From 1718831307942c784b4969e317c2035bfe4dff53 Mon Sep 17 00:00:00 2001
From: DastInDark <2350416+hitenkoku@users.noreply.github.com>
Date: Fri, 13 Oct 2023 00:33:12 +0900
Subject: [PATCH] fix: fixed overwritten AllFieldInfo key name to ExtraFieldInfo key name #1186
---
 src/afterfact.rs | 20 +++++++++----------
 src/detections/detection.rs | 16 ++++++---------
 src/detections/message.rs | 40 ++++++++++---------------------------
 3 files changed, 26 insertions(+), 50 deletions(-)
diff --git a/src/afterfact.rs b/src/afterfact.rs
index 23d8c63b6..0fd14b484 100644
--- a/src/afterfact.rs
+++ b/src/afterfact.rs
@@ -2046,7 +2046,7 @@ mod tests {
 },
 expect_time,
 &profile_converter,
- (false, false, false),
+ (false, false),
 (&eventkey_alias, &FieldDataMapKey::default(), &None),
 );
 *profile_converter.get_mut("Computer").unwrap() =
@@ -2069,7 +2069,7 @@ mod tests {
 },
 expect_time,
 &profile_converter,
- (false, false, false),
+ (false, false),
 (&eventkey_alias, &FieldDataMapKey::default(), &None),
 );
 let multi = message::MESSAGES.get(&expect_time).unwrap();
@@ -2371,7 +2371,7 @@ mod tests {
 },
 expect_time,
 &profile_converter,
- (false, false, true),
+ (false, false),
 (&eventkey_alias, &FieldDataMapKey::default(), &None),
 );
 *profile_converter.get_mut("Computer").unwrap() =
@@ -2394,7 +2394,7 @@ mod tests {
 },
 expect_time,
 &profile_converter,
- (false, false, true),
+ (false, false),
 (&eventkey_alias, &FieldDataMapKey::default(), &None),
 );
 let multi = message::MESSAGES.get(&expect_time).unwrap();
@@ -2686,7 +2686,7 @@ mod tests {
 },
 expect_time,
 &profile_converter,
- (false, false, false),
+ (false, false),
 (&eventkey_alias, &FieldDataMapKey::default(), &None),
 );
 *profile_converter.get_mut("Computer").unwrap() =
@@ -2709,7 +2709,7 @@ mod tests {
 },
 expect_time,
 &profile_converter,
- (false, false, false),
+ (false, false),
 (&eventkey_alias, &FieldDataMapKey::default(), &None),
 );
 let multi = message::MESSAGES.get(&expect_time).unwrap();
@@ -3011,7 +3011,7 @@ mod tests {
 },
 expect_time,
 &profile_converter,
- (false, true, true),
+ (false, true),
 (&eventkey_alias, &FieldDataMapKey::default(), &None),
 );
 *profile_converter.get_mut("Computer").unwrap() =
@@ -3034,7 +3034,7 @@ mod tests {
 },
 expect_time,
 &profile_converter,
- (false, true, true),
+ (false, true),
 (&eventkey_alias, &FieldDataMapKey::default(), &None),
 );
 let multi = message::MESSAGES.get(&expect_time).unwrap();
@@ -3558,7 +3558,7 @@ mod tests {
 },
 expect_time,
 &profile_converter,
- (false, true, true),
+ (false, true),
 (&eventkey_alias, &FieldDataMapKey::default(), &None),
 );
 *profile_converter.get_mut("Computer").unwrap() =
@@ -3821,7 +3821,7 @@ mod tests {
 },
 expect_time,
 &profile_converter,
- (false, true, true),
+ (false, true),
 (&eventkey_alias, &FieldDataMapKey::default(), &None),
 );
 *profile_converter.get_mut("Computer").unwrap() =
diff --git a/src/detections/detection.rs b/src/detections/detection.rs
index d9040e98a..c4d9fec19 100644
--- a/src/detections/detection.rs
+++ b/src/detections/detection.rs
@@ -5,10 +5,10 @@ use crate::detections::utils::{
 create_recordinfos, format_time, output_profile_name, write_color_buffer,
 };
 use crate::options::profile::Profile::{
- self, AllFieldInfo, Channel, Computer, EventID, EvtxFile, Level, MitreTactics, MitreTags,
- OtherTags, Provider, RecordID, RecoveredRecord, RenderedMessage, RuleAuthor, RuleCreationDate,
- RuleFile, RuleID, RuleModifiedDate, RuleTitle, SrcASN, SrcCity, SrcCountry, Status, TgtASN,
- TgtCity, TgtCountry, Timestamp,
+ self, Channel, Computer, EventID, EvtxFile, Level, MitreTactics, MitreTags, OtherTags,
+ Provider, RecordID, RecoveredRecord, RenderedMessage, RuleAuthor, RuleCreationDate, RuleFile,
+ RuleID, RuleModifiedDate, RuleTitle, SrcASN, SrcCity, SrcCountry, Status, TgtASN, TgtCity,
+ TgtCountry, Timestamp,
 };
 use chrono::{TimeZone, Utc};
 use compact_str::CompactString;
@@ -276,7 +276,6 @@ impl Detection {
 let tags_config_values: Vec<&CompactString> = TAGS_CONFIG.values().collect();
 let binding = STORED_EKEY_ALIAS.read().unwrap();
 let eventkey_alias = binding.as_ref().unwrap();
- let mut included_all_field_info_flag = false;
 let is_json_timeline =
 matches!(stored_static.config.action, Some(Action::JsonTimeline(_)));
 for (key, profile) in stored_static.profiles.as_ref().unwrap().iter() {
@@ -649,9 +648,6 @@ impl Detection {
 .entry("SrcCity")
 .and_modify(|p| *p = SrcCity(src_data.next().unwrap().to_owned().into()));
 }
- AllFieldInfo(_) => {
- included_all_field_info_flag = true;
- }
 _ => {}
 }
 }
@@ -703,7 +699,7 @@ impl Detection {
 detect_info,
 time,
 &profile_converter,
- (false, is_json_timeline, included_all_field_info_flag),
+ (false, is_json_timeline),
 (
 eventkey_alias,
 &field_data_map_key,
@@ -926,7 +922,7 @@ impl Detection {
 detect_info,
 agg_result.start_timedate,
 &profile_converter,
- (true, is_json_timeline, false),
+ (true, is_json_timeline),
 (eventkey_alias, &field_data_map_key, &None),
 )
 }
diff --git a/src/detections/message.rs b/src/detections/message.rs
index 9d7f3090f..f7ff2a640 100644
--- a/src/detections/message.rs
+++ b/src/detections/message.rs
@@ -119,7 +119,7 @@ pub fn insert(
 mut detect_info: DetectInfo,
 time: DateTime,
 profile_converter: &HashMap<&str, Profile>,
- (is_agg, is_json_timeline, included_all_field_info): (bool, bool, bool),
+ (is_agg, is_json_timeline): (bool, bool),
 (eventkey_alias, field_data_map_key, field_data_map): (
 &EventKeyAliasConfig,
 &FieldDataMapKey,
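Review bot: The new `(is_agg, is_json_timeline): (bool, bool)` parameter in the `@@ -119` hunk of message.rs leaves two positional flags whose meaning is invisible at the call sites (`(false, false)` in the afterfact.rs tests, `(true, is_json_timeline)` in detection.rs), and nothing in the hunk documents them; `insert` starts and ends outside this hunk. Both flags are grounded in the diff — `is_agg` is `true` only for the `agg_result.start_timedate` call and `is_json_timeline` comes from `matches!(stored_static.config.action, Some(Action::JsonTimeline(_)))` — so a comment on the parameter line, `// (is_agg, is_json_timeline): result of an aggregation rule; output target is the JSON timeline`, or a sentence in `insert`'s doc comment would make the tuple self-explaining. A small struct or two named `bool` parameters would be the stronger fix, but the comment alone is enough for a reader of the call sites.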
@@ -192,12 +192,12 @@ pub fn insert(
 AllFieldInfo(_) => {
 if is_agg {
 replaced_profiles.push((key.to_owned(), AllFieldInfo("-".into())));
- } else if record_details_info_map.get("#AllFieldInfo").is_some() {
- // ExtraFieldInfoの要素の作成の際に、record_details_info_mapに要素を追加しているときにはAllFieldInfoの要素をすでに追加しているためスキップする
- continue;
 } else {
- let recinfos =
- utils::create_recordinfos(event_record, field_data_map_key, field_data_map);
+ let recinfos = if let Some(c) = record_details_info_map.get("#AllFieldInfo") {
+ c.to_owned()
+ } else {
+ utils::create_recordinfos(event_record, field_data_map_key, field_data_map)
+ };
 let rec = if recinfos.is_empty() {
 "-".to_string()
 } else if !is_json_timeline {
@@ -232,32 +232,12 @@ pub fn insert(
 .iter()
 .map(|x| x.split_once(": ").unwrap_or_default().1),
 );
- let profile_all_field_info = if let Some(all_field_info_val) =
- profile_all_field_info_prof
- {
- all_field_info_val.to_owned()
- } else {
- let recinfos =
- utils::create_recordinfos(event_record, field_data_map_key, field_data_map);
- let rec = if recinfos.is_empty() {
- "-".to_string()
- } else if !is_json_timeline {
- recinfos.join(" ¦ ")
+ let profile_all_field_info =
+ if let Some(all_field_info_val) = profile_all_field_info_prof {
+ all_field_info_val.to_owned()
 } else {
- String::default()
+ utils::create_recordinfos(event_record, field_data_map_key, field_data_map)
 };
-
- if included_all_field_info {
- record_details_info_map.insert("#AllFieldInfo".into(), recinfos.clone());
- if is_json_timeline {
- replaced_profiles.push((key.to_owned(), AllFieldInfo("".into())));
- } else {
- replaced_profiles
- .push((key.to_owned(), AllFieldInfo(rec.clone().into())));
- }
- }
- recinfos
- };
 let extra_field_vec = profile_all_field_info
 .iter()
 .filter(|x| {
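Review bot: The `record_details_info_map.get("#AllFieldInfo")` lookup added in the `AllFieldInfo(_)` arm of the `@@ -192` hunk has no remaining writer in this diff — the only `record_details_info_map.insert("#AllFieldInfo".into(), …)` was in the `ExtraFieldInfo` code removed in the `@@ -232` hunk — so unless an insert survives elsewhere in `insert` (which starts and ends outside both hunks), the `if let Some(c)` branch is dead and both arms call `utils::create_recordinfos` for every record whose profile lists both columns. The key-name fix itself looks right: the `AllFieldInfo` entry is now pushed only from its own arm under its own `key`, so it can no longer be recorded under the `ExtraFieldInfo` key. If the cache is intended, the arm that computes first should store the result, e.g. `record_details_info_map.entry("#AllFieldInfo".into()).or_insert_with(|| utils::create_recordinfos(event_record, field_data_map_key, field_data_map)).to_owned()` in place of the `if let … else` (assuming the map is a `HashMap`, which the `.get`/`.insert` usage suggests), with the mirror-image store in the `ExtraFieldInfo` arm; otherwise drop the lookup and call `create_recordinfos` directly so the code does not advertise a cache it never fills. Either way a comment on the lookup, `// populated by the ExtraFieldInfo arm when it runs first; recomputed otherwise`, would spare the next reader the search.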