Merge branch 'main' into 1083-cant-used-json-input-from-json-export-f…
…rom-splunk
YamatoSecurity authored Feb 28, 2024
2 parents a22d3af + 6f98edd commit 23d0d66
Showing 4 changed files with 20 additions and 18 deletions.
1 change: 1 addition & 0 deletions CHANGELOG-Japanese.md
Expand Up @@ -7,6 +7,7 @@
- 指定した`status`のルールのみを利用する`--include-status`オプションを追加した。 (#1193) (@hitenkoku)
- 未使用のクレートを削除した。(@YamatoSecurity)
- SplunkからエクスポートしたJSONファイルの入力に対応した。 (#1083) (@hitenkoku)
- パフォーマンスの改善 (#1277, #1278) (@fukusuket)

**バグ修正:**

3 changes: 2 additions & 1 deletion CHANGELOG.md
Expand Up @@ -6,7 +6,8 @@

- Added `--include-status` option: You can specify rules based on their `status`. (#1193) (@hitenkoku)
- Removed unused crates. (@YamatoSecurity)
- Adjusted JSON input file exported from Splunk. (#1083) (@hitenkoku)
- JSON input now supports the format exported from Splunk. (#1083) (@hitenkoku)
- Performance enchancements. (#1277, #1278) (@fukusuket)

**Bug Fixes:**

16 changes: 8 additions & 8 deletions src/detections/rule/aggregation_parser.rs
Expand Up @@ -88,29 +88,29 @@ impl AggegationConditionCompiler {
&self,
condition_str: String,
) -> Result<Vec<AggregationConditionToken>, String> {
let mut cur_condition_str = condition_str;
let mut cur_condition_str = condition_str.as_str();

let mut tokens = Vec::new();
while !cur_condition_str.is_empty() {
let captured = self::AGGREGATION_REGEXMAP.iter().find_map(|regex| {
return regex.captures(cur_condition_str.as_str());
return regex.captures(cur_condition_str);
});
if captured.is_none() {
// トークンにマッチしないのはありえないという方針でパースしています。
return Result::Err("An unusable character was found.".to_string());
}

let mached_str = captured.unwrap().get(0).unwrap().as_str();
let token = self.to_enum(mached_str.to_string());
let matched_str = captured.unwrap().get(0).unwrap().as_str();
let token = self.to_enum(matched_str);

if let AggregationConditionToken::Space = token {
// 空白は特に意味ないので、読み飛ばす。
cur_condition_str = cur_condition_str.replacen(mached_str, "", 1);
cur_condition_str = &cur_condition_str[matched_str.len()..];
continue;
}

tokens.push(token);
cur_condition_str = cur_condition_str.replacen(mached_str, "", 1);
cur_condition_str = &cur_condition_str[matched_str.len()..];
}

Result::Ok(tokens)
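Review bot: The new slicing at `cur_condition_str = &cur_condition_str[matched_str.len()..];` (twice in this hunk, and the same two lines in the `tokenize` hunk of src/detections/rule/condition_parser.rs) assumes the regex match starts at byte 0 of `cur_condition_str`; `Regex::captures` returns the leftmost match anywhere in the haystack, so unless every pattern in `AGGREGATION_REGEXMAP` is anchored with `^` (not visible here) a match at a later offset would drop the wrong bytes, and a cut that lands inside a multi-byte character panics. Taking the offset from the match itself is exact and always on a char boundary: `let m = captured.unwrap().get(0).unwrap();` then `if m.start() != 0 { return Result::Err("An unusable character was found.".to_string()); }` and `cur_condition_str = &cur_condition_str[m.end()..];`. As a point of style, the `captured.is_none()` check followed by `captured.unwrap()` could be one `let Some(cap) = … else { return Result::Err(…) };`, and the `return` inside the `find_map` closure is unnecessary. The enclosing function starts and ends outside the hunk.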
Expand Down Expand Up @@ -226,7 +226,7 @@ impl AggegationConditionCompiler {
}

/// 文字列をConditionTokenに変換する。
fn to_enum(&self, token: String) -> AggregationConditionToken {
fn to_enum(&self, token: &str) -> AggregationConditionToken {
if token.starts_with("count(") {
let count_field = token
.replacen("count(", "", 1)
Expand All @@ -248,7 +248,7 @@ impl AggegationConditionCompiler {
} else if token == ">" {
AggregationConditionToken::GT
} else {
AggregationConditionToken::Keyword(token)
AggregationConditionToken::Keyword(token.to_string())
}
}
}
18 changes: 9 additions & 9 deletions src/detections/rule/condition_parser.rs
Expand Up @@ -91,7 +91,7 @@ impl ConditionToken {
};
}

pub fn to_condition_token(token: String) -> ConditionToken {
pub fn to_condition_token(token: &str) -> ConditionToken {
if token == "(" {
ConditionToken::LeftParenthesis
} else if token == ")" {
Expand All @@ -105,7 +105,7 @@ impl ConditionToken {
} else if token == "or" {
ConditionToken::Or
} else {
ConditionToken::SelectionReference(token)
ConditionToken::SelectionReference(token.to_string())
}
}
}
Expand All @@ -130,7 +130,7 @@ impl ConditionCompiler {
let captured = self::RE_PIPE.captures(condition_str.as_str());
let replaced_condition = if let Some(cap) = captured {
let captured = cap.get(0).unwrap().as_str();
condition_str.replacen(captured, "", 1)
condition_str.replace(captured, "")
} else {
condition_str.to_string()
};
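Review bot: `condition_str.replace(captured, "")` on the new line removes every occurrence of the captured text from `condition_str`, not just the span `RE_PIPE` matched; the line it replaces used `replacen(captured, "", 1)`, which removed only the first occurrence, so this widens what gets stripped whenever the captured text also appears earlier in the string (whether that can happen depends on `RE_PIPE`, which is not visible here). The match already carries its offsets, so the exact span can be cut without a second search: `let m = cap.get(0).unwrap();` and `format!("{}{}", &condition_str[..m.start()], &condition_str[m.end()..])`. The enclosing function starts above this hunk and continues below it.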
Expand Down Expand Up @@ -191,28 +191,28 @@ impl ConditionCompiler {

/// 字句解析を行う
fn tokenize(&self, condition_str: &str) -> Result<Vec<ConditionToken>, String> {
let mut cur_condition_str = condition_str.to_string();
let mut cur_condition_str = condition_str;

let mut tokens = Vec::new();
while !cur_condition_str.is_empty() {
let captured = self::CONDITION_REGEXMAP.iter().find_map(|regex| {
return regex.captures(cur_condition_str.as_str());
return regex.captures(cur_condition_str);
});
if captured.is_none() {
// トークンにマッチしないのはありえないという方針でパースしています。
return Result::Err("An unusable character was found.".to_string());
}

let mached_str = captured.unwrap().get(0).unwrap().as_str();
let token = ConditionToken::to_condition_token(mached_str.to_string());
let matched_str = captured.unwrap().get(0).unwrap().as_str();
let token = ConditionToken::to_condition_token(matched_str);
if let ConditionToken::Space = token {
// 空白は特に意味ないので、読み飛ばす。
cur_condition_str = cur_condition_str.replacen(mached_str, "", 1);
cur_condition_str = &cur_condition_str[matched_str.len()..];
continue;
}

tokens.push(token);
cur_condition_str = cur_condition_str.replacen(mached_str, "", 1);
cur_condition_str = &cur_condition_str[matched_str.len()..];
}

Result::Ok(tokens)