Hotfix/load rule level changed info to informational#237#238 (#240)

* changed INFO to informational #237

- INFO in rule level is changed  to informational

* changed level load default rule from LOW to INFORMATIONAL #238

* fixed level description in doc and help menu #238

* removed test files

* removed test check file

doc/AboutRuleCreation-English.md

@@ -27,7 +27,7 @@ updated_date: 2020/11/8
 * author [optional]: The name of the person or persons who created the logic for the rule.
 * detection  [required]: The detection logic goes here.
 * falsepositives [optional]: The possibilities for false positives. For example: `system administrator`, `normal user usage`, `normal system usage`, `legacy application`, `security team`. If it is unknown, write `unknown`.
-* level [optional]: Risk level. Please write one of the following: `info`,`low`,`medium`,`high`,`critical`
+* level [optional]: Risk level. Please write one of the following: `informational`,`low`,`medium`,`high`,`critical`
 * output [required]: The details of the alert. (Please output any and only useful fields in the Windows event log for easy analysis.)
 * creation_date [optional]: The creation date.
 * updated_date [optional]: The date of the last revision.

doc/AboutRuleCreation-Japanese.md

@@ -27,7 +27,7 @@ updated_date: 2020/11/8
 * author [optional]: ルールファイルの作者を入力します。
 * detection  [required]: 検知ルールを入力します。
 * falsepositives [optional]: 誤検知に関する情報を入力します。例：unknown、system administrator、normal user usage、normal system usage、legacy application、security team等々。
-* level [optional]: リスクレベルを入力します。指定する値は`info`,`low`,`medium`,`high`,`critical`のいづれかです。
+* level [optional]: リスクレベルを入力します。指定する値は`informational`,`low`,`medium`,`high`,`critical`のいづれかです。
 * output [required]: イベントログが検知した場合に表示されるメッセージを入力します。
 * creation_date [optional]: ルールファイルの作成日を入力します。
 * updated_date [optional]: ルールファイルの更新日を入力します。

src/detections/configs.rs

@@ -7,7 +7,7 @@ lazy_static! {
     pub static ref CONFIG: RwLock<ConfigReader> = RwLock::new(ConfigReader::new());
     pub static ref LEVELMAP: HashMap<String, u128> = {
         let mut levelmap = HashMap::new();
-        levelmap.insert("INFO".to_owned(), 1);
+        levelmap.insert("INFORMATIONAL".to_owned(), 1);
         levelmap.insert("LOW".to_owned(), 2);
         levelmap.insert("MEDIUM".to_owned(), 3);
         levelmap.insert("HIGH".to_owned(), 4);
@@ -54,7 +54,7 @@ fn build_app<'a>() -> ArgMatches<'a> {
     --verbose 'Output verbose information to target event file path and rule file'
     -q 'Quiet mode. Do not display the launch banner'
     -r --rules=[RULEDIRECTORY] 'Rule file directory (default: ./rules)'
-    -L --level=[LEVEL] 'Minimum level for rules (default: low)'
+    -L --level=[LEVEL] 'Minimum level for rules (default: INFORMATIONAL)'
     -u --utc 'Output time in UTC format (default: local time)'
     -d --directory=[DIRECTORY] 'Directory of multiple .evtx files'
     -s --statistics 'Prints statistics of event IDs'

src/detections/detection.rs

@@ -145,8 +145,15 @@ impl Detection {
 
     pub fn print_unique_results(&self) {
         let rules = &self.rules;
-        let levellabel = Vec::from(["Critical", "High", "Medium", "Low", "Info", "Undefined"]);
-        // levels are [(Undeifned), (Info), (Low),(Medium),(High),(Critical)]
+        let levellabel = Vec::from([
+            "Critical",
+            "High",
+            "Medium",
+            "Low",
+            "Informational",
+            "Undeifned",
+        ]);
+        // levclcounts is [(Undeifned), (Informational), (Low),(Medium),(High),(Critical)]
         let mut levelcounts = Vec::from([0, 0, 0, 0, 0, 0]);
         for rule in rules.into_iter() {
             if rule.check_exist_countdata() {
@@ -258,7 +265,7 @@ impl Detection {
 
 #[test]
 fn test_parse_rule_files() {
-    let level = "INFO";
+    let level = "informational";
     let opt_rule_path = Some("./test_files/rules/level_yaml");
     let cole = Detection::parse_rule_files(level.to_owned(), opt_rule_path);
     assert_eq!(5, cole.len());

src/main.rs

@@ -116,7 +116,7 @@ fn analysis_files(evtx_files: Vec<PathBuf>) {
         .unwrap()
         .args
         .value_of("level")
-        .unwrap_or("INFO")
+        .unwrap_or("informational")
         .to_uppercase();
     println!("Analyzing event files: {:?}", evtx_files.len());
     let rule_files = detection::Detection::parse_rule_files(

src/yaml.rs

@@ -121,11 +121,11 @@ impl ParseYaml {
                 // 指定されたレベルより低いルールは無視する
                 let doc_level = &yaml_doc["level"]
                     .as_str()
-                    .unwrap_or("LOW")
+                    .unwrap_or("informational")
                     .to_string()
                     .to_uppercase();
-                let doc_level_num = configs::LEVELMAP.get(doc_level).unwrap_or(&2);
-                let args_level_num = configs::LEVELMAP.get(level).unwrap_or(&2);
+                let doc_level_num = configs::LEVELMAP.get(doc_level).unwrap_or(&1);
+                let args_level_num = configs::LEVELMAP.get(level).unwrap_or(&1);
                 if doc_level_num < args_level_num {
                     return Option::None;
                 }
@@ -179,19 +179,19 @@ mod tests {
     }
 
     #[test]
-    /// no specifed "level" arguments value is adapted default level(LOW)
+    /// no specifed "level" arguments value is adapted default level(informational)
     fn test_default_level_read_yaml() {
         let mut yaml = yaml::ParseYaml::new();
         let path = Path::new("test_files/rules/level_yaml");
         yaml.read_dir(path.to_path_buf(), &"").unwrap();
-        assert_eq!(yaml.files.len(), 4);
+        assert_eq!(yaml.files.len(), 5);
     }
 
     #[test]
     fn test_info_level_read_yaml() {
         let mut yaml = yaml::ParseYaml::new();
         let path = Path::new("test_files/rules/level_yaml");
-        yaml.read_dir(path.to_path_buf(), &"INFO").unwrap();
+        yaml.read_dir(path.to_path_buf(), &"informational").unwrap();
         assert_eq!(yaml.files.len(), 5);
     }
     #[test]