fix: fixed duplicate field in extrafieldinfo to powershell log #1186

Yamato-Security · Oct 12, 2023 · 2c06255 · 2c06255
1 parent c158988
commit 2c06255
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 12 deletions.
diff --git a/src/detections/message.rs b/src/detections/message.rs
@@ -127,6 +127,7 @@ pub fn insert(
     ),
 ) {
     let mut record_details_info_map = HashMap::new();
+    let mut sp_removed_details_in_record_trim_newline = vec![];
     if !is_agg {
         //ここの段階でdetailsの内容でaliasを置き換えた内容と各種、key,valueの組み合わせのmapを取得する
         let (removed_sp_parsed_detail, details_in_record) = parse_message(
@@ -140,12 +141,13 @@ pub fn insert(
 
         let mut sp_removed_details_in_record = vec![];
         details_in_record.iter().for_each(|v| {
-            sp_removed_details_in_record.push(remove_sp_char(v.clone()));
+            sp_removed_details_in_record.push(remove_sp_char(v.clone(), true));
+            sp_removed_details_in_record_trim_newline.push(remove_sp_char(v.clone(), false));
         });
         record_details_info_map.insert("#Details".into(), sp_removed_details_in_record);
         // 特殊文字の除外のためのretain処理
         // Details内にある改行文字は除外しないために絵文字を含めた特殊な文字に変換することで対応する
-        let parsed_detail = remove_sp_char(removed_sp_parsed_detail);
+        let parsed_detail = remove_sp_char(removed_sp_parsed_detail, true);
         detect_info.detail = if parsed_detail.is_empty() {
             CompactString::from("-")
         } else {
@@ -223,13 +225,10 @@ pub fn insert(
                     }
                     continue;
                 }
-                let empty = vec![];
                 let record_details_info_ref = record_details_info_map.clone();
                 let profile_all_field_info_prof = record_details_info_ref.get("#AllFieldInfo");
                 let details_splits: HashSet<&str> = HashSet::from_iter(
-                    record_details_info_ref
-                        .get("#Details")
-                        .unwrap_or(&empty)
+                    sp_removed_details_in_record_trim_newline
                         .iter()
                         .map(|x| x.split_once(": ").unwrap_or_default().1),
                 );

diff --git a/src/detections/utils.rs b/src/detections/utils.rs
@@ -403,11 +403,12 @@ pub fn create_recordinfos(
                             .strip_suffix(',')
                             .unwrap_or(&converted_str)
                             .into(),
+                        true,
                     );
                     return format!("{key}: {val}").into();
                 }
             }
-            let val = remove_sp_char(value.strip_suffix(',').unwrap_or(value).into());
+            let val = remove_sp_char(value.strip_suffix(',').unwrap_or(value).into(), true);
             format!("{key}: {val}").into()
         })
         .collect()
@@ -697,11 +698,22 @@ pub fn output_duration(d: Duration) -> String {
     format!("{h:02}:{m:02}:{s:02}.{ms:03}")
 }
 
-pub fn remove_sp_char(record_value: CompactString) -> CompactString {
-    let mut newline_replaced_cs = record_value
-        .replace('\n', "🛂n")
-        .replace('\r', "🛂r")
-        .replace('\t', "🛂t");
+pub fn remove_sp_char(record_value: CompactString, remain_newline: bool) -> CompactString {
+    let mut newline_replaced_cs: String = if remain_newline {
+        record_value
+            .replace('\n', "🛂n")
+            .replace('\r', "🛂r")
+            .replace('\t', "🛂t")
+    } else {
+        record_value.chars().fold(String::default(), |mut acc, c| {
+            if c.is_control() || c.is_ascii_whitespace() {
+                acc.push(' ');
+            } else {
+                acc.push(c);
+            };
+            acc
+        })
+    };
     let mut prev = 'a';
     newline_replaced_cs.retain(|ch| {
         let retain_flag = (prev == ' ' && ch == ' ') || ch.is_control();