diff --git a/src/detections/detection.rs b/src/detections/detection.rs
index b6e3afd0..d615c4ea 100644
--- a/src/detections/detection.rs
+++ b/src/detections/detection.rs
@@ -55,7 +55,7 @@ impl Detection {
 pub fn parse_rule_files(
 level: String,
 rulespath: Option<&str>,
- fill_ids: RuleFill,
+ fill_ids: &RuleFill,
 ) -> Vec {
 // ルールファイルのパースを実行
 let mut rulefile_loader = ParseYaml::new();
@@ -274,8 +274,8 @@ fn test_parse_rule_files() {
 let level = "informational";
 let opt_rule_path = Some("./test_files/rules/level_yaml");
 let fill_ids = RuleFill {
- no_use_rule: HashMap::from([("".to_string(), true)]),
+ no_use_rule: std::collections::HashSet::new(),
 };
- let cole = Detection::parse_rule_files(level.to_owned(), opt_rule_path, fill_ids);
+ let cole = Detection::parse_rule_files(level.to_owned(), opt_rule_path, &fill_ids);
 assert_eq!(5, cole.len());
 }
diff --git a/src/fillter.rs b/src/fillter.rs
index 0cd68b2a..058bd0fc 100644
--- a/src/fillter.rs
+++ b/src/fillter.rs
@@ -1,6 +1,8 @@
-use std::collections::HashMap;
+use std::collections::HashSet;
+
+
 #[derive(Clone, Debug)]
 pub struct RuleFill {
- pub no_use_rule: HashMap,
+ pub no_use_rule: HashSet,
 }
diff --git a/src/main.rs b/src/main.rs
index 8ad991af..6c257089 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -12,7 +12,7 @@ use hayabusa::{afterfact::after_fact, detections::utils};
 use hayabusa::{detections::configs, timeline::timeline::Timeline};
 use hhmmss::Hhmmss;
 use serde_json::Value;
-use std::collections::HashMap;
+use std::collections::HashSet;
 use std::{
 fs::{self, File},
 path::PathBuf,
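Review bot: The new `fill_ids: &RuleFill` parameter of parse_rule_files still has no documentation of what `no_use_rule` does to the rules this function returns; the field name only suggests an exclusion list, and a reader of the signature cannot tell whether a listed id is skipped, loaded-but-disabled, or something else. Add a doc comment above the signature such as `/// fill_ids: rule IDs listed in no_use_rule are left out of the returned rules (confirm against ParseYaml::read_dir)`. While the signature is being touched, `level: String` could become `level: &str`, since the test passes `level.to_owned()` only to satisfy the owned type; that is a wider change and can be a follow-up. The body of parse_rule_files continues past the hunk.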
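Review bot: Two consecutive blank lines are added after `use std::collections::HashSet;` in src/fillter.rs; rustfmt's default `blank_lines_upper_bound` is 1, so the formatter collapses them and a `cargo fmt --check` step would reject this hunk. Keep a single blank line. The struct would also benefit from a doc comment now that its field is a plain set, e.g. `/// Rule IDs that must not be used; populated in main.rs analysis_files and passed to the rule loaders.` — the exact effect on loading should be confirmed against ParseYaml::read_dir before the comment is committed.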
@@ -135,16 +135,16 @@ fn analysis_files(evtx_files: Vec) {
 }
 let mut fill_ids = fillter::RuleFill {
- no_use_rule: HashMap::from([("".to_string(), true)]),
+ no_use_rule: HashSet::new(),
 };
 for v in ids.split_whitespace().next() {
- fill_ids.no_use_rule.insert(v.to_string(), true);
+ fill_ids.no_use_rule.insert(v.to_string());
 }
 let rule_files = detection::Detection::parse_rule_files(
 level,
 configs::CONFIG.read().unwrap().args.value_of("rules"),
- fill_ids,
+ &fill_ids,
 );
 let mut detection = detection::Detection::new(rule_files);
 for evtx_file in evtx_files {
diff --git a/src/yaml.rs b/src/yaml.rs
index c32d6950..98fccf0a 100644
--- a/src/yaml.rs
+++ b/src/yaml.rs
@@ -47,14 +47,14 @@ impl ParseYaml {
 &mut self,
 path: P,
 level: &str,
- fill_ids: RuleFill,
+ fill_ids: &RuleFill,
 ) -> io::Result {
 let mut entries = fs::read_dir(path)?;
 let yaml_docs = entries.try_fold(vec![], |mut ret, entry| {
 let entry = entry?;
 // フォルダは再帰的に呼び出す。
 if entry.file_type()?.is_dir() {
- self.read_dir(entry.path(), level, fill_ids.clone())?;
+ self.read_dir(entry.path(), level, fill_ids)?;
 return io::Result::Ok(ret);
 }
 // ファイル以外は無視
@@ -162,7 +162,7 @@ mod tests {
 use crate::yaml;
 use crate::yaml::RuleFill;
- use std::collections::HashMap;
+ use std::collections::HashSet;
 use std::path::Path;
 use yaml_rust::YamlLoader;
@@ -170,12 +170,12 @@ mod tests {
 fn test_read_dir_yaml() {
 let mut yaml = yaml::ParseYaml::new();
 let fill_ids = RuleFill {
- no_use_rule: HashMap::from([("".to_string(), true)]),
+ no_use_rule: HashSet::new(),
 };
 let _ = &yaml.read_dir(
 "test_files/rules/yaml/".to_string(),
 &"".to_owned(),
- fill_ids,
+ &fill_ids,
 );
 assert_ne!(yaml.files.len(), 0);
 }
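Review bot: `for v in ids.split_whitespace().next()` iterates over an `Option<&str>`, so at most the first whitespace-separated id is ever inserted into `no_use_rule`; the commit rewrites the insert inside that loop but keeps the `.next()`, so every further id in `ids` is silently ignored, and if this set is meant to exclude rules, the rules an operator asked to skip after the first one presumably still load. If every id is meant to be honoured, drop the `.next()`: `for v in ids.split_whitespace() {`, or replace the loop with `fill_ids.no_use_rule.extend(ids.split_whitespace().map(str::to_string));`. Where `ids` is built is outside the hunk, and analysis_files starts and ends outside it.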
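Review bot: The recursive call `self.read_dir(entry.path(), level, fill_ids)?;` in src/yaml.rs keeps only the error side of the returned `io::Result` and drops its value, so whatever the inner call returns for a subdirectory never reaches the outer `ret`. If rule documents are accumulated through `self` (the tests in this file only check `yaml.files.len()`) that is fine, but it is not obvious from the line and deserves a comment such as `// results for the subdirectory are recorded on self; the returned value is intentionally discarded`. The signature of read_dir starts before the hunk and the try_fold closure continues after it.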
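Review bot: `let _ = &yaml.read_dir(...)` in test_read_dir_yaml discards the `io::Result`, so an I/O error from the rules directory would only surface indirectly through the `assert_ne!` that follows, while every sibling test in this module calls `.unwrap()`. Make it consistent: `yaml.read_dir("test_files/rules/yaml/".to_string(), "", &fill_ids).unwrap();`. `&"".to_owned()` also allocates a String just to borrow it as `&str`; the literal does the same job. test_read_dir_yaml lies fully inside the hunk.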
@@ -212,9 +212,9 @@ mod tests {
 let mut yaml = yaml::ParseYaml::new();
 let path = Path::new("test_files/rules/level_yaml");
 let fill_ids = RuleFill {
- no_use_rule: HashMap::from([("".to_string(), true)]),
+ no_use_rule: HashSet::new(),
 };
- yaml.read_dir(path.to_path_buf(), &"", fill_ids).unwrap();
+ yaml.read_dir(path.to_path_buf(), &"", &fill_ids).unwrap();
 assert_eq!(yaml.files.len(), 5);
 }
@@ -223,9 +223,9 @@ mod tests {
 let mut yaml = yaml::ParseYaml::new();
 let path = Path::new("test_files/rules/level_yaml");
 let fill_ids = RuleFill {
- no_use_rule: HashMap::from([("".to_string(), true)]),
+ no_use_rule: HashSet::new(),
 };
- yaml.read_dir(path.to_path_buf(), &"informational", fill_ids)
+ yaml.read_dir(path.to_path_buf(), &"informational", &fill_ids)
 .unwrap();
 assert_eq!(yaml.files.len(), 5);
 }
@@ -234,9 +234,9 @@ mod tests {
 let mut yaml = yaml::ParseYaml::new();
 let path = Path::new("test_files/rules/level_yaml");
 let fill_ids = RuleFill {
- no_use_rule: HashMap::from([("".to_string(), true)]),
+ no_use_rule: HashSet::new(),
 };
- yaml.read_dir(path.to_path_buf(), &"LOW", fill_ids).unwrap();
+ yaml.read_dir(path.to_path_buf(), &"LOW", &fill_ids).unwrap();
 assert_eq!(yaml.files.len(), 4);
 }
 #[test]
@@ -244,9 +244,9 @@ mod tests {
 let mut yaml = yaml::ParseYaml::new();
 let path = Path::new("test_files/rules/level_yaml");
 let fill_ids = RuleFill {
- no_use_rule: HashMap::from([("".to_string(), true)]),
+ no_use_rule: HashSet::new(),
 };
- yaml.read_dir(path.to_path_buf(), &"MEDIUM", fill_ids)
+ yaml.read_dir(path.to_path_buf(), &"MEDIUM", &fill_ids)
 .unwrap();
 assert_eq!(yaml.files.len(), 3);
 }
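Review bot: The six level tests starting here (hunks at -212, -223, -234, -244, -255 and -266) each rebuild the same `ParseYaml`, `Path` and `RuleFill { no_use_rule: HashSet::new() }` fixture and differ only in the level string and the expected count, which is why this commit had to touch every one of them. A helper like `count_rules(level: &str) -> usize` would reduce each test to a single `assert_eq!` and confine future signature changes to one place. The `&""`, `&"LOW"` and similar arguments pass `&&str` where `level: &str` is expected; deref coercion makes it compile, but plain literals read better. This is style only; behaviour is unchanged.
```rust
fn count_rules(level: &str) -> usize {
    let mut yaml = yaml::ParseYaml::new();
    let fill_ids = RuleFill { no_use_rule: HashSet::new() };
    yaml.read_dir(Path::new("test_files/rules/level_yaml").to_path_buf(), level, &fill_ids)
        .unwrap();
    yaml.files.len()
}
// … unchanged: each #[test] body becomes one line, e.g. assert_eq!(count_rules("LOW"), 4); …
```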
@@ -255,9 +255,9 @@ mod tests {
 let mut yaml = yaml::ParseYaml::new();
 let path = Path::new("test_files/rules/level_yaml");
 let fill_ids = RuleFill {
- no_use_rule: HashMap::from([("".to_string(), true)]),
+ no_use_rule: HashSet::new(),
 };
- yaml.read_dir(path.to_path_buf(), &"HIGH", fill_ids)
+ yaml.read_dir(path.to_path_buf(), &"HIGH", &fill_ids)
 .unwrap();
 assert_eq!(yaml.files.len(), 2);
 }
@@ -266,9 +266,9 @@ mod tests {
 let mut yaml = yaml::ParseYaml::new();
 let path = Path::new("test_files/rules/level_yaml");
 let fill_ids = RuleFill {
- no_use_rule: HashMap::from([("".to_string(), true)]),
+ no_use_rule: HashSet::new(),
 };
- yaml.read_dir(path.to_path_buf(), &"CRITICAL", fill_ids)
+ yaml.read_dir(path.to_path_buf(), &"CRITICAL", &fill_ids)
 .unwrap();
 assert_eq!(yaml.files.len(), 1);
 }