From 7f23656437bbcabd352709b0fd1af3b2b0ae1978 Mon Sep 17 00:00:00 2001
From: siamease
Date: Sun, 25 Oct 2020 02:45:37 +0900
Subject: [PATCH] brushup / add test skelton
---
 src/detections/sysmon.rs | 49 +++++++++++++++++++++++-----------------
 1 file changed, 28 insertions(+), 21 deletions(-)
diff --git a/src/detections/sysmon.rs b/src/detections/sysmon.rs
index a523057f..aabc069c 100644
--- a/src/detections/sysmon.rs
+++ b/src/detections/sysmon.rs
@@ -3,12 +3,14 @@ use crate::models::event;
 use std::collections::HashMap;
 pub struct Sysmon {
+ empty_str: String,
 checkunsigned: u64,
 }
 impl Sysmon {
 pub fn new() -> Sysmon {
 Sysmon {
+ empty_str: String::default(),
 //checkunsigned: 0, // DeepBlueでは0固定
 checkunsigned: 1, // 開発用に1 (configから設定可能になる予定)
 }
@@ -17,7 +19,7 @@ impl Sysmon {
 pub fn detection(
 &mut self,
 event_id: String,
- system: &event::System,
+ _system: &event::System,
 event_data: HashMap,
 ) {
 if event_id == "1" {
@@ -35,11 +37,8 @@ impl Sysmon {
 }
 println!("Log : Sysmon");
 let minlength = 1000;
- if let Some(_creater) = event_data.get("ParentImage") {
- check_command(1, _command_line, minlength, 0, "", _creater);
- } else {
- check_command(1, _command_line, minlength, 0, "", "");
- }
+ let _creater = event_data.get("ParentImage").unwrap_or(&self.empty_str);
+ check_command(1, _command_line, minlength, 0, "", _creater);
 }
 }
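Review bot: The new `empty_str: String` field exists only so that `unwrap_or` has a `&String` to return, which makes a per-instance sentinel out of what is really a constant; its only users are the lookups in the third hunk and in the following hunk. If the map's values are `String` (the generics appear to have been lost in rendering), `event_data.get("ParentImage").map(String::as_str).unwrap_or("")` gives a `&str` default with no stored field and no borrow of `self`, and the removed `else` branch shows `check_command` already accepts `""` in that position. If the field is kept, a comment on it such as `// Borrowed as the default for absent event_data keys; never mutated` would explain why a struct carries an empty string.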
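Review bot: `_creater` is bound with a leading underscore and then passed to `check_command` on the next line, so the underscore — which tells rustc and readers that a binding is intentionally unused — is misleading here; `let creater = event_data.get("ParentImage").unwrap_or(&self.empty_str);` (or a name like `parent_image`) states the intent accurately. The same applies to `_signed`, `_date`, `_image` and `_command_line` in the following hunk, and to `_command_line` used by this call, which is bound before this hunk begins. The enclosing `detection` function starts and its `event_id == "1"` branch opens outside this hunk.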
@@ -48,22 +47,30 @@ impl Sysmon {
 // This can be very chatty, so it's disabled.
 // Set $checkunsigned to 1 (global variable section) to enable:
 if self.checkunsigned == 1 {
- if let Some(_signed) = event_data.get("Signed") {
- if _signed == "false" {
- if let Some(_date) = event_data.get("UtcTime") {
- println!("Date : {} (UTC)", _date);
- }
- println!("Log : Sysmon");
- println!("EventID : 7");
- println!("Message : Unsigned Image (DLL)");
- if let Some(_image) = event_data.get("Image") {
- println!("Result : Loaded by: {}", _image);
- }
- if let Some(_command_line) = event_data.get("ImageLoaded") {
- println!("Command : {}", _command_line);
- }
- }
+ let _signed = event_data.get("Signed").unwrap_or(&self.empty_str);
+ if _signed == "false" {
+ let _date = event_data.get("UtcTime").unwrap_or(&self.empty_str);
+ println!("Date : {} (UTC)", _date);
+ println!("Log : Sysmon");
+ println!("EventID : 7");
+ println!("Message : Unsigned Image (DLL)");
+ let _image = event_data.get("Image").unwrap_or(&self.empty_str);
+ println!("Result : Loaded by: {}", _image);
+ let _command_line = event_data.get("ImageLoaded").unwrap_or(&self.empty_str);
+ println!("Command : {}", _command_line);
 }
 }
 }
 }
+
+#[cfg(test)]
+mod tests {
+ extern crate quick_xml;
+ use crate::detections::sysmon;
+ use crate::models::event;
+
+ #[test]
+ fn test_skelton_hit() {
+ assert_eq!(1,1);
+ }
+}
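Review bot: The `unwrap_or(&self.empty_str)` rewrite changes what is printed for EventID 7 records that lack `UtcTime`, `Image` or `ImageLoaded`: the removed `if let` blocks omitted the `Date`, `Result` and `Command` lines entirely, while the new code prints them with an empty value (a record without `UtcTime` now yields `Date :  (UTC)`), so whoever reads the output can no longer tell an absent field from an empty one, which matters when the output is triaged or parsed downstream. If a fixed line layout per hit is the intent, record it with a comment such as `// Absent fields print as empty so every EventID 7 hit has the same line set` above `let _date`; otherwise keep the conditional prints for those three lines. The `Signed` lookup is unaffected, since an absent key compares unequal to `"false"` exactly as before. Separately, the new `tests` module imports `sysmon` and `event` and declares `extern crate quick_xml` without using any of them, which will warn on every test build until the skeleton gets a real test.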