kazuminn
54 lines
1.4 KiB
Rust
54 lines
1.4 KiB
Rust
extern crate regex;
|
|
|
|
use crate::models::event;
|
|
use regex::Regex;
|
|
use std::collections::HashMap;
|
|
|
|
pub struct AppLocker {}
|
|
|
|
impl AppLocker {
|
|
pub fn new() -> AppLocker {
|
|
AppLocker {}
|
|
}
|
|
|
|
pub fn detection(
|
|
&mut self,
|
|
event_id: String,
|
|
_system: &event::System,
|
|
_event_data: HashMap<String, String>,
|
|
) {
|
|
self.appLocker_log_warning(&event_id, &_system);
|
|
self.appLocker_log_block(&event_id, &_system);
|
|
}
|
|
|
|
fn appLocker_log_warning(&mut self, event_id: &String, system: &event::System) {
|
|
if event_id != "8003" {
|
|
return;
|
|
}
|
|
|
|
let re = Regex::new(r" was .*$").unwrap();
|
|
let default = "".to_string();
|
|
let message = &system.message.as_ref().unwrap_or(&default);
|
|
let command = re.replace_all(&message, "");
|
|
|
|
println!("Message Applocker Warning");
|
|
println!("Command : {}", command);
|
|
println!("Results : {}", message);
|
|
}
|
|
|
|
fn appLocker_log_block(&mut self, event_id: &String, system: &event::System) {
|
|
if event_id != "8004" {
|
|
return;
|
|
}
|
|
|
|
let re = Regex::new(r" was .*$").unwrap();
|
|
let default = "".to_string();
|
|
let message = &system.message.as_ref().unwrap_or(&default);
|
|
let command = re.replace_all(&message, "");
|
|
|
|
println!("Message Applocker Block");
|
|
println!("Command : {}", command);
|
|
println!("Results : {}", message);
|
|
}
|
|
}
|