fix(afterfact): added details key is none case #1145
style: cargo fmt

WIP:

fix(afterfact/detection/message): fixed misprocessing of details field in JSON output #1145
hitenkoku committed Sep 13, 2023
1 parent b44109c commit 7de9af7
Showing 4 changed files with 79 additions and 17 deletions.
63 changes: 57 additions & 6 deletions src/afterfact.rs
Expand Up @@ -411,6 +411,7 @@ fn emit_csv<W: std::io::Write>(
jsonl_output_flag,
GEOIP_DB_PARSER.read().unwrap().is_some(),
remove_duplicate_data_flag,
detect_info.is_condition,
&[&detect_info.details_convert_map, &prev_details_convert_map],
);
prev_message = result.1;
Expand All @@ -425,6 +426,7 @@ fn emit_csv<W: std::io::Write>(
jsonl_output_flag,
GEOIP_DB_PARSER.read().unwrap().is_some(),
remove_duplicate_data_flag,
detect_info.is_condition,
&[&detect_info.details_convert_map, &prev_details_convert_map],
);
prev_message = result.1;
Expand Down Expand Up @@ -1431,6 +1433,7 @@ pub fn output_json_str(
jsonl_output_flag: bool,
is_included_geo_ip: bool,
remove_duplicate_flag: bool,
is_condition: bool,
details_infos: &[&HashMap<CompactString, Vec<CompactString>>],
) -> (String, HashMap<CompactString, Profile>) {
let mut target: Vec<String> = vec![];
Expand Down Expand Up @@ -1538,23 +1541,71 @@ pub fn output_json_str(
}
Profile::Details(_) | Profile::AllFieldInfo(_) | Profile::ExtraFieldInfo(_) => {
let mut output_stock: Vec<String> = vec![];
output_stock.push(format!(" \"{key}\": {{"));
let details_key = match profile {
Profile::Details(_) => "Details",
Profile::AllFieldInfo(_) => "AllFieldInfo",
Profile::ExtraFieldInfo(_) => "ExtraFieldInfo",
_ => "",
};
// 個々の段階でDetails, AllFieldInfo, ExtraFieldInfoの要素はdetails_infosに格納されているのでunwrapする
let details_stocks = details_infos[0]
let mut details_target_stocks = vec![];
for details_info in details_infos {
let details_target_stock =
details_info.get(&CompactString::from(format!("#{details_key}")));
if let Some(tmp_stock) = details_target_stock {
details_target_stocks.extend(tmp_stock);
}
}

if details_infos[0]
.get(&CompactString::from(format!("#{details_key}")))
.unwrap();
for (idx, contents) in details_stocks.iter().enumerate() {
.is_none()
{
continue;
}
// aggregation conditionの場合は分解せずにそのまま出力する
if is_condition && details_key == "Details" {
if details_target_stocks.is_empty() {
output_stock.push(format!(
"{}",
_create_json_output_format(
&key,
"-",
key.starts_with('\"'),
false,
4
)
));
} else {
let joined_details_target_stock =
details_target_stocks.iter().join(" ");
let output_str_details_target_stock =
joined_details_target_stock.trim();
output_stock.push(format!(
"{}",
_create_json_output_format(
&key,
output_str_details_target_stock,
key.starts_with('\"'),
output_str_details_target_stock.starts_with('\"'),
4
)
));
}
if jsonl_output_flag {
target.push(output_stock.join(""));
} else {
target.push(output_stock.join("\n"));
}
continue;
} else {
output_stock.push(format!(" \"{key}\": {{"));
};
for (idx, contents) in details_target_stocks.iter().enumerate() {
let (key, value) = contents.split_once(": ").unwrap_or_default();
let output_key = _convert_valid_json_str(&[key], false);
let fmted_val = _convert_valid_json_str(&[value], false);

if idx != details_stocks.len() - 1 {
if idx != details_target_stocks.len() - 1 {
output_stock.push(format!(
"{},",
_create_json_output_format(
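Review bot: The two arms of `if details_target_stocks.is_empty()` inside the `if is_condition && details_key == "Details"` branch differ only in the value and the is-value-quoted flag, and both wrap the call in `format!("{}", …)`, which clippy's useless_format flags; computing the value once and making a single call removes the duplication. The empty arm passes `false` for that flag and `"-".starts_with('\"')` is also `false`, so the collapsed form below is behaviour-identical. Unlike the per-field loop after it (`let fmted_val = _convert_valid_json_str(&[value], false);`), the aggregated value is handed to `_create_json_output_format` without going through `_convert_valid_json_str`; if that helper does not escape embedded quotes and newlines, a Details string assembled from record content could yield an unparseable JSON/JSONL line, so either confirm the helper escapes or route the value through `_convert_valid_json_str` as the loop does. The return type of `_create_json_output_format` is not visible here; if it is already a `String`, drop the `.to_string()` below. output_json_str begins and ends outside the hunk.
```rust
// aggregation conditionの場合は分解せずにそのまま出力する
if is_condition && details_key == "Details" {
    let joined_details_target_stock = details_target_stocks.iter().join(" ");
    let value = if details_target_stocks.is_empty() {
        "-"
    } else {
        joined_details_target_stock.trim()
    };
    output_stock.push(
        _create_json_output_format(&key, value, key.starts_with('\"'), value.starts_with('\"'), 4)
            .to_string(),
    );
    // … unchanged: push output_stock into target (jsonl vs. multi-line) and continue …
}
```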
2 changes: 1 addition & 1 deletion src/detections/detection.rs
Expand Up @@ -1150,7 +1150,7 @@ impl Detection {
for alias in target_alias {
let (search_data, _) = message::parse_message(
record,
CompactString::from(alias),
&CompactString::from(alias),
eventkey_alias,
is_csv_output,
&FieldDataMapKey::default(),
30 changes: 20 additions & 10 deletions src/detections/message.rs
Expand Up @@ -129,7 +129,7 @@ pub fn insert(
//ここの段階でdetailsの内容でaliasを置き換えた内容と各種、key,valueの組み合わせのmapを取得する
let (removed_sp_parsed_detail, details_in_record) = parse_message(
event_record,
output,
&output,
eventkey_alias,
is_json_timeline,
field_data_map_key,
Expand Down Expand Up @@ -186,6 +186,16 @@ pub fn insert(
"#Details".into(),
detect_info.detail.split(" ¦ ").map(|x| x.into()).collect(),
);
if is_agg {
if output != "-" {
record_details_info_map.insert("#Details".into(), vec![output.clone()]);
} else if detect_info.detail != "-" {
record_details_info_map
.insert("#Details".into(), vec![detect_info.detail.clone()]);
} else {
record_details_info_map.insert("#Details".into(), vec!["-".into()]);
}
}
// メモリの節約のためにDetailsの中身を空にする
detect_info.detail = CompactString::default();
}
Expand Down Expand Up @@ -285,7 +295,7 @@ pub fn insert(
if let Some(p) = profile_converter.get(key.as_str()) {
let (parsed_message, _) = &parse_message(
event_record,
CompactString::new(p.to_value()),
&CompactString::new(p.to_value()),
eventkey_alias,
is_json_timeline,
field_data_map_key,
Expand All @@ -304,7 +314,7 @@ pub fn insert(
/// メッセージ内の%で囲まれた箇所をエイリアスとしてレコード情報を参照して置き換える関数
pub fn parse_message(
event_record: &Value,
output: CompactString,
output: &CompactString,
eventkey_alias: &EventKeyAliasConfig,
json_timeline_flag: bool,
field_data_map_key: &FieldDataMapKey,
Expand Down Expand Up @@ -520,7 +530,7 @@ mod tests {
assert_eq!(
parse_message(
&event_record,
CompactString::new("commandline:%CommandLine% computername:%ComputerName%"),
&CompactString::new("commandline:%CommandLine% computername:%ComputerName%"),
&load_eventkey_alias(
utils::check_setting_path(
&CURRENT_EXE_PATH.to_path_buf(),
Expand Down Expand Up @@ -557,7 +567,7 @@ mod tests {
assert_eq!(
parse_message(
&event_record,
CompactString::new("alias:%NoAlias%"),
&CompactString::new("alias:%NoAlias%"),
&load_eventkey_alias(
utils::check_setting_path(
&CURRENT_EXE_PATH.to_path_buf(),
Expand Down Expand Up @@ -600,7 +610,7 @@ mod tests {
assert_eq!(
parse_message(
&event_record,
CompactString::new("NoExistAlias:%NoAliasNoHit%"),
&CompactString::new("NoExistAlias:%NoAliasNoHit%"),
&load_eventkey_alias(
utils::check_setting_path(
&CURRENT_EXE_PATH.to_path_buf(),
Expand Down Expand Up @@ -642,7 +652,7 @@ mod tests {
assert_eq!(
parse_message(
&event_record,
CompactString::new("commandline:%CommandLine% computername:%ComputerName%"),
&CompactString::new("commandline:%CommandLine% computername:%ComputerName%"),
&load_eventkey_alias(
utils::check_setting_path(
&CURRENT_EXE_PATH.to_path_buf(),
Expand Down Expand Up @@ -689,7 +699,7 @@ mod tests {
assert_eq!(
parse_message(
&event_record,
CompactString::new("commandline:%CommandLine% data:%Data%"),
&CompactString::new("commandline:%CommandLine% data:%Data%"),
&load_eventkey_alias(
utils::check_setting_path(
&CURRENT_EXE_PATH.to_path_buf(),
Expand Down Expand Up @@ -736,7 +746,7 @@ mod tests {
assert_eq!(
parse_message(
&event_record,
CompactString::new("commandline:%CommandLine% data:%Data[2]%"),
&CompactString::new("commandline:%CommandLine% data:%Data[2]%"),
&load_eventkey_alias(
utils::check_setting_path(
&CURRENT_EXE_PATH.to_path_buf(),
Expand Down Expand Up @@ -783,7 +793,7 @@ mod tests {
assert_eq!(
parse_message(
&event_record,
CompactString::new("commandline:%CommandLine% data:%Data[0]%"),
&CompactString::new("commandline:%CommandLine% data:%Data[0]%"),
&load_eventkey_alias(
utils::check_setting_path(
&CURRENT_EXE_PATH.to_path_buf(),
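Review bot: The `if is_agg` block (from `if output != "-"` through `vec!["-".into()]`) writes `#Details` through three separate `insert` calls, and it runs right after the preceding `insert` of the split `detect_info.detail`, so in the aggregation case that split-and-collect is computed only to be overwritten; selecting the value as one `if`/`else if`/`else` expression and inserting once reads more clearly and makes the precedence (rendered output, then raw detail, then `"-"`) explicit. The preceding `insert` call begins outside the hunk, so guarding it with an `else` would need the enclosing lines. In the `parse_message` signature hunk, `output: &CompactString` could be `output: &str` (CompactString derefs to `str`), which would let the callers and the tests further down pass string slices without constructing a CompactString — assuming the body only reads `output`, which is not visible here.
```rust
if is_agg {
    // precedence: rendered output, then the raw detail, then the "-" placeholder
    let agg_details = if output != "-" {
        output.clone()
    } else if detect_info.detail != "-" {
        detect_info.detail.clone()
    } else {
        "-".into()
    };
    record_details_info_map.insert("#Details".into(), vec![agg_details]);
}
```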
1 change: 1 addition & 0 deletions src/timeline/search.rs
Expand Up @@ -465,6 +465,7 @@ pub fn search_result_dsp_msg(
jsonl_output,
false,
false,
false,
&[&HashMap::default(), &HashMap::default()],
);

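Review bot: The added `false` is the fourth consecutive bare boolean passed to output_json_str, and nothing at the call site says which one is the new is_condition parameter; a trailing comment on each, e.g. `false, // is_condition`, would keep the positional arguments readable as the signature grows. The call in search_result_dsp_msg begins outside the hunk.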
