Feature/fix count() (#327)

2021-12-22 09:10:28 +09:00
parent 2e37e17300
commit ea685fb75a
5 changed files with 820 additions and 442 deletions
--- a/src/detections/detection.rs
+++ b/src/detections/detection.rs
@@ -131,7 +131,11 @@ impl Detection {
        return self;
    }

-    pub fn add_aggcondition_msg(&self) {
+    pub fn add_aggcondition_msges(self, rt: &Runtime) {
+        return rt.block_on(self.add_aggcondition_msg());
+    }
+
+    async fn add_aggcondition_msg(&self) {
        for rule in &self.rules {
            if !rule.has_agg_condition() {
                continue;
--- a/src/detections/rule/aggregation_parser.rs
+++ b/src/detections/rule/aggregation_parser.rs
@@ -23,7 +23,7 @@ pub struct AggregationParseInfo {
    pub _field_name: Option<String>,    // countの括弧に囲まれた部分の文字
    pub _by_field_name: Option<String>, // count() by の後に指定される文字列
    pub _cmp_op: AggregationConditionToken, // (必須)<とか>とか何が指定されたのか
-    pub _cmp_num: i32,                  // (必須)<とか>とかの後にある数値
+    pub _cmp_num: i64,                  // (必須)<とか>とかの後にある数値
 }

 #[derive(Debug)]
@@ -202,7 +202,7 @@ impl AggegationConditionCompiler {

        let token = token_ite.next().unwrap_or(AggregationConditionToken::SPACE);
        let cmp_number = if let AggregationConditionToken::KEYWORD(number) = token {
-            let number: Result<i32, _> = number.parse();
+            let number: Result<i64, _> = number.parse();
            if number.is_err() {
                // 比較演算子の後に数値が無い。
                return Result::Err("The compare operator needs a number like '> 3'.".to_string());
@@ -460,7 +460,7 @@ mod tests {
        );
    }

-    fn check_aggregation_condition_ope(expr: String, cmp_num: i32) -> AggregationConditionToken {
+    fn check_aggregation_condition_ope(expr: String, cmp_num: i64) -> AggregationConditionToken {
        let compiler = AggegationConditionCompiler::new();
        let result = compiler.compile(expr);

--- a/src/detections/rule/count.rs
+++ b/src/detections/rule/count.rs
--- a/src/detections/rule/mod.rs
+++ b/src/detections/rule/mod.rs
@@ -303,7 +303,7 @@ impl DetectionNode {
 /// countなどのaggregationの結果を出力する構造体
 pub struct AggResult {
    /// countなどの値
-    pub data: i32,
+    pub data: i64,
    /// count byで指定された条件のレコード内での値
    pub key: String,
    /// countの括弧内指定された項目の検知されたレコード内での値の配列。括弧内で指定がなかった場合は長さ0の配列となる
@@ -316,7 +316,7 @@ pub struct AggResult {

 impl AggResult {
    pub fn new(
-        data: i32,
+        data: i64,
        key: String,
        field_values: Vec<String>,
        start_timedate: DateTime<Utc>,
--- a/src/main.rs
+++ b/src/main.rs
@@ -170,6 +170,7 @@ impl App {
            detection = self.analysis_file(evtx_file, detection);
            pb.inc();
        }
+        detection.add_aggcondition_msges(&self.rt);
        after_fact();
    }

@@ -236,7 +237,6 @@ impl App {
            detection = detection.start(&self.rt, records_per_detect);
        }

-        detection.add_aggcondition_msg();
        tl.tm_stats_dsp_msg();

        return detection;