Hotfix/load rule level changed info to informational#237#238 (#240)

* changed INFO to informational #237

- INFO in rule level is changed to informational

* changed level load default rule from LOW to INFORMATIONAL #238

* fixed level description in doc and help menu #238

* removed test files

* removed test check file
DustInDark
2021-11-28 18:27:58 +09:00
committed by GitHub
parent 0cfa806baf
commit 84f17323da
6 changed files with 21 additions and 14 deletions
+2 -2
@@ -7,7 +7,7 @@ lazy_static! {
pub static ref CONFIG: RwLock<ConfigReader> = RwLock::new(ConfigReader::new());
pub static ref LEVELMAP: HashMap<String, u128> = {
let mut levelmap = HashMap::new();
levelmap.insert("INFO".to_owned(), 1);
levelmap.insert("INFORMATIONAL".to_owned(), 1);
levelmap.insert("LOW".to_owned(), 2);
levelmap.insert("MEDIUM".to_owned(), 3);
levelmap.insert("HIGH".to_owned(), 4);
@@ -54,7 +54,7 @@ fn build_app<'a>() -> ArgMatches<'a> {
--verbose 'Output verbose information to target event file path and rule file'
-q 'Quiet mode. Do not display the launch banner'
-r --rules=[RULEDIRECTORY] 'Rule file directory (default: ./rules)'
-L --level=[LEVEL] 'Minimum level for rules (default: low)'
-L --level=[LEVEL] 'Minimum level for rules (default: INFORMATIONAL)'
-u --utc 'Output time in UTC format (default: local time)'
-d --directory=[DIRECTORY] 'Directory of multiple .evtx files'
-s --statistics 'Prints statistics of event IDs'
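Review bot: LEVELMAP gains the INFORMATIONAL key but still carries no comment saying that its values are ordinal severity ranks (1 = lowest) compared with `<` when rules are filtered, nor that lookups of unrecognised keys are expected to fall back to rank 1 elsewhere (the `unwrap_or(&1)` in the yaml.rs hunk); a reader renumbering the map would not know that fallback must move with it. Suggest `/// Rule severity levels mapped to ordinal ranks (1 = lowest); callers treat unknown keys as rank 1.` above the `pub static ref LEVELMAP` line. The lazy_static block continues outside the hunk. In the help-text hunk the new default is printed in upper case (`INFORMATIONAL`) while the other defaults in the same usage string are lower case (`./rules`, `local time`); `(default: informational)` would read consistently and match the literal used in main.rs.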
+10 -3
@@ -145,8 +145,15 @@ impl Detection {
pub fn print_unique_results(&self) {
let rules = &self.rules;
let levellabel = Vec::from(["Critical", "High", "Medium", "Low", "Info", "Undefined"]);
// levels are [(Undeifned), (Info), (Low),(Medium),(High),(Critical)]
let levellabel = Vec::from([
"Critical",
"High",
"Medium",
"Low",
"Informational",
"Undeifned",
]);
// levclcounts is [(Undeifned), (Informational), (Low),(Medium),(High),(Critical)]
let mut levelcounts = Vec::from([0, 0, 0, 0, 0, 0]);
for rule in rules.into_iter() {
if rule.check_exist_countdata() {
@@ -258,7 +265,7 @@ impl Detection {
#[test]
fn test_parse_rule_files() {
let level = "INFO";
let level = "informational";
let opt_rule_path = Some("./test_files/rules/level_yaml");
let cole = Detection::parse_rule_files(level.to_owned(), opt_rule_path);
assert_eq!(5, cole.len());
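Review bot: The last label in the reformatted levellabel array is spelled `"Undeifned"` where the single-line version it replaces had `"Undefined"`, and that string is what print_unique_results shows to the user; assuming the multi-line array is the new side, change it to `"Undefined",`. The two comments around the arrays repeat the typo and add `levclcounts`, and since levellabel runs Critical→Undefined while levelcounts is indexed Undefined→Critical, one comment such as `// levelcounts is indexed [Undefined, Informational, Low, Medium, High, Critical], the reverse of levellabel` would make the mapping between the two explicit. print_unique_results continues past the end of the hunk.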
+1 -1
@@ -116,7 +116,7 @@ fn analysis_files(evtx_files: Vec<PathBuf>) {
.unwrap()
.args
.value_of("level")
.unwrap_or("INFO")
.unwrap_or("informational")
.to_uppercase();
println!("Analyzing event files: {:?}", evtx_files.len());
let rule_files = detection::Detection::parse_rule_files(
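Review bot: The value taken from `--level` is upper-cased and handed to parse_rule_files without checking that it is a LEVELMAP key, and the yaml.rs hunk below maps an unknown key to `unwrap_or(&1)`; a mistyped argument (say `-L hgih`) therefore silently selects rank 1 and loads every rule instead of reporting the bad input, and a rule file whose `level` is misspelled is silently demoted to informational and dropped whenever a higher minimum is requested. Suggest rejecting it before the parse, e.g. `if !configs::LEVELMAP.contains_key(level.as_str()) { eprintln!("Unknown level: {}", level); return; }` (with `level` being the upper-cased binding and configs in scope as it is in yaml.rs), and logging on the rule side when the lookup misses so detection coverage is not lost without a trace. The literal `"informational"` exists only to be upper-cased on the next line; `"INFORMATIONAL"` would say so directly. analysis_files continues on both sides of the hunk.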
+6 -6
@@ -121,11 +121,11 @@ impl ParseYaml {
// 指定されたレベルより低いルールは無視する
let doc_level = &yaml_doc["level"]
.as_str()
.unwrap_or("LOW")
.unwrap_or("informational")
.to_string()
.to_uppercase();
let doc_level_num = configs::LEVELMAP.get(doc_level).unwrap_or(&2);
let args_level_num = configs::LEVELMAP.get(level).unwrap_or(&2);
let doc_level_num = configs::LEVELMAP.get(doc_level).unwrap_or(&1);
let args_level_num = configs::LEVELMAP.get(level).unwrap_or(&1);
if doc_level_num < args_level_num {
return Option::None;
}
@@ -179,19 +179,19 @@ mod tests {
}
#[test]
/// no specifed "level" arguments value is adapted default level(LOW)
/// no specifed "level" arguments value is adapted default level(informational)
fn test_default_level_read_yaml() {
let mut yaml = yaml::ParseYaml::new();
let path = Path::new("test_files/rules/level_yaml");
yaml.read_dir(path.to_path_buf(), &"").unwrap();
assert_eq!(yaml.files.len(), 4);
assert_eq!(yaml.files.len(), 5);
}
#[test]
fn test_info_level_read_yaml() {
let mut yaml = yaml::ParseYaml::new();
let path = Path::new("test_files/rules/level_yaml");
yaml.read_dir(path.to_path_buf(), &"INFO").unwrap();
yaml.read_dir(path.to_path_buf(), &"informational").unwrap();
assert_eq!(yaml.files.len(), 5);
}
#[test]