* fixed no detected bug when enter and tab control character in record data #395
* added remove \r \n \t character in utils.rs
* added call of utils.rs function in selectionnodes.rs
* added tests #395
* changed space control character function args #395
* fixed test due to function args changes #395
* changed replace method using regex #395
* changed regex by record_data_filter.txt #395
* added record_data_filter.txt #395
* fixed test #395
* added record_data_filter
- add Properties regex
- add ScriptBlockText regex
- add Payload regex
* added color carete #239
* added hex library
* added color config file parser #239
* added color output feature #239
* changed fast hashmap library
* added color output description(Japanese) #239
* added color output description(English) #239
* fixed medium level typo
* removed white color font level #239
* added trim and loose colorcode condition #239
* fixed hex convert error panic #239
- output warn and go next iterator when happen hex convert panic
- added user input in hex convert warn output to use easily
* update rule config files and art
* regexサンプルファイルの名前変更
* fixed test error due to filename change #291
Co-authored-by: DustInDark <nextsasasa@gmail.com>
* removed no use alias #227
* changed case of object type return none #227
- serde json value is object type when alias key dont exist in detected record.
* adjust serde_number_to_string function return value change #227
* adjust yml rule to change of aliaskey_alias.txt #227
* merged same regex as static
* create new struct to reduce same output in rule and keyword warn message #227
* changed output position
* removed regression warnings #227
* removed output wanring
* Fixed a possible panic when None. #227
* added parse_message test #227
* added get_serde_number_to_string tests #227
* removed unnecessary test data part in get_serde_numuber_to_string test #227
* Feature/call error message struct#66 (#69)
* change way to use write trait #66
* change call error message struct #66
* erase finished TODO #66
* erase comment in error message format test #66
* resolve conflict #66
* Feature/call error message struct#66 (#71)
* change ERROR writeln struct #66
* under constructing
* add statistics template
* fix
* add comment
* add condition impl #93
* fix erased get_descendants and remove unnecessaly struct #93
* erased finished TODO comment
* erased finished TODO comment
* Revert "fix erased get_descendants and remove unnecessaly struct #93"
This reverts commit 82e905e045.
Revert "add condition impl #93"
This reverts commit 19ecc87377.
* add doc comment to rule function
* fix and add test doc commet
* add doc to AggregaationParseInfo
* add struct count in aggregation condition. #93
* add evaluate aggregation condition func provisional architecture. #93
* add countup function #93
* fix key to count hashmap #93
* add judge aggregation condition function #93
* fix error #93
* fix test #93
* share compile error ver
* fix detection.rs compile error
* fix timeframe parse
* add countup process in select
* fix select argument
* add test countup
* add test count judge #93
* add SIGMA windows count field and by keyword #93
* fix reference record in countup/judgecount #93
* add timedata in countup schema #93
* Refact: split code for matcher from rule.rs
* Reafact: combine multiple declared functions
* Refact: split code for SelectionNode from rule.rs
* Refact: mv test code for SelectionNode from rule.rs
* Refact: mv condition's code from rule.rs
* add count to detection #93
* fix compile error
* fix source to test ng. #93
* erase unused variable #93
* fix count architecture #93
* fix comment and compile error
* erase dust (response to review)
* erase dust (response to review)
* reduce calling Rulenode function (response to review)
* add aggregation output func
* erase dust(response to review) and add agg condition String func
* change error output
* reduce call RuleNode function(response to review)
* To reduce call RuleNode function
* fix test name
* fix coflicted resolve miss
* add code comment in timeframe count.
* add sort record timedata in timeframe(response to review)
* fix unnecesasry result in ArgResult
* add no field and by value count test
* create count test no field and by with timeframe
* erase duplicated timeframe data in RuleNode
* fix test error no field and no by count with timeframe
* fix test name
* add test case of exist field and by count.
* fix by count test and add test count othervalue in timeframe
* add test
* fix judge_timeframe logic when indexout
* fix test name and add count test field and by with timeframe
* adjust #120
* move associated count function from rulenode
* fix error when resolve conflict
* adjust T1197_bitsjob_started
* fix no output bug if exist output
* add alias to adapt SIGMA Rules #124
* add rule to bitsjob #130
* decilde sha1 is excepted #124
* prepare merge main
Co-authored-by: HajimeTakai <takai.wa.hajime@gmail.com>
Co-authored-by: itiB <is0312vx@ed.ritsumei.ac.jp>
* Feature/call error message struct#66 (#69)
* change way to use write trait #66
* change call error message struct #66
* erase finished TODO #66
* erase comment in error message format test #66
* resolve conflict #66
* Feature/call error message struct#66 (#71)
* change ERROR writeln struct #66
* under constructing
* add statistics template
* fix
* add comment
* add condition impl #93
* fix erased get_descendants and remove unnecessaly struct #93
* erased finished TODO comment
* erased finished TODO comment
* Revert "fix erased get_descendants and remove unnecessaly struct #93"
This reverts commit 82e905e045.
