CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

change from hashmap to hashset and remove unnecessary copy.

Browse Source
This commit is contained in:
ichiichi11
2021-12-04 18:46:11 +09:00
parent 446e540d6f
commit c961c3768c
4 changed files with 28 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/detections/detection.rs
View File

@@ -55,7 +55,7 @@ impl Detection {
pub fn parse_rule_files( pub fn parse_rule_files(
level: String, level: String,
rulespath: Option<&str>, rulespath: Option<&str>,
fill_ids: RuleFill, fill_ids: &RuleFill,
) -> Vec<RuleNode> { ) -> Vec<RuleNode> {
// ルールファイルのパースを実行 // ルールファイルのパースを実行
let mut rulefile_loader = ParseYaml::new(); let mut rulefile_loader = ParseYaml::new();
@@ -274,8 +274,8 @@ fn test_parse_rule_files() {
let level = "informational"; let level = "informational";
let opt_rule_path = Some("./test_files/rules/level_yaml"); let opt_rule_path = Some("./test_files/rules/level_yaml");
let fill_ids = RuleFill { let fill_ids = RuleFill {
no_use_rule: HashMap::from([("".to_string(), true)]), no_use_rule: std::collections::HashSet::new(),
}; };
let cole = Detection::parse_rule_files(level.to_owned(), opt_rule_path, fill_ids); let cole = Detection::parse_rule_files(level.to_owned(), opt_rule_path, &fill_ids);
assert_eq!(5, cole.len()); assert_eq!(5, cole.len());
} }

6
src/fillter.rs
View File

@@ -1,6 +1,8 @@
use std::collections::HashMap; use std::collections::HashSet;
#[derive(Clone, Debug)] #[derive(Clone, Debug)]
pub struct RuleFill { pub struct RuleFill {
pub no_use_rule: HashMap<String, bool>, pub no_use_rule: HashSet<String>,
} }

8
src/main.rs
View File

@@ -12,7 +12,7 @@ use hayabusa::{afterfact::after_fact, detections::utils};
use hayabusa::{detections::configs, timeline::timeline::Timeline}; use hayabusa::{detections::configs, timeline::timeline::Timeline};
use hhmmss::Hhmmss; use hhmmss::Hhmmss;
use serde_json::Value; use serde_json::Value;
use std::collections::HashMap; use std::collections::HashSet;
use std::{ use std::{
fs::{self, File}, fs::{self, File},
path::PathBuf, path::PathBuf,
@@ -135,16 +135,16 @@ fn analysis_files(evtx_files: Vec<PathBuf>) {
} }
let mut fill_ids = fillter::RuleFill { let mut fill_ids = fillter::RuleFill {
no_use_rule: HashMap::from([("".to_string(), true)]), no_use_rule: HashSet::new(),
}; };
for v in ids.split_whitespace().next() { for v in ids.split_whitespace().next() {
fill_ids.no_use_rule.insert(v.to_string(), true); fill_ids.no_use_rule.insert(v.to_string());
} }
let rule_files = detection::Detection::parse_rule_files( let rule_files = detection::Detection::parse_rule_files(
level, level,
configs::CONFIG.read().unwrap().args.value_of("rules"), configs::CONFIG.read().unwrap().args.value_of("rules"),
fill_ids, &fill_ids,
); );
let mut detection = detection::Detection::new(rule_files); let mut detection = detection::Detection::new(rule_files);
for evtx_file in evtx_files { for evtx_file in evtx_files {

