fix: fixed overwritten AllFieldInfo key name to ExtraFieldInfo key name
hitenkoku committed Oct 12, 2023
1 parent 2c06255 commit 1718831
Showing 3 changed files with 26 additions and 50 deletions.
20 changes: 10 additions & 10 deletions src/afterfact.rs
Expand Up @@ -2046,7 +2046,7 @@ mod tests {
},
expect_time,
&profile_converter,
(false, false, false),
(false, false),
(&eventkey_alias, &FieldDataMapKey::default(), &None),
);
*profile_converter.get_mut("Computer").unwrap() =
Expand All @@ -2069,7 +2069,7 @@ mod tests {
},
expect_time,
&profile_converter,
(false, false, false),
(false, false),
(&eventkey_alias, &FieldDataMapKey::default(), &None),
);
let multi = message::MESSAGES.get(&expect_time).unwrap();
Expand Down Expand Up @@ -2371,7 +2371,7 @@ mod tests {
},
expect_time,
&profile_converter,
(false, false, true),
(false, false),
(&eventkey_alias, &FieldDataMapKey::default(), &None),
);
*profile_converter.get_mut("Computer").unwrap() =
Expand All @@ -2394,7 +2394,7 @@ mod tests {
},
expect_time,
&profile_converter,
(false, false, true),
(false, false),
(&eventkey_alias, &FieldDataMapKey::default(), &None),
);
let multi = message::MESSAGES.get(&expect_time).unwrap();
Expand Down Expand Up @@ -2686,7 +2686,7 @@ mod tests {
},
expect_time,
&profile_converter,
(false, false, false),
(false, false),
(&eventkey_alias, &FieldDataMapKey::default(), &None),
);
*profile_converter.get_mut("Computer").unwrap() =
Expand All @@ -2709,7 +2709,7 @@ mod tests {
},
expect_time,
&profile_converter,
(false, false, false),
(false, false),
(&eventkey_alias, &FieldDataMapKey::default(), &None),
);
let multi = message::MESSAGES.get(&expect_time).unwrap();
Expand Down Expand Up @@ -3011,7 +3011,7 @@ mod tests {
},
expect_time,
&profile_converter,
(false, true, true),
(false, true),
(&eventkey_alias, &FieldDataMapKey::default(), &None),
);
*profile_converter.get_mut("Computer").unwrap() =
Expand All @@ -3034,7 +3034,7 @@ mod tests {
},
expect_time,
&profile_converter,
(false, true, true),
(false, true),
(&eventkey_alias, &FieldDataMapKey::default(), &None),
);
let multi = message::MESSAGES.get(&expect_time).unwrap();
Expand Down Expand Up @@ -3558,7 +3558,7 @@ mod tests {
},
expect_time,
&profile_converter,
(false, true, true),
(false, true),
(&eventkey_alias, &FieldDataMapKey::default(), &None),
);
*profile_converter.get_mut("Computer").unwrap() =
Expand Down Expand Up @@ -3821,7 +3821,7 @@ mod tests {
},
expect_time,
&profile_converter,
(false, true, true),
(false, true),
(&eventkey_alias, &FieldDataMapKey::default(), &None),
);
*profile_converter.get_mut("Computer").unwrap() =
16 changes: 6 additions & 10 deletions src/detections/detection.rs
Expand Up @@ -5,10 +5,10 @@ use crate::detections::utils::{
create_recordinfos, format_time, output_profile_name, write_color_buffer,
};
use crate::options::profile::Profile::{
self, AllFieldInfo, Channel, Computer, EventID, EvtxFile, Level, MitreTactics, MitreTags,
OtherTags, Provider, RecordID, RecoveredRecord, RenderedMessage, RuleAuthor, RuleCreationDate,
RuleFile, RuleID, RuleModifiedDate, RuleTitle, SrcASN, SrcCity, SrcCountry, Status, TgtASN,
TgtCity, TgtCountry, Timestamp,
self, Channel, Computer, EventID, EvtxFile, Level, MitreTactics, MitreTags, OtherTags,
Provider, RecordID, RecoveredRecord, RenderedMessage, RuleAuthor, RuleCreationDate, RuleFile,
RuleID, RuleModifiedDate, RuleTitle, SrcASN, SrcCity, SrcCountry, Status, TgtASN, TgtCity,
TgtCountry, Timestamp,
};
use chrono::{TimeZone, Utc};
use compact_str::CompactString;
Expand Down Expand Up @@ -276,7 +276,6 @@ impl Detection {
let tags_config_values: Vec<&CompactString> = TAGS_CONFIG.values().collect();
let binding = STORED_EKEY_ALIAS.read().unwrap();
let eventkey_alias = binding.as_ref().unwrap();
let mut included_all_field_info_flag = false;
let is_json_timeline = matches!(stored_static.config.action, Some(Action::JsonTimeline(_)));

for (key, profile) in stored_static.profiles.as_ref().unwrap().iter() {
Expand Down Expand Up @@ -649,9 +648,6 @@ impl Detection {
.entry("SrcCity")
.and_modify(|p| *p = SrcCity(src_data.next().unwrap().to_owned().into()));
}
AllFieldInfo(_) => {
included_all_field_info_flag = true;
}
_ => {}
}
}
Expand Down Expand Up @@ -703,7 +699,7 @@ impl Detection {
detect_info,
time,
&profile_converter,
(false, is_json_timeline, included_all_field_info_flag),
(false, is_json_timeline),
(
eventkey_alias,
&field_data_map_key,
Expand Down Expand Up @@ -926,7 +922,7 @@ impl Detection {
detect_info,
agg_result.start_timedate,
&profile_converter,
(true, is_json_timeline, false),
(true, is_json_timeline),

(eventkey_alias, &field_data_map_key, &None),
)
}
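Review bot: The aggregation-side `message::insert` call passing `(true, is_json_timeline),` is reported by the coverage check as not exercised by any test, and after this commit it appears to be the only caller that reaches the `is_agg` branch in message.rs (`AllFieldInfo("-".into())`). Because this commit changes the shape of that tuple parameter, a test in detection.rs's test module that drives the aggregation path would catch a future arity or ordering mistake at this call site that the compiler cannot (both remaining elements are `bool`). The enclosing method starts outside this hunk.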
40 changes: 10 additions & 30 deletions src/detections/message.rs
Expand Up @@ -119,7 +119,7 @@ pub fn insert(
mut detect_info: DetectInfo,
time: DateTime<Utc>,
profile_converter: &HashMap<&str, Profile>,
(is_agg, is_json_timeline, included_all_field_info): (bool, bool, bool),
(is_agg, is_json_timeline): (bool, bool),
(eventkey_alias, field_data_map_key, field_data_map): (
&EventKeyAliasConfig,
&FieldDataMapKey,
Expand Down Expand Up @@ -192,12 +192,12 @@ pub fn insert(
AllFieldInfo(_) => {
if is_agg {
replaced_profiles.push((key.to_owned(), AllFieldInfo("-".into())));
} else if record_details_info_map.get("#AllFieldInfo").is_some() {
// ExtraFieldInfoの要素の作成の際に、record_details_info_mapに要素を追加しているときにはAllFieldInfoの要素をすでに追加しているためスキップする
continue;
} else {
let recinfos =
utils::create_recordinfos(event_record, field_data_map_key, field_data_map);
let recinfos = if let Some(c) = record_details_info_map.get("#AllFieldInfo") {
c.to_owned()

} else {
utils::create_recordinfos(event_record, field_data_map_key, field_data_map)
};
let rec = if recinfos.is_empty() {
"-".to_string()
} else if !is_json_timeline {
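Review bot: The new `record_details_info_map.get("#AllFieldInfo")` lookup at the top of this hunk appears to have no remaining writer: the only insert of that key visible in this commit, `record_details_info_map.insert("#AllFieldInfo".into(), recinfos.clone())` in the next hunk of this file, is removed here, and the coverage check already flags the `c.to_owned()` branch as untested. Unless the key is populated elsewhere in `insert` (the function starts and ends outside these hunks), that branch is dead and the AllFieldInfo value is always recomputed, which may be intended but then the lookup is misleading. Either reduce it to `let recinfos = utils::create_recordinfos(event_record, field_data_map_key, field_data_map);`, or add a test that seeds `#AllFieldInfo` in the map so the branch is exercised and its precedence over a fresh computation is pinned.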
Expand Down Expand Up @@ -232,32 +232,12 @@ pub fn insert(
.iter()
.map(|x| x.split_once(": ").unwrap_or_default().1),
);
let profile_all_field_info = if let Some(all_field_info_val) =
profile_all_field_info_prof
{
all_field_info_val.to_owned()
} else {
let recinfos =
utils::create_recordinfos(event_record, field_data_map_key, field_data_map);
let rec = if recinfos.is_empty() {
"-".to_string()
} else if !is_json_timeline {
recinfos.join(" ¦ ")
let profile_all_field_info =
if let Some(all_field_info_val) = profile_all_field_info_prof {
all_field_info_val.to_owned()

} else {
String::default()
utils::create_recordinfos(event_record, field_data_map_key, field_data_map)
};

if included_all_field_info {
record_details_info_map.insert("#AllFieldInfo".into(), recinfos.clone());
if is_json_timeline {
replaced_profiles.push((key.to_owned(), AllFieldInfo("".into())));
} else {
replaced_profiles
.push((key.to_owned(), AllFieldInfo(rec.clone().into())));
}
}
recinfos
};
let extra_field_vec = profile_all_field_info
.iter()
.filter(|x| {
