone().as_mut()),
|
||||||
value
|
value,
|
||||||
|
);
|
||||||
|
});
|
||||||
|
println!();
|
||||||
|
|
||||||
|
let mut sorted_st_rc: Vec<(&String, &u128)> = st_rc.iter().collect();
|
||||||
|
let total_loaded_rule_cnt: u128 = sorted_st_rc.iter().map(|(_, v)| v.to_owned()).sum();
|
||||||
|
sorted_st_rc.sort_by(|a, b| a.0.cmp(b.0));
|
||||||
|
sorted_st_rc.into_iter().for_each(|(key, value)| {
|
||||||
|
//タイトルに利用するものはascii文字であることを前提として1文字目を大文字にするように変更する
|
||||||
|
println!(
|
||||||
|
"{} rules: {} ({:.2}%)",
|
||||||
|
make_ascii_titlecase(key.clone().as_mut()),
|
||||||
|
value,
|
||||||
|
value / total_loaded_rule_cnt
|
||||||
);
|
);
|
||||||
});
|
});
|
||||||
println!();
|
println!();
|
||||||
|
|
||||||
let mut sorted_rc: Vec<(&String, &u128)> = rc.iter().collect();
|
let mut sorted_rc: Vec<(&String, &u128)> = rc.iter().collect();
|
||||||
sorted_rc.sort_by(|a, b| a.0.cmp(b.0));
|
sorted_rc.sort_by(|a, b| a.0.cmp(b.0));
|
||||||
let mut enable_total = 0;
|
|
||||||
sorted_rc.into_iter().for_each(|(key, value)| {
|
sorted_rc.into_iter().for_each(|(key, value)| {
|
||||||
println!("{} rules: {}", key, value);
|
println!("{} rules: {}", key, value);
|
||||||
enable_total += value;
|
|
||||||
});
|
});
|
||||||
println!("Total enabled detection rules: {}", enable_total);
|
println!("Total enabled detection rules: {}", total_loaded_rule_cnt);
|
||||||
println!();
|
println!();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
18
src/yaml.rs
18
src/yaml.rs
@@ -18,7 +18,8 @@ use yaml_rust::YamlLoader;
|
|||||||
pub struct ParseYaml {
|
pub struct ParseYaml {
|
||||||
pub files: Vec<(String, yaml_rust::Yaml)>,
|
pub files: Vec<(String, yaml_rust::Yaml)>,
|
||||||
pub rulecounter: HashMap<String, u128>,
|
pub rulecounter: HashMap<String, u128>,
|
||||||
pub rule_load_status_cnt: HashMap<String, u128>,
|
pub rule_load_cnt: HashMap<String, u128>,
|
||||||
|
pub rule_status_cnt: HashMap<String, u128>,
|
||||||
pub errorrule_count: u128,
|
pub errorrule_count: u128,
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -33,11 +34,11 @@ impl ParseYaml {
|
|||||||
ParseYaml {
|
ParseYaml {
|
||||||
files: Vec::new(),
|
files: Vec::new(),
|
||||||
rulecounter: HashMap::new(),
|
rulecounter: HashMap::new(),
|
||||||
rule_load_status_cnt: HashMap::from([
|
rule_load_cnt: HashMap::from([
|
||||||
("excluded".to_string(), 0_u128),
|
("excluded".to_string(), 0_u128),
|
||||||
("noisy".to_string(), 0_u128),
|
("noisy".to_string(), 0_u128),
|
||||||
("deprecate".to_string(), 0_u128),
|
|
||||||
]),
|
]),
|
||||||
|
rule_status_cnt: HashMap::from([("deprecated".to_string(), 0_u128)]),
|
||||||
errorrule_count: 0,
|
errorrule_count: 0,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -231,10 +232,7 @@ impl ParseYaml {
|
|||||||
} else {
|
} else {
|
||||||
entry_key = "noisy";
|
entry_key = "noisy";
|
||||||
}
|
}
|
||||||
let entry = self
|
let entry = self.rule_load_cnt.entry(entry_key.to_string()).or_insert(0);
|
||||||
.rule_load_status_cnt
|
|
||||||
.entry(entry_key.to_string())
|
|
||||||
.or_insert(0);
|
|
||||||
*entry += 1;
|
*entry += 1;
|
||||||
return Option::None;
|
return Option::None;
|
||||||
}
|
}
|
||||||
@@ -249,11 +247,11 @@ impl ParseYaml {
|
|||||||
);
|
);
|
||||||
|
|
||||||
let status_cnt = self
|
let status_cnt = self
|
||||||
.rule_load_status_cnt
|
.rule_status_cnt
|
||||||
.entry(
|
.entry(
|
||||||
yaml_doc["status"]
|
yaml_doc["status"]
|
||||||
.as_str()
|
.as_str()
|
||||||
.unwrap_or("Undefined")
|
.unwrap_or("undefined")
|
||||||
.to_string(),
|
.to_string(),
|
||||||
)
|
)
|
||||||
.or_insert(0);
|
.or_insert(0);
|
||||||
@@ -284,7 +282,7 @@ impl ParseYaml {
|
|||||||
let rule_status = &yaml_doc["status"].as_str().unwrap_or_default();
|
let rule_status = &yaml_doc["status"].as_str().unwrap_or_default();
|
||||||
if *rule_status == "deprecated" {
|
if *rule_status == "deprecated" {
|
||||||
let entry = self
|
let entry = self
|
||||||
.rule_load_status_cnt
|
.rule_status_cnt
|
||||||
.entry(rule_status.to_string())
|
.entry(rule_status.to_string())
|
||||||
.or_insert(0);
|
.or_insert(0);
|
||||||
*entry += 1;
|
*entry += 1;
|
||||||
|
|||||||
Reference in New Issue
Block a user