test: add allowlist/regexes rule test files

src/detections/rule/matchers.rs

@@ -1106,8 +1106,8 @@ mod tests {
                     - ホスト アプリケーション
                 ImagePath:
                     min_length: 1234321
-                    regexes: rules/config/regex/detectlist_suspicous_services.txt
-                    allowlist: rules/config/regex/allowlist_legitimate_services.txt
+                    regexes: test_files/config/regex/detectlist_suspicous_services.txt
+                    allowlist: test_files/config/regex/allowlist_legitimate_services.txt
         falsepositives:
             - unknown
         level: medium
@@ -1588,7 +1588,7 @@ mod tests {
             selection:
                 EventID: 4103
                 Channel:
-                    - allowlist: rules/config/regex/allowlist_legitimate_services.txt
+                    - allowlist: test_files/config/regex/allowlist_legitimate_services.txt
         details: 'command=%CommandLine%'
         "#;
 
@@ -1612,7 +1612,7 @@ mod tests {
             selection:
                 EventID: 4103
                 Channel:
-                    - allowlist: rules/config/regex/allowlist_legitimate_services.txt
+                    - allowlist: test_files/config/regex/allowlist_legitimate_services.txt
         details: 'command=%CommandLine%'
         "#;
 
@@ -1636,7 +1636,7 @@ mod tests {
             selection:
                 EventID: 4103
                 Channel:
-                    - allowlist: rules/config/regex/allowlist_legitimate_services.txt
+                    - allowlist: test_files/config/regex/allowlist_legitimate_services.txt
         details: 'command=%CommandLine%'
         "#;
 

src/detections/utils.rs

@@ -897,7 +897,7 @@ mod tests {
     #[test]
     fn test_check_regex() {
         let regexes: Vec<Regex> =
-            utils::read_txt("rules/config/regex/detectlist_suspicous_services.txt")
+            utils::read_txt("test_files/config/regex/detectlist_suspicous_services.txt")
                 .unwrap()
                 .iter()
                 .map(|regex_str| Regex::new(regex_str).unwrap())
@@ -913,7 +913,7 @@ mod tests {
     fn test_check_allowlist() {
         let commandline = "\"C:\\Program Files\\Google\\Update\\GoogleUpdate.exe\"";
         let allowlist: Vec<Regex> =
-            utils::read_txt("rules/config/regex/allowlist_legitimate_services.txt")
+            utils::read_txt("test_files/config/regex/allowlist_legitimate_services.txt")
                 .unwrap()
                 .iter()
                 .map(|allow_str| Regex::new(allow_str).unwrap())

test_files/config/regex/allowlist_legitimate_services.txt

@@ -0,0 +1,2 @@
+^"C:\\Program Files\\Google\\Chrome\\Application\\chrome\.exe"
+^"C:\\Program Files\\Google\\Update\\GoogleUpdate\.exe"

test_files/config/regex/detectlist_suspicous_services.txt

@@ -0,0 +1,16 @@
+^cmd.exe /c echo [a-z]{6} > \\\\.\\pipe\\[a-z]{6}$
+powershell.*FromBase64String.*IO.Compression.GzipStream
+DownloadString\(.http
+.*(?i)mimikatz.*
+.*(?i)mimidvr.*
+Invoke-Mimikatz.ps
+PowerSploit.*ps1
+[a-zA-Z0-9/+=]{500}
+.*(?i)powershell.*
+.*(?i)cmd.*
+\\csc\.exe
+\\csc\.exe.*\\Appdata\\Local\\Temp\\[a-z0-9]{8}\.cmdline
+\\cvtres\.exe.*
+\\cvtres\.exe.*\\AppData\\Local\\Temp\\[A-Z0-9]{7}\.tmp
+^[a-zA-Z]{22}$
+^[a-zA-Z]{16}$