aliasキーがない場合もEvent.EventDataを自動で走査する (#442)

* add no event key

* support not-register-alias search

* added checking EventData when key do not match in alias #290

- added checking key in Event.EventData, if key is not exist in eventkey_alias.txt.

* cargo fmt

* fixed panic when filter files does not exists

* fixed errorlog format when filter config files does not exist

Co-authored-by: DustInDark <nextsasasa@gmail.com>

src/detections/print.rs

@@ -100,7 +100,13 @@ impl Message {
                 .take(target_length)
                 .collect::<String>();
 
-            if let Some(array_str) = configs::EVENTKEY_ALIAS.get_event_key(&target_str) {
+            let array_str;
+            if let Some(_array_str) = configs::EVENTKEY_ALIAS.get_event_key(&target_str) {
+                array_str = _array_str.to_string();
+            } else {
+                array_str = "Event.EventData.".to_owned() + &target_str;
+            }
+
             let split: Vec<&str> = array_str.split('.').collect();
             let mut is_exist_event_key = false;
             let mut tmp_event_record: &Value = event_record;
@@ -122,7 +128,6 @@ impl Message {
                 }
             }
         }
-        }
 
         for (k, v) in &hash_map {
             return_message = return_message.replace(k, v);
@@ -393,6 +398,27 @@ mod tests {
             expected,
         );
     }
+
+    #[test]
+    fn test_parse_message_auto_search() {
+        let mut message = Message::new();
+        let json_str = r##"
+        {
+            "Event": {
+                "EventData": {
+                    "NoAlias": "no_alias"
+                }
+            }
+        }
+    "##;
+        let event_record: Value = serde_json::from_str(json_str).unwrap();
+        let expected = "alias:no_alias";
+        assert_eq!(
+            message.parse_message(&event_record, "alias:%NoAlias%".to_owned()),
+            expected,
+        );
+    }
+
     #[test]
     /// outputで指定されているキーが、eventkey_alias.txt内で設定されていない場合の出力テスト
     fn test_parse_message_not_exist_key_in_output() {
@@ -412,9 +438,9 @@ mod tests {
         }
     "##;
         let event_record: Value = serde_json::from_str(json_str).unwrap();
-        let expected = "NoExistKey:%TESTNoExistKey%";
+        let expected = "NoExistAlias:%NoAliasNoHit%";
         assert_eq!(
-            message.parse_message(&event_record, "NoExistKey:%TESTNoExistKey%".to_owned()),
+            message.parse_message(&event_record, "NoExistAlias:%NoAliasNoHit%".to_owned()),
             expected,
         );
     }

src/detections/utils.rs

@@ -166,8 +166,8 @@ pub fn get_event_value<'a>(key: &str, event_value: &'a Value) -> Option<&'a Valu
     }
 
     let event_key = configs::EVENTKEY_ALIAS.get_event_key(key);
-    if let Some(event_key) = event_key {
     let mut ret: &Value = event_value;
+    if let Some(event_key) = event_key {
         // get_event_keyが取得できてget_event_key_splitが取得できないことはない
         let splits = configs::EVENTKEY_ALIAS.get_event_key_split(key);
         let mut start_idx = 0;
@@ -184,8 +184,12 @@ pub fn get_event_value<'a>(key: &str, event_value: &'a Value) -> Option<&'a Valu
 
         Option::Some(ret)
     } else {
-        let mut ret: &Value = event_value;
-        let event_key = key;
+        let event_key;
+        if !key.contains('.') {
+            event_key = "Event.EventData.".to_string() + key;
+        } else {
+            event_key = key.to_string();
+        }
         for key in event_key.split('.') {
             if !ret.is_object() {
                 return Option::None;

src/filter.rs

@@ -126,8 +126,9 @@ impl RuleExclude {
                 ERROR_LOG_STACK
                     .lock()
                     .unwrap()
-                    .push(format!("{} does not exist", filename));
+                    .push(format!("[WARN] {} does not exist", filename));
             }
+            return;
         }
         let reader = BufReader::new(f.unwrap());
         for v in reader.lines() {