From fd653f24fc3abb54a9672241c6dc44b6b04805ed Mon Sep 17 00:00:00 2001
From: DastInDark <2350416+hitenkoku@users.noreply.github.com>
Date: Sun, 21 Aug 2022 02:28:38 +0900
Subject: [PATCH] added count by rule titles variable

---
 src/afterfact.rs | 18 ++++++++++++++++++
 src/detections/detection.rs | 2 ++
 src/detections/message.rs | 2 ++
 3 files changed, 22 insertions(+)

diff --git a/src/afterfact.rs b/src/afterfact.rs
index a1a6094c..e31601ea 100644
--- a/src/afterfact.rs
+++ b/src/afterfact.rs
@@ -184,12 +184,15 @@ fn emit_csv(
 HashMap::new();
 let mut detect_counts_by_computer_and_level: HashMap> =
 HashMap::new();
+ let mut detect_counts_by_rule_and_level: HashMap> =
+ HashMap::new();
 let levels = Vec::from(["crit", "high", "med ", "low ", "info", "undefined"]);
 // レベル別、日ごとの集計用変数の初期化
 for level_init in levels {
 detect_counts_by_date_and_level.insert(level_init.to_string(), HashMap::new());
 detect_counts_by_computer_and_level.insert(level_init.to_string(), HashMap::new());
+ detect_counts_by_rule_and_level.insert(level_init.to_string(), HashMap::new());
 }
 if displayflag {
 println!();
@@ -277,6 +280,20 @@ fn emit_csv(
 .insert(detect_info.level.to_lowercase(), detect_counts_by_computer);
 }
+ let mut detect_counts_by_rules = detect_counts_by_rule_and_level .get(&detect_info.level.to_lowercase()) .unwrap_or_else(|| { detect_counts_by_computer_and_level .get("undefined") .unwrap() }) .clone(); *detect_counts_by_rules .entry(Clone::clone(&detect_info.ruletitle)) .or_insert(0) += 1; detect_counts_by_rule_and_level .insert(detect_info.level.to_lowercase(), detect_counts_by_rules);
+
 total_detect_counts_by_level[level_suffix] += 1;
 detect_counts_by_date_and_level
 .insert(detect_info.level.to_lowercase(), detect_counts_by_date);
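Review bot: The `unwrap_or_else` fallback in the new tally block of the hunk at `@@ -277,6 +280,20 @@` reads `detect_counts_by_computer_and_level.get("undefined")` instead of `detect_counts_by_rule_and_level.get("undefined")`, so a detection whose lowercased level is not one of the six keys pre-seeded in the first hunk seeds its rule-title map with computer-name counts and stores that copy under the level key. The closure should name the rule map, as the preceding computer-count block presumably names its own. Cloning the whole inner map and re-inserting it for every detection is also avoidable: `*detect_counts_by_rule_and_level.entry(detect_info.level.to_lowercase()).or_default().entry(detect_info.ruletitle.clone()).or_insert(0) += 1;` does the same tally in place, provided the copy-from-"undefined" behaviour for unknown levels is not relied on. `Clone::clone(&detect_info.ruletitle)` reads more naturally as `detect_info.ruletitle.clone()`. `emit_csv` starts before and ends after this hunk.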
@@ -663,6 +680,7 @@ mod tests {
 output.to_string(),
 DetectInfo {
 rulepath: test_rulepath.to_string(),
+ ruletitle: test_title.to_string(),
 level: test_level.to_string(),
 computername: test_computername.to_string(),
 eventid: test_eventid.to_string(),
diff --git a/src/detections/detection.rs b/src/detections/detection.rs
index 258ab4b4..ae3c2e3c 100644
--- a/src/detections/detection.rs
+++ b/src/detections/detection.rs
@@ -362,6 +362,7 @@ impl Detection {
 let detect_info = DetectInfo {
 rulepath: (&rule.rulepath).to_owned(),
+ ruletitle: rule.yaml["title"].as_str().unwrap_or("-").to_string(),
 level: LEVEL_ABBR.get(&level).unwrap_or(&level).to_string(),
 computername: record_info.record["Event"]["System"]["Computer"]
 .to_string()
@@ -492,6 +493,7 @@ impl Detection {
 let detect_info = DetectInfo {
 rulepath: (&rule.rulepath).to_owned(),
+ ruletitle: rule.yaml["title"].as_str().unwrap_or("-").to_string(),
 level: LEVEL_ABBR.get(&level).unwrap_or(&level).to_string(),
 computername: "-".to_owned(),
 eventid: "-".to_owned(),
diff --git a/src/detections/message.rs b/src/detections/message.rs
index 55b33fe2..9aff48c5 100644
--- a/src/detections/message.rs
+++ b/src/detections/message.rs
@@ -24,6 +24,7 @@ use termcolor::{BufferWriter, ColorChoice};
 #[derive(Debug, Clone)]
 pub struct DetectInfo {
 pub rulepath: String,
+ pub ruletitle: String,
 pub level: String,
 pub computername: String,
 pub eventid: String,
@@ -634,6 +635,7 @@ mod tests {
 for i in 1..2001 {
 let detect_info = DetectInfo {
 rulepath: "".to_string(),
+ ruletitle: "".to_string(),
 level: "".to_string(),
 computername: "".to_string(),
 eventid: i.to_string(),
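Review bot: The title lookup `rule.yaml["title"].as_str().unwrap_or("-").to_string()` is duplicated verbatim in the `detection.rs` hunks at `@@ -362,6 +362,7 @@` and `@@ -492,6 +493,7 @@`; a single accessor on the rule type (a `fn title(&self) -> &str` next to `rulepath`) would keep the `"-"` default in one place. Because this string becomes the key of the new per-rule tally in `afterfact.rs`, every rule with a missing or non-string `title` is merged into one `"-"` bucket, and two distinct rule files that share a title are merged as well; if the counts are meant to be per rule, `rulepath` is the unique key and the title is better carried alongside it for display. Both enclosing functions begin and end outside their hunks.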
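Review bot: The new `pub ruletitle: String` field on `DetectInfo` in the `message.rs` hunk at `@@ -24,6 +24,7 @@` has no doc comment, and nothing on the struct records what it holds when a rule has no title. A line such as `/// Rule `title` taken from the rule YAML, or "-" when the rule has none.` above the field would document the sentinel that the two construction sites in `detection.rs` apply. Adding a field to a `pub` struct also breaks any struct-literal construction elsewhere; the in-crate sites visible in this patch are all updated, but out-of-tree users of the struct, if any, are not.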