34
src/yaml.rs
View File

@@ -47,14 +47,14 @@ impl ParseYaml {
&mut self, &mut self,
path: P, path: P,
level: &str, level: &str,
fill_ids: RuleFill, fill_ids: &RuleFill,
) -> io::Result<String> { ) -> io::Result<String> {
let mut entries = fs::read_dir(path)?; let mut entries = fs::read_dir(path)?;
let yaml_docs = entries.try_fold(vec![], |mut ret, entry| { let yaml_docs = entries.try_fold(vec![], |mut ret, entry| {
let entry = entry?; let entry = entry?;
// フォルダは再帰的に呼び出す。 // フォルダは再帰的に呼び出す。
if entry.file_type()?.is_dir() { if entry.file_type()?.is_dir() {
self.read_dir(entry.path(), level, fill_ids.clone())?; self.read_dir(entry.path(), level, fill_ids)?;
return io::Result::Ok(ret); return io::Result::Ok(ret);
} }
// ファイル以外は無視 // ファイル以外は無視
@@ -162,7 +162,7 @@ mod tests {
use crate::yaml; use crate::yaml;
use crate::yaml::RuleFill; use crate::yaml::RuleFill;
use std::collections::HashMap; use std::collections::HashSet;
use std::path::Path; use std::path::Path;
use yaml_rust::YamlLoader; use yaml_rust::YamlLoader;
@@ -170,12 +170,12 @@ mod tests {
fn test_read_dir_yaml() { fn test_read_dir_yaml() {
let mut yaml = yaml::ParseYaml::new(); let mut yaml = yaml::ParseYaml::new();
let fill_ids = RuleFill { let fill_ids = RuleFill {
no_use_rule: HashMap::from([("".to_string(), true)]), no_use_rule: HashSet::new(),
}; };
let _ = &yaml.read_dir( let _ = &yaml.read_dir(
"test_files/rules/yaml/".to_string(), "test_files/rules/yaml/".to_string(),
&"".to_owned(), &"".to_owned(),
fill_ids, &fill_ids,
); );
assert_ne!(yaml.files.len(), 0); assert_ne!(yaml.files.len(), 0);
} }
@@ -212,9 +212,9 @@ mod tests {
let mut yaml = yaml::ParseYaml::new(); let mut yaml = yaml::ParseYaml::new();
let path = Path::new("test_files/rules/level_yaml"); let path = Path::new("test_files/rules/level_yaml");
let fill_ids = RuleFill { let fill_ids = RuleFill {
no_use_rule: HashMap::from([("".to_string(), true)]), no_use_rule: HashSet::new(),
}; };
yaml.read_dir(path.to_path_buf(), &"", fill_ids).unwrap(); yaml.read_dir(path.to_path_buf(), &"", &fill_ids).unwrap();
assert_eq!(yaml.files.len(), 5); assert_eq!(yaml.files.len(), 5);
} }
@@ -223,9 +223,9 @@ mod tests {
let mut yaml = yaml::ParseYaml::new(); let mut yaml = yaml::ParseYaml::new();
let path = Path::new("test_files/rules/level_yaml"); let path = Path::new("test_files/rules/level_yaml");
let fill_ids = RuleFill { let fill_ids = RuleFill {
no_use_rule: HashMap::from([("".to_string(), true)]), no_use_rule: HashSet::new(),
}; };
yaml.read_dir(path.to_path_buf(), &"informational", fill_ids) yaml.read_dir(path.to_path_buf(), &"informational", &fill_ids)
.unwrap(); .unwrap();
assert_eq!(yaml.files.len(), 5); assert_eq!(yaml.files.len(), 5);
} }
@@ -234,9 +234,9 @@ mod tests {
let mut yaml = yaml::ParseYaml::new(); let mut yaml = yaml::ParseYaml::new();
let path = Path::new("test_files/rules/level_yaml"); let path = Path::new("test_files/rules/level_yaml");
let fill_ids = RuleFill { let fill_ids = RuleFill {
no_use_rule: HashMap::from([("".to_string(), true)]), no_use_rule: HashSet::new(),
}; };
yaml.read_dir(path.to_path_buf(), &"LOW", fill_ids).unwrap(); yaml.read_dir(path.to_path_buf(), &"LOW", &fill_ids).unwrap();
assert_eq!(yaml.files.len(), 4); assert_eq!(yaml.files.len(), 4);
} }
#[test] #[test]
@@ -244,9 +244,9 @@ mod tests {
let mut yaml = yaml::ParseYaml::new(); let mut yaml = yaml::ParseYaml::new();
let path = Path::new("test_files/rules/level_yaml"); let path = Path::new("test_files/rules/level_yaml");
let fill_ids = RuleFill { let fill_ids = RuleFill {
no_use_rule: HashMap::from([("".to_string(), true)]), no_use_rule: HashSet::new(),
}; };
yaml.read_dir(path.to_path_buf(), &"MEDIUM", fill_ids) yaml.read_dir(path.to_path_buf(), &"MEDIUM", &fill_ids)
.unwrap(); .unwrap();
assert_eq!(yaml.files.len(), 3); assert_eq!(yaml.files.len(), 3);
} }
@@ -255,9 +255,9 @@ mod tests {
let mut yaml = yaml::ParseYaml::new(); let mut yaml = yaml::ParseYaml::new();
let path = Path::new("test_files/rules/level_yaml"); let path = Path::new("test_files/rules/level_yaml");
let fill_ids = RuleFill { let fill_ids = RuleFill {
no_use_rule: HashMap::from([("".to_string(), true)]), no_use_rule: HashSet::new(),
}; };
yaml.read_dir(path.to_path_buf(), &"HIGH", fill_ids) yaml.read_dir(path.to_path_buf(), &"HIGH", &fill_ids)
.unwrap(); .unwrap();
assert_eq!(yaml.files.len(), 2); assert_eq!(yaml.files.len(), 2);
} }
@@ -266,9 +266,9 @@ mod tests {
let mut yaml = yaml::ParseYaml::new(); let mut yaml = yaml::ParseYaml::new();
let path = Path::new("test_files/rules/level_yaml"); let path = Path::new("test_files/rules/level_yaml");
let fill_ids = RuleFill { let fill_ids = RuleFill {
no_use_rule: HashMap::from([("".to_string(), true)]), no_use_rule: HashSet::new(),
}; };
yaml.read_dir(path.to_path_buf(), &"CRITICAL", fill_ids) yaml.read_dir(path.to_path_buf(), &"CRITICAL", &fill_ids)
.unwrap(); .unwrap();
assert_eq!(yaml.files.len(), 1); assert_eq!(yaml.files.len(), 1);
} }