diff --git a/src/main.rs b/src/main.rs index eb9522b77..69bc3a2de 100644 --- a/src/main.rs +++ b/src/main.rs @@ -3271,4 +3271,51 @@ mod tests { assert_eq!(actual.1, 2); assert_eq!(actual.4.len(), 0); } + + #[test] + fn test_analysis_json_file_low_memory_mode() { + let mut app = App::new(None); + let mut stored_static = create_dummy_stored_static(); + *STORED_EKEY_ALIAS.write().unwrap() = Some(stored_static.eventkey_alias.clone()); + stored_static.include_eid = HashSet::from_iter(vec!["10".into()]); + stored_static.is_low_memory = true; + *STORED_STATIC.write().unwrap() = Some(stored_static.clone()); + + let rule_str = r#" + enabled: true + detection: + selection1: + Channel: 'Microsoft-Windows-Sysmon/Operational' + condition: selection1 + details: testdata + "#; + let mut rule_yaml = YamlLoader::load_from_str(rule_str).unwrap().into_iter(); + let test_yaml_data = rule_yaml.next().unwrap(); + let mut rule = create_rule("testpath".to_string(), test_yaml_data); + let rule_init = rule.init(&stored_static); + assert!(rule_init.is_ok()); + let rule_files = vec![rule]; + app.rule_keys = app.get_all_keys(&rule_files); + let detection = detection::Detection::new(rule_files); + let target_time_filter = TargetEventTime::new(&stored_static); + let tl = Timeline::default(); + let target_event_ids = TargetIds::default(); + let mut afterfact_info = AfterfactInfo::default(); + let mut afterfact_writer = afterfact::init_writer(&stored_static); + + let actual = app.analysis_json_file( + ( + Path::new("test_files/evtx/test.jsonl").to_path_buf(), + &target_time_filter, + &target_event_ids, + &stored_static, + ), + detection, + tl, + &mut afterfact_writer, + &mut afterfact_info, + ); + assert_eq!(actual.1, 2); + assert_eq!(actual.4.len(), 0); + } }