From b2692ef9837f317931821f7e43242c0974d983fe Mon Sep 17 00:00:00 2001 From: itiB Date: Wed, 24 Nov 2021 00:09:41 +0900 Subject: [PATCH 1/9] Add: input function for start/end option --- src/detections/configs.rs | 2 ++ src/main.rs | 38 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 40 insertions(+) diff --git a/src/detections/configs.rs b/src/detections/configs.rs index d3a8db51..e90ad72a 100644 --- a/src/detections/configs.rs +++ b/src/detections/configs.rs @@ -52,6 +52,8 @@ fn build_app<'a>() -> ArgMatches<'a> { --rfc-2822 'Output date and time in RFC 2822 format. Example: Mon, 07 Aug 2006 12:34:56 -0600' --rfc-3339 'Output date and time in RFC 3339 format. Example: 2006-08-07T12:34:56.485214 -06:00' --verbose 'Output check information to target event file path and rule file.' + --start-time=[STARTTIME] + --end-time=[ENDTIME] -q 'Quiet Output Logo' -r --rules=[RULEDIRECTORY] 'using target of rule file directory' -L --level=[LEVEL] 'Specified execute rule level(default: LOW)' diff --git a/src/main.rs b/src/main.rs index 9db674d1..4e1a1beb 100644 --- a/src/main.rs +++ b/src/main.rs 
@@ -118,6 +118,44 @@ fn analysis_files(evtx_files: Vec) { .value_of("level") .unwrap_or("INFO") .to_uppercase(); + + // TODO: config.rs に移す + // ./target/debug/hayabusa -f ./test_files/evtx/test1.evtx --start-time 2014-11-28T12:00:09Z + let start_time= if let Some(s_time) = configs::CONFIG + .read() + .unwrap() + .args + .value_of("start-time") + { + match s_time.parse::>() { + Ok(dt)=> Some(dt), + Err(err) => { + AlertMessage::alert(&mut std::io::stderr().lock(), format!("start-time field: {}", err)).ok(); + None + } + } + } else { + None + }; + + let end_time= if let Some(e_time) = configs::CONFIG + .read() + .unwrap() + .args + .value_of("end-time") + { + match s_time.parse::>() { + Ok(dt)=> Some(dt), + Err(err) => { + AlertMessage::alert(&mut std::io::stderr().lock(), format!("start-time field: {}", err)).ok(); + None + } + } + } else { + None + }; + + println!("TIME: {:?}", start_time); println!("Analyzing Event Files: {:?}", evtx_files.len()); let rule_files = detection::Detection::parse_rule_files( level, From e09cfb7231f84e7131880efd51c424013b7f2b90 Mon Sep 17 00:00:00 2001 From: itiB Date: Tue, 7 Dec 2021 00:11:34 +0900 Subject: [PATCH 2/9] Add: datetime util --- src/detections/print.rs | 19 ++----------------- src/detections/utils.rs | 24 ++++++++++++++++++++++++ 2 files changed, 26 insertions(+), 17 deletions(-) diff --git a/src/detections/print.rs b/src/detections/print.rs index 51e65acb..22a15d8d 100644 --- a/src/detections/print.rs +++ b/src/detections/print.rs @@ -9,6 +9,7 @@ use std::collections::BTreeMap; use std::collections::HashMap; use std::io::{self, Write}; use std::sync::Mutex; +use crate::detections::utils; #[derive(Debug)] pub struct Message { 
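Review bot: The `end_time` block parses `s_time` instead of the `e_time` it has just bound; `s_time` is scoped to the first `if let`, so as written this branch should not compile, and its alert is labelled `start-time field`, which mislabels an `--end-time` error for the user (the same `start-time field` label is repeated in the `end_time` branch of patch 3's `TargetEventTime::new` hunk in configs.rs). The two lines should read `match e_time.parse::<DateTime<Utc>>() {` and `format!("end-time field: {}", err)`. The `println!("TIME: {:?}", start_time);` is a debugging print left in the new code. `analysis_files` continues outside the hunk.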
@@ -174,23 +175,7 @@ impl Message { pub fn get_event_time(event_record: &Value) -> Option> { let system_time = &event_record["Event"]["System"]["TimeCreated_attributes"]["SystemTime"]; - let system_time_str = system_time.as_str().unwrap_or(""); - if system_time_str.is_empty() { - return Option::None; - } - - let rfc3339_time = DateTime::parse_from_rfc3339(system_time_str); - if rfc3339_time.is_err() { - return Option::None; - } - let datetime = Utc - .from_local_datetime(&rfc3339_time.unwrap().naive_utc()) - .single(); - if datetime.is_none() { - return Option::None; - } else { - return Option::Some(datetime.unwrap()); - } + return utils::str_time_to_datetime(system_time.as_str().unwrap_or("")); } /// message内のマップをクリアする。テストする際の冪等性の担保のため作成。 diff --git a/src/detections/utils.rs b/src/detections/utils.rs index 9df91ff7..bde46871 100644 --- a/src/detections/utils.rs +++ b/src/detections/utils.rs @@ -14,6 +14,7 @@ use std::io::prelude::*; use std::io::{BufRead, BufReader}; use std::str; use std::string::String; +use chrono::{DateTime, TimeZone, Utc}; pub fn concat_selection_key(key_list: &Vec) -> String { return key_list @@ -93,6 +94,29 @@ pub fn get_event_id_key() -> String { return "Event.System.EventID".to_string(); } +pub fn get_event_time() -> String { + return "Event.System.TimeCreated_attributes.SystemTime".to_string(); +} + +pub fn str_time_to_datetime(system_time_str: &str) -> Option> { + if system_time_str.is_empty() { + return Option::None; + } + + let rfc3339_time = DateTime::parse_from_rfc3339(system_time_str); + if rfc3339_time.is_err() { + return Option::None; + } + let datetime = Utc + .from_local_datetime(&rfc3339_time.unwrap().naive_utc()) + .single(); + if datetime.is_none() { + return Option::None; + } else { + return Option::Some(datetime.unwrap()); + } +} + /// serde:Valueの型を確認し、文字列を返します。 pub fn get_serde_number_to_string(value: &serde_json::Value) -> Option { if value.is_string() { 
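Review bot: `str_time_to_datetime` spells out with `is_err()`/`unwrap()` and `from_local_datetime(..).single()` what two combinators express: `Utc.from_local_datetime` always yields a single result for a UTC naive time, so the body is equivalent to `return DateTime::parse_from_rfc3339(system_time_str).ok().map(|dt| dt.with_timezone(&Utc));`, which also covers the empty-string case because an empty string is not valid RFC 3339. Now that it is a public utility it deserves a doc comment stating that any string that is not RFC 3339 yields `None`, so callers cannot distinguish a missing timestamp from a malformed one. `get_event_time()` returns a key path like `get_event_id_key()` directly above it, but its name reads like the accessor `Message::get_event_time` that the print.rs hunk keeps; `get_event_time_key()` would follow the existing convention.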
From 4bb445d4f58515a5bf9e6cce991107c624c3992c Mon Sep 17 00:00:00 2001 From: itiB Date: Tue, 7 Dec 2021 00:50:00 +0900 Subject: [PATCH 3/9] Add: time filter --- src/detections/configs.rs | 64 +++++++++++++++++++++++++++++++ src/detections/print.rs | 2 +- src/detections/utils.rs | 2 +- src/main.rs | 79 ++++++++++++++++++++++----------------- 4 files changed, 110 insertions(+), 37 deletions(-) diff --git a/src/detections/configs.rs b/src/detections/configs.rs index ef64bd99..4e79eb35 100644 --- a/src/detections/configs.rs +++ b/src/detections/configs.rs @@ -1,4 +1,6 @@ +use crate::detections::print::AlertMessage; use crate::detections::utils; +use chrono::{DateTime, Utc}; use clap::{App, AppSettings, ArgMatches}; use lazy_static::lazy_static; use std::collections::{HashMap, HashSet}; 
@@ -118,6 +120,68 @@ fn load_target_ids(path: &str) -> TargetEventIds { return ret; } +#[derive(Debug, Clone)] +pub struct TargetEventTime { + start_time: Option>, + end_time: Option>, +} + +impl TargetEventTime { + pub fn new() -> TargetEventTime { + let start_time = if let Some(s_time) = CONFIG.read().unwrap().args.value_of("start-time") { + match s_time.parse::>() { + Ok(dt) => Some(dt), + Err(err) => { + AlertMessage::alert( + &mut std::io::stderr().lock(), + format!("start-time field: {}", err), + ) + .ok(); + None + } + } + } else { + None + }; + let end_time = if let Some(e_time) = CONFIG.read().unwrap().args.value_of("end-time") { + match e_time.parse::>() { + Ok(dt) => Some(dt), + Err(err) => { + AlertMessage::alert( + &mut std::io::stderr().lock(), + format!("start-time field: {}", err), + ) + .ok(); + None + } + } + } else { + None + }; + return TargetEventTime { + start_time: start_time, + end_time: end_time, + }; + } + + pub fn is_target(&self, eventtime: &Option>) -> bool { + if eventtime.is_none() { + return true; + } + if let Some(starttime) = self.start_time { + if eventtime.unwrap() < starttime { + return false; + } + } + if let Some(endtime) = self.end_time { + if eventtime.unwrap() > endtime { + return false; + } + } + return true; + } +} + #[derive(Debug, Clone)] pub struct EventKeyAliasConfig { key_to_eventkey: HashMap, diff --git a/src/detections/print.rs b/src/detections/print.rs index 22a15d8d..26e05046 100644 --- a/src/detections/print.rs +++ b/src/detections/print.rs @@ -1,5 +1,6 @@ extern crate lazy_static; use crate::detections::configs; +use crate::detections::utils; use crate::detections::utils::get_serde_number_to_string; use chrono::{DateTime, TimeZone, Utc}; use lazy_static::lazy_static; @@ -9,7 +10,6 @@ use std::collections::BTreeMap; use std::collections::HashMap; use std::io::{self, Write}; use std::sync::Mutex; -use crate::detections::utils; #[derive(Debug)] pub struct Message { 
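Review bot: `new` never checks that `start_time` precedes `end_time`, so an inverted range (a typo in the year of one bound, say) makes `is_target` reject every record and the run silently reports nothing; a warning through `AlertMessage::alert` when both bounds are set and `start_time > end_time` would make that visible, and patch 7's `set` hunk, which centralises construction, is the natural place for it. `is_target` also returns `true` for `None`, i.e. records whose timestamp is missing or unparseable are never filtered out — defensible for an evidence-processing tool, but the policy should be stated in a doc comment on the method, and the `is_none()` check followed by two `eventtime.unwrap()` calls is better written as a `match`, as below.
```rust
    pub fn is_target(&self, eventtime: &Option<DateTime<Utc>>) -> bool {
        match eventtime {
            // Records with no parseable timestamp are kept rather than silently dropped.
            None => true,
            Some(t) => {
                self.start_time.map_or(true, |s| *t >= s) && self.end_time.map_or(true, |e| *t <= e)
            }
        }
    }
```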
diff --git a/src/detections/utils.rs b/src/detections/utils.rs index bde46871..5d0d52ff 100644 --- a/src/detections/utils.rs +++ b/src/detections/utils.rs @@ -7,6 +7,7 @@ use crate::detections::configs; use tokio::runtime::Builder; use tokio::runtime::Runtime; +use chrono::{DateTime, TimeZone, Utc}; use regex::Regex; use serde_json::Value; use std::fs::File; @@ -14,7 +15,6 @@ use std::io::prelude::*; use std::io::{BufRead, BufReader}; use std::str; use std::string::String; -use chrono::{DateTime, TimeZone, Utc}; pub fn concat_selection_key(key_list: &Vec) -> String { return key_list diff --git a/src/main.rs b/src/main.rs index f2cf0458..73efcd6b 100644 --- a/src/main.rs +++ b/src/main.rs 
@@ -121,43 +121,42 @@ fn analysis_files(evtx_files: Vec) { .unwrap_or("informational") .to_uppercase(); - // TODO: config.rs に移す - // ./target/debug/hayabusa -f ./test_files/evtx/test1.evtx --start-time 2014-11-28T12:00:09Z - let start_time = if let Some(s_time) = configs::CONFIG - .read() - .unwrap() - .args - .value_of("start-time") - { - match s_time.parse::>() { - Ok(dt)=> Some(dt), - Err(err) => { - AlertMessage::alert(&mut std::io::stderr().lock(), format!("start-time field: {}", err)).ok(); - None - } - } - } else { - None - }; + // // TODO: config.rs に移す + // // ./target/debug/hayabusa -f ./test_files/evtx/test1.evtx --start-time 2014-11-28T12:00:09Z + // let start_time = + // if let Some(s_time) = configs::CONFIG.read().unwrap().args.value_of("start-time") { + // match s_time.parse::>() { + // Ok(dt) => Some(dt), + // Err(err) => { + // AlertMessage::alert( + // &mut std::io::stderr().lock(), + // format!("start-time field: {}", err), + // ) + // .ok(); + // None + // } + // } + // } else { + // None + // }; - let end_time= if let Some(e_time) = configs::CONFIG - .read() - .unwrap() - .args - .value_of("end-time") - { - match e_time.parse::>() { - Ok(dt)=> Some(dt), - Err(err) => { - AlertMessage::alert(&mut std::io::stderr().lock(), format!("start-time field: {}", err)).ok(); - None - } - } - } else { - None - }; + // let end_time = if let Some(e_time) = configs::CONFIG.read().unwrap().args.value_of("end-time") { + // match e_time.parse::>() { + // Ok(dt) => Some(dt), + // Err(err) => { + // AlertMessage::alert( + // &mut std::io::stderr().lock(), + // format!("start-time field: {}", err), + // ) + // .ok(); + // None + // } + // } + // } else { + // None + // }; - println!("TIME: {:?}", start_time); + // println!("TIME: {:?}", start_time); println!("Analyzing Event Files: {:?}", evtx_files.len()); let rule_files = detection::Detection::parse_rule_files( level, 
@@ -192,6 +191,8 @@ fn analysis_file( let mut records = parser.records_json_value(); let tokio_rt = utils::create_tokio_runtime(); + let target_event_time = configs::TargetEventTime::new(); + loop { let mut records_per_detect = vec![]; while records_per_detect.len() < MAX_DETECT_RECORDS { @@ -228,6 +229,14 @@ fn analysis_file( } } + let eventtime = utils::get_event_value(&utils::get_event_time(), &data); + if eventtime.is_some() { + let time = utils::str_time_to_datetime(eventtime.unwrap().as_str().unwrap_or("")); + if !target_event_time.is_target(&time) { + continue; + } + } + // EvtxRecordInfo構造体に変更 let data_string = data.to_string(); let record_info = EvtxRecordInfo::new((&filepath_disp).to_string(), data, data_string); From a1ec06cc6c511edf3ba065a00b670a07f0e6a091 Mon Sep 17 00:00:00 2001 From: itiB Date: Tue, 7 Dec 2021 00:52:57 +0900 Subject: [PATCH 4/9] rm: comments --- src/main.rs | 36 ------------------------------------ 1 file changed, 36 deletions(-) diff --git a/src/main.rs b/src/main.rs index 73efcd6b..d9da8b1d 100644 --- a/src/main.rs +++ b/src/main.rs 
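Review bot: The filter block in the second hunk calls `eventtime.unwrap()` right after `is_some()` and, when the record has no `SystemTime` or the value is not a string, skips filtering entirely — this is the second place (with `TargetEventTime::is_target`) that embeds the policy that timestamp-less records are kept, so it deserves a comment such as `// Records without a parseable SystemTime are never filtered out; see TargetEventTime::is_target`. The unwrap goes away with `if let Some(eventtime) = utils::get_event_value(&utils::get_event_time(), &data) {` and `eventtime.as_str()` inside. `TargetEventTime::new()` is built once per `analysis_file` call and re-reads `CONFIG` for every file although the bounds do not change between files; constructing it once in the caller and passing it in would avoid that, but the caller is outside the hunk. `analysis_file` continues outside both hunks.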
@@ -121,42 +121,6 @@ fn analysis_files(evtx_files: Vec) { .unwrap_or("informational") .to_uppercase(); - // // TODO: config.rs に移す - // // ./target/debug/hayabusa -f ./test_files/evtx/test1.evtx --start-time 2014-11-28T12:00:09Z - // let start_time = - // if let Some(s_time) = configs::CONFIG.read().unwrap().args.value_of("start-time") { - // match s_time.parse::>() { - // Ok(dt) => Some(dt), - // Err(err) => { - // AlertMessage::alert( - // &mut std::io::stderr().lock(), - // format!("start-time field: {}", err), - // ) - // .ok(); - // None - // } - // } - // } else { - // None - // }; - - // let end_time = if let Some(e_time) = configs::CONFIG.read().unwrap().args.value_of("end-time") { - // match e_time.parse::>() { - // Ok(dt) => Some(dt), - // Err(err) => { - // AlertMessage::alert( - // &mut std::io::stderr().lock(), - // format!("start-time field: {}", err), - // ) - // .ok(); - // None - // } - // } - // } else { - // None - // }; - - // println!("TIME: {:?}", start_time); println!("Analyzing Event Files: {:?}", evtx_files.len()); let rule_files = detection::Detection::parse_rule_files( level, From 0e4136e9cf8be473ca9fd09704b07b2dab434e29 Mon Sep 17 00:00:00 2001 From: itiB Date: Tue, 7 Dec 2021 01:00:18 +0900 Subject: [PATCH 5/9] fix: option's documents --- src/detections/configs.rs | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/src/detections/configs.rs b/src/detections/configs.rs index 4e79eb35..fd227bd5 100644 --- a/src/detections/configs.rs +++ b/src/detections/configs.rs 
@@ -56,8 +56,8 @@ fn build_app<'a>() -> ArgMatches<'a> { --rfc-2822 'Output date and time in RFC 2822 format. Example: Mon, 07 Aug 2006 12:34:56 -0600' --rfc-3339 'Output date and time in RFC 3339 format. Example: 2006-08-07T12:34:56.485214 -06:00' --verbose 'Output verbose information to target event file path and rule file' - --start-time=[STARTTIME] - --end-time=[ENDTIME] + --starttimeline=[STARTTIMELINE] 'Start time of the event to load from event file' + --endtimeline=[ENDTIMELINE]'End time of the event to load from event file' -q 'Quiet mode. Do not display the launch banner' -r --rules=[RULEDIRECTORY] 'Rule file directory (default: ./rules)' -L --level=[LEVEL] 'Minimum level for rules (default: INFORMATIONAL)' @@ -128,13 +128,14 @@ pub struct TargetEventTime { impl TargetEventTime { pub fn new() -> TargetEventTime { - let start_time = if let Some(s_time) = CONFIG.read().unwrap().args.value_of("start-time") { + let start_time = if let Some(s_time) = CONFIG.read().unwrap().args.value_of("starttimeline") + { match s_time.parse::>() { Ok(dt) => Some(dt), Err(err) => { AlertMessage::alert( &mut std::io::stderr().lock(), - format!("start-time field: {}", err), + format!("starttimeline field: {}", err), ) .ok(); None @@ -143,13 +144,13 @@ impl TargetEventTime { } else { None }; - let end_time = if let Some(e_time) = CONFIG.read().unwrap().args.value_of("end-time") { + let end_time = if let Some(e_time) = CONFIG.read().unwrap().args.value_of("endtimeline") { match e_time.parse::>() { Ok(dt) => Some(dt), Err(err) => { AlertMessage::alert( &mut std::io::stderr().lock(), - format!("start-time field: {}", err), + format!("endtimeline field: {}", err), ) .ok(); None From f8bd73898471640700f3b833f086ca37737e622c Mon Sep 17 00:00:00 2001 From: itiB Date: Tue, 7 Dec 2021 01:25:21 +0900 Subject: [PATCH 6/9] fix: input time format --- src/detections/configs.rs | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) 
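Review bot: The new help strings do not say which date/time format the options accept, and `--endtimeline=[ENDTIMELINE]'End time...` has no space before the help quote, unlike every neighbouring line; whether clap's usage parser tolerates that I cannot tell from here, but it should be `--endtimeline=[ENDTIMELINE] 'End time of the event to load from event file'`. The names `--starttimeline`/`--endtimeline` also break from the hyphenated style of `--rfc-2822`/`--rfc-3339` on the adjacent lines; `--start-timeline`/`--end-timeline` would match, with the `value_of("starttimeline")`/`value_of("endtimeline")` keys in `TargetEventTime::new` renamed accordingly.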
diff --git a/src/detections/configs.rs b/src/detections/configs.rs index fd227bd5..7dfc4b29 100644 --- a/src/detections/configs.rs +++ b/src/detections/configs.rs @@ -56,8 +56,8 @@ fn build_app<'a>() -> ArgMatches<'a> { --rfc-2822 'Output date and time in RFC 2822 format. Example: Mon, 07 Aug 2006 12:34:56 -0600' --rfc-3339 'Output date and time in RFC 3339 format. Example: 2006-08-07T12:34:56.485214 -06:00' --verbose 'Output verbose information to target event file path and rule file' - --starttimeline=[STARTTIMELINE] 'Start time of the event to load from event file' - --endtimeline=[ENDTIMELINE]'End time of the event to load from event file' + --starttimeline=[STARTTIMELINE] 'Start time of the event to load from event file. Example: '2018/11/28 12:00:00 +09:00'' + --endtimeline=[ENDTIMELINE]'End time of the event to load from event file. Example: '2018/11/28 12:00:00 +09:00'' -q 'Quiet mode. Do not display the launch banner' -r --rules=[RULEDIRECTORY] 'Rule file directory (default: ./rules)' -L --level=[LEVEL] 'Minimum level for rules (default: INFORMATIONAL)' @@ -130,8 +130,10 @@ impl TargetEventTime { pub fn new() -> TargetEventTime { let start_time = if let Some(s_time) = CONFIG.read().unwrap().args.value_of("starttimeline") { - match s_time.parse::>() { - Ok(dt) => Some(dt), + match DateTime::parse_from_str(s_time, "%Y-%m-%d %H:%M:%S %z") // 2014-11-28 21:00:09 +09:00 + .or_else(|_| DateTime::parse_from_str(s_time, "%Y/%m/%d %H:%M:%S %z")) // 2014/11/28 21:00:09 +09:00 + { + Ok(dt) => Some(dt.with_timezone(&Utc)), Err(err) => { AlertMessage::alert( &mut std::io::stderr().lock(), 
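Review bot: The examples added to the help text are wrapped in single quotes inside a single-quoted clap usage string (`... Example: '2018/11/28 12:00:00 +09:00''`), so the inner quote most likely terminates the help at `Example: ` and leaves the rest dangling; drop the inner quotes: `--starttimeline=[STARTTIMELINE] 'Start time of the event to load from event file. Example: 2018/11/28 12:00:00 +09:00'` (same for `--endtimeline`). The example shows only the slash form while the parser in the next hunk also accepts `%Y-%m-%d`, and both formats require an explicit UTC offset; saying that the offset is mandatory would save users a parse error.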
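Review bot: The two `parse_from_str` format strings and the `with_timezone(&Utc)` conversion are written out once for `start_time` here and again for `end_time` in the next hunk, so the accepted input format lives in two places that can drift; a small private helper used by both branches keeps it in one, as below, and the `// 2014-11-28 21:00:09 +09:00` comments should move with it. Note that the replaced `parse::<DateTime<Utc>>()` accepted RFC 3339 input such as `2014-11-28T12:00:09Z`, which the new formats no longer do — if that is intended, the help text should say so. `new` continues outside the hunk.
```rust
/// Parses a `--starttimeline`/`--endtimeline` value; an explicit UTC offset is required.
fn parse_timeline_arg(value: &str) -> Result<DateTime<Utc>, chrono::ParseError> {
    DateTime::parse_from_str(value, "%Y-%m-%d %H:%M:%S %z") // 2014-11-28 21:00:09 +09:00
        .or_else(|_| DateTime::parse_from_str(value, "%Y/%m/%d %H:%M:%S %z")) // 2014/11/28 21:00:09 +09:00
        .map(|dt| dt.with_timezone(&Utc))
}

        // … unchanged: CONFIG lookup of "starttimeline" …
            match parse_timeline_arg(s_time) {
                Ok(dt) => Some(dt),
                // … unchanged: AlertMessage::alert error branch …
```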
@@ -145,9 +147,11 @@ impl TargetEventTime { None }; let end_time = if let Some(e_time) = CONFIG.read().unwrap().args.value_of("endtimeline") { - match e_time.parse::>() { - Ok(dt) => Some(dt), - Err(err) => { + match DateTime::parse_from_str(e_time, "%Y-%m-%d %H:%M:%S %z") // 2014-11-28 21:00:09 +09:00 + .or_else(|_| DateTime::parse_from_str(e_time, "%Y/%m/%d %H:%M:%S %z")) // 2014/11/28 21:00:09 +09:00 + { + Ok(dt) => Some(dt.with_timezone(&Utc)), + Err(err) => { AlertMessage::alert( &mut std::io::stderr().lock(), format!("endtimeline field: {}", err), From 708305c95866d7eed68748cad18492b1fcd78e83 Mon Sep 17 00:00:00 2001 From: itiB Date: Sat, 11 Dec 2021 15:27:11 +0900 Subject: [PATCH 7/9] Add: TargetTimefilter testcase --- src/detections/configs.rs | 38 ++++++++++++++++++++++++++++++++++---- 1 file changed, 34 insertions(+), 4 deletions(-) diff --git a/src/detections/configs.rs b/src/detections/configs.rs index 7dfc4b29..aab7bd2d 100644 --- a/src/detections/configs.rs +++ b/src/detections/configs.rs @@ -127,7 +127,7 @@ pub struct TargetEventTime { } impl TargetEventTime { - pub fn new() -> TargetEventTime { + pub fn new() -> Self { let start_time = if let Some(s_time) = CONFIG.read().unwrap().args.value_of("starttimeline") { match DateTime::parse_from_str(s_time, "%Y-%m-%d %H:%M:%S %z") // 2014-11-28 21:00:09 +09:00 @@ -163,10 +163,14 @@ impl TargetEventTime { } else { None }; - return TargetEventTime { + return Self::set(start_time, end_time) + } + + pub fn set(start_time: Option>, end_time: Option>) -> Self { + return Self { start_time: start_time, - end_time: end_time, - }; + end_time: end_time + } } pub fn is_target(&self, eventtime: &Option>) -> bool { @@ -306,6 +310,7 @@ fn load_eventcode_info(path: &str) -> EventInfoConfig { mod tests { use crate::detections::configs; + use chrono::{DateTime, Utc}; #[test] #[ignore] 
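Review bot: `set` is a constructor, but a `set`-style name in Rust reads as a mutating setter; since it exists so tests can build a filter without touching `CONFIG`, a name such as `with_range(start_time, end_time)` (or a `From<(Option<DateTime<Utc>>, Option<DateTime<Utc>>)>` impl) says that, and the field initialisers can use shorthand: `return Self { start_time, end_time };`. The added `return Self::set(start_time, end_time)` lacks a semicolon and compiles only because it is the final expression; patch 8's hunk adds it. `new` continues outside the hunk.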
@@ -324,4 +329,29 @@ mod tests { ); assert_eq!(message, display); } + + #[test] + fn target_event_time_filter() { + let start_time = Some("2018-02-20T12:00:09Z".parse::>().unwrap()); + let end_time = Some("2020-03-30T12:00:09Z".parse::>().unwrap()); + let time_filter = configs::TargetEventTime::set(start_time, end_time); + + let out_of_range1 = Some("1999-01-01T12:00:09Z".parse::>().unwrap()); + let within_range = Some("2019-02-27T01:05:01Z".parse::>().unwrap()); + let out_of_range2 = Some("2021-02-27T01:05:01Z".parse::>().unwrap()); + + assert_eq!(time_filter.is_target(&out_of_range1), false); + assert_eq!(time_filter.is_target(&within_range), true); + assert_eq!(time_filter.is_target(&out_of_range2), false); + } + + #[test] + fn target_event_time_filter_containes_on_time() { + let start_time = Some("2018-02-20T12:00:09Z".parse::>().unwrap()); + let end_time = Some("2020-03-30T12:00:09Z".parse::>().unwrap()); + let time_filter = configs::TargetEventTime::set(start_time, end_time); + + assert_eq!(time_filter.is_target(&start_time), true); + assert_eq!(time_filter.is_target(&end_time), true); + } } From 721bf993f7ecbe3d37adde6bf7687b23f003cca5 Mon Sep 17 00:00:00 2001 From: itiB Date: Sat, 11 Dec 2021 15:28:13 +0900 Subject: [PATCH 8/9] cargo fmt --all --- src/detections/configs.rs | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/src/detections/configs.rs b/src/detections/configs.rs index aab7bd2d..da65ad8e 100644 --- a/src/detections/configs.rs +++ b/src/detections/configs.rs @@ -163,14 +163,17 @@ impl TargetEventTime { } else { None }; - return Self::set(start_time, end_time) + return Self::set(start_time, end_time); } - pub fn set(start_time: Option>, end_time: Option>) -> Self { + pub fn set( + start_time: Option>, + end_time: Option>, + ) -> Self { return Self { start_time: start_time, - end_time: end_time - } + end_time: end_time, + }; } pub fn is_target(&self, eventtime: &Option>) -> bool { 
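Review bot: The new tests cover a closed range only; there is no case for `is_target(&None)` — the branch that lets records with an unparseable timestamp through — nor for a one-sided filter (`start_time` or `end_time` alone), which is what a user passing `--starttimeline` without `--endtimeline` actually exercises. Adding `assert!(time_filter.is_target(&None));` and a `configs::TargetEventTime::set(start_time, None)` case would pin both. `assert_eq!(x, false)` / `assert_eq!(x, true)` read better as `assert!(!x)` / `assert!(x)` (clippy's `bool_assert_comparison`), and `containes` in the second test name is a typo for `contains`.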
@@ -332,12 +335,12 @@ mod tests { #[test] fn target_event_time_filter() { - let start_time = Some("2018-02-20T12:00:09Z".parse::>().unwrap()); - let end_time = Some("2020-03-30T12:00:09Z".parse::>().unwrap()); + let start_time = Some("2018-02-20T12:00:09Z".parse::>().unwrap()); + let end_time = Some("2020-03-30T12:00:09Z".parse::>().unwrap()); let time_filter = configs::TargetEventTime::set(start_time, end_time); let out_of_range1 = Some("1999-01-01T12:00:09Z".parse::>().unwrap()); - let within_range = Some("2019-02-27T01:05:01Z".parse::>().unwrap()); + let within_range = Some("2019-02-27T01:05:01Z".parse::>().unwrap()); let out_of_range2 = Some("2021-02-27T01:05:01Z".parse::>().unwrap()); assert_eq!(time_filter.is_target(&out_of_range1), false); @@ -347,8 +350,8 @@ mod tests { #[test] fn target_event_time_filter_containes_on_time() { - let start_time = Some("2018-02-20T12:00:09Z".parse::>().unwrap()); - let end_time = Some("2020-03-30T12:00:09Z".parse::>().unwrap()); + let start_time = Some("2018-02-20T12:00:09Z".parse::>().unwrap()); + let end_time = Some("2020-03-30T12:00:09Z".parse::>().unwrap()); let time_filter = configs::TargetEventTime::set(start_time, end_time); assert_eq!(time_filter.is_target(&start_time), true); From d1d77b4e9f52f3d2398997a493ab66c839d6dd17 Mon Sep 17 00:00:00 2001 From: itiB Date: Thu, 16 Dec 2021 20:14:31 +0900 Subject: [PATCH 9/9] cargo fmt --all --- src/detections/configs.rs | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/src/detections/configs.rs b/src/detections/configs.rs index ceabc05a..c2fa589f 100644 --- a/src/detections/configs.rs +++ b/src/detections/configs.rs 
@@ -316,23 +316,23 @@ mod tests { use crate::detections::configs; use chrono::{DateTime, Utc}; -// #[test] -// #[ignore] -// fn singleton_read_and_write() { -// let message = -// "EventKeyAliasConfig { key_to_eventkey: {\"EventID\": \"Event.System.EventID\"} }"; -// configs::EVENT_KEY_ALIAS_CONFIG = -// configs::load_eventkey_alias("test_files/config/eventkey_alias.txt"); -// let display = format!( -// "{}", -// format_args!( -// "{:?}", -// configs::CONFIG.write().unwrap().event_key_alias_config -// ) -// ); -// assert_eq!(message, display); -// } -// } + // #[test] + // #[ignore] + // fn singleton_read_and_write() { + // let message = + // "EventKeyAliasConfig { key_to_eventkey: {\"EventID\": \"Event.System.EventID\"} }"; + // configs::EVENT_KEY_ALIAS_CONFIG = + // configs::load_eventkey_alias("test_files/config/eventkey_alias.txt"); + // let display = format!( + // "{}", + // format_args!( + // "{:?}", + // configs::CONFIG.write().unwrap().event_key_alias_config + // ) + // ); + // assert_eq!(message, display); + // } + // } #[test] fn target_event_time_filter() { @@ -358,4 +358,4 @@ mod tests { assert_eq!(time_filter.is_target(&start_time), true); assert_eq!(time_filter.is_target(&end_time), true); } -} \ No newline at end of file +}