From 476b5f9f5c80fd989ba630df7f04c7f73295d8c9 Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Sun, 22 Dec 2024 10:07:22 +0900
Subject: [PATCH] fix: change correlation type when ref rule is correlation

---
 src/detections/detection.rs               | 15 +++++----------
 src/detections/rule/correlation_parser.rs |  5 ++---
 2 files changed, 7 insertions(+), 13 deletions(-)

diff --git a/src/detections/detection.rs b/src/detections/detection.rs
index 601a58fac..4c6801856 100644
--- a/src/detections/detection.rs
+++ b/src/detections/detection.rs
@@ -248,20 +248,15 @@ impl Detection {
                 continue;
             }
             for value in rule.judge_satisfy_aggcondition(stored_static) {
-                if let CorrelationType::TemporalRef(_, uuid) = &rule.correlation_type {
+                let mut output = false;
+                if let CorrelationType::TemporalRef(generate, uuid) = &rule.correlation_type {
                     detected_temporal_refs
                         .entry(uuid.clone())
                         .or_insert_with(Vec::new)
                         .push(value.clone());
-                } else {
-                    if CorrelationType::ValueCount == rule.correlation_type
-                        || CorrelationType::EventCount == rule.correlation_type
-                    {
-                        detected_temporal_refs
-                            .entry(rule.yaml["name"].as_str().unwrap_or_default().to_string())
-                            .or_insert_with(Vec::new)
-                            .push(value.clone());
-                    }
+                    output = *generate;
+                }
+                if output {
                     ret.push(Detection::create_agg_log_record(rule, value, stored_static));
                 }
             }
diff --git a/src/detections/rule/correlation_parser.rs b/src/detections/rule/correlation_parser.rs
index abaab8c0a..0e1ba2fa8 100644
--- a/src/detections/rule/correlation_parser.rs
+++ b/src/detections/rule/correlation_parser.rs
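Review bot: With `let mut output = false;` every rule whose `correlation_type` is not `TemporalRef` — including plain `CorrelationType::None` aggregation rules and un-referenced `EventCount`/`ValueCount` rules — now produces no record from this loop, whereas the removed `else` branch always pushed them to `ret`; unless the `continue` above the hunk already filters those rules out, that is a silent loss of detections. Initializing with `let mut output = true;` keeps the old behaviour for non-`TemporalRef` rules while `output = *generate;` still suppresses referenced rules declared with `generate: false`. Dropping the name-keyed insertion into `detected_temporal_refs` looks safe only because the companion hunk in correlation_parser.rs rewrites referenced correlation rules to `TemporalRef`, so their results are keyed by `ref_id`; a comment such as `// referenced correlation rules are rewritten to TemporalRef by parse_temporal_rules, so their results are keyed by ref id here` would record that dependency. The enclosing method of `impl Detection` starts and ends outside the hunk.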
@@ -354,10 +354,9 @@ fn parse_temporal_rules(
             .unwrap_or_default();
         let mut new_yaml = other_rule.yaml.clone();
         if other_rule.correlation_type != CorrelationType::None {
+            other_rule.correlation_type =
+                CorrelationType::TemporalRef(generate, ref_id.to_string());
             temporal_ref_ids.push(Yaml::String(ref_id.to_string()));
-            if !generate {
-                referenced_del_ids.insert(ref_id.to_string());
-            }
             continue;
         }
         let new_id = Uuid::new_v4().to_string();
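Review bot: Assigning `CorrelationType::TemporalRef(generate, ref_id.to_string())` to `other_rule` and then `continue`-ing overwrites the rule's type in place, so a correlation rule referenced by more than one temporal rule ends up tagged with only the last `ref_id` and last `generate` flag, and the earlier temporal rule would no longer find its results under its own id (the non-correlation path below avoids this by cloning the yaml into a new rule with `new_id`). If `other_rule` is instead a per-reference clone rather than a mutable borrow of the stored rule, the assignment is discarded on `continue` — hard to tell from the hunk. Either way a comment at the assignment, e.g. `// a referenced correlation rule is not duplicated; its results are routed to the temporal rule via this ref id and emitted only when generate is true`, would make the intent explicit, and with the `referenced_del_ids` insertion removed, suppression of `generate: false` results now relies entirely on the detection-side check. `parse_temporal_rules` starts and ends outside the hunk.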