Revert "add condition impl #93"
This reverts commit 19ecc87377.
* add doc comment to rule function
* fix and add test doc commet
* add doc to AggregaationParseInfo
* add struct count in aggregation condition. #93
* add evaluate aggregation condition func provisional architecture. #93
* add countup function #93
* fix key to count hashmap #93
* add judge aggregation condition function #93
* fix error #93
* fix test #93
* share compile error ver
* fix detection.rs compile error
* fix timeframe parse
* add countup process in select
* fix select argument
* add test countup
* add test count judge #93
* add SIGMA windows count field and by keyword #93
* fix reference record in countup/judgecount #93
* add timedata in countup schema #93
* Refact: split code for matcher from rule.rs
* Reafact: combine multiple declared functions
* Refact: split code for SelectionNode from rule.rs
* Refact: mv test code for SelectionNode from rule.rs
* Refact: mv condition's code from rule.rs
* add count to detection #93
* fix compile error
* fix source to test ng. #93
* erase unused variable #93
* fix count architecture #93
* fix comment and compile error
* erase dust (response to review)
* erase dust (response to review)
* reduce calling Rulenode function (response to review)
* add aggregation output func
* erase dust(response to review) and add agg condition String func
* change error output
* reduce call RuleNode function(response to review)
* To reduce call RuleNode function
* fix test name
* fix coflicted resolve miss
* add code comment in timeframe count.
* add sort record timedata in timeframe(response to review)
* fix unnecesasry result in ArgResult
* add no field and by value count test
* create count test no field and by with timeframe
* erase duplicated timeframe data in RuleNode
* fix test error no field and no by count with timeframe
* fix test name
* add test case of exist field and by count.
* fix by count test and add test count othervalue in timeframe
* add test
* fix judge_timeframe logic when indexout
* fix test name and add count test field and by with timeframe
* adjust #120
* move associated count function from rulenode
* fix error when resolve conflict
* adjust T1197_bitsjob_started
* fix no output bug if exist output
* add rule to bitsjob #130
Co-authored-by: HajimeTakai <takai.wa.hajime@gmail.com>
Co-authored-by: itiB <is0312vx@ed.ritsumei.ac.jp>
* Feature/call error message struct#66 (#69)
* change way to use write trait #66
* change call error message struct #66
* erase finished TODO #66
* erase comment in error message format test #66
* resolve conflict #66
* Feature/call error message struct#66 (#71)
* change ERROR writeln struct #66
* under constructing
* add statistics template
* fix
* add comment
* add condition impl #93
* fix erased get_descendants and remove unnecessaly struct #93
* erased finished TODO comment
* erased finished TODO comment
* Revert "fix erased get_descendants and remove unnecessaly struct #93"
This reverts commit 82e905e045.
Revert "add condition impl #93"
This reverts commit 19ecc87377.
* add doc comment to rule function
* fix and add test doc commet
* add doc to AggregaationParseInfo
* add struct count in aggregation condition. #93
* add evaluate aggregation condition func provisional architecture. #93
* add countup function #93
* fix key to count hashmap #93
* add judge aggregation condition function #93
* fix error #93
* fix test #93
* share compile error ver
* fix detection.rs compile error
* fix timeframe parse
* add countup process in select
* fix select argument
* add test countup
* add test count judge #93
* add SIGMA windows count field and by keyword #93
* fix reference record in countup/judgecount #93
* add timedata in countup schema #93
* Refact: split code for matcher from rule.rs
* Reafact: combine multiple declared functions
* Refact: split code for SelectionNode from rule.rs
* Refact: mv test code for SelectionNode from rule.rs
* Refact: mv condition's code from rule.rs
* add count to detection #93
* fix compile error
* fix source to test ng. #93
* erase unused variable #93
* fix count architecture #93
* fix comment and compile error
* erase dust (response to review)
* erase dust (response to review)
* reduce calling Rulenode function (response to review)
* add aggregation output func
* erase dust(response to review) and add agg condition String func
* change error output
* reduce call RuleNode function(response to review)
* To reduce call RuleNode function
* fix test name
* fix coflicted resolve miss
* add code comment in timeframe count.
* add sort record timedata in timeframe(response to review)
* fix unnecesasry result in ArgResult
* add no field and by value count test
* create count test no field and by with timeframe
* erase duplicated timeframe data in RuleNode
* fix test error no field and no by count with timeframe
* fix test name
* add test case of exist field and by count.
* fix by count test and add test count othervalue in timeframe
* add test
* fix judge_timeframe logic when indexout
* fix test name and add count test field and by with timeframe
* adjust #120
* move associated count function from rulenode
* fix error when resolve conflict
* fix no output bug if exist output
Co-authored-by: HajimeTakai <takai.wa.hajime@gmail.com>
Co-authored-by: itiB <is0312vx@ed.ritsumei.ac.jp>
