From 9c999501fe0ae24c506bb4205dd0573ff2b86cda Mon Sep 17 00:00:00 2001 From: DastInDark <2350416+hitenkoku@users.noreply.github.com> Date: Wed, 5 Apr 2023 22:22:08 +0900 Subject: [PATCH] perf: replaced trim method in afterfact with process in detection --- src/afterfact.rs | 2 +- src/detections/detection.rs | 30 +++++++++++++++++------------- src/detections/message.rs | 2 +- src/detections/utils.rs | 2 +- 4 files changed, 20 insertions(+), 16 deletions(-) diff --git a/src/afterfact.rs b/src/afterfact.rs index 40bebe1ad..ba46e9ed6 100644 --- a/src/afterfact.rs +++ b/src/afterfact.rs @@ -397,7 +397,7 @@ fn emit_csv( wtr.write_record(detect_info.ext_field.iter().map(|x| { output_remover.replace_all( &output_replacer.replace_all( - x.1.to_value().trim(), + &x.1.to_value(), &output_replaced_maps.values().collect_vec(), ), &removed_replaced_maps.values().collect_vec(), diff --git a/src/detections/detection.rs b/src/detections/detection.rs index 205c02a69..80bdd6ea3 100644 --- a/src/detections/detection.rs +++ b/src/detections/detection.rs @@ -277,7 +277,8 @@ impl Detection { key.as_str(), Computer( record_info.record["Event"]["System"]["Computer"] - .to_string() + .as_str() + .unwrap_or_default() .replace('\"', "") .into(), ), @@ -303,11 +304,13 @@ impl Detection { } Level(_) => { let str_level = level.as_str(); - let prof_level = LEVEL_ABBR_MAP - .get(str_level) - .unwrap_or(&str_level) - .to_string(); - profile_converter.insert(key.as_str(), Level(prof_level.into())); + let abbr_level = LEVEL_ABBR_MAP.get(str_level).unwrap_or(&str_level); + let prof_level = if stored_static.output_path.is_none() { + abbr_level + } else { + abbr_level.trim() + }; + profile_converter.insert(key.as_str(), Level(prof_level.to_string().into())); } EventID(_) => { profile_converter.insert(key.as_str(), EventID(eid.to_string().into())); @@ -350,7 +353,7 @@ impl Detection { } MitreTactics(_) => { let tactics = CompactString::from( - &tag_info + tag_info .iter() .filter(|x| tags_config_values.contains(&&CompactString::from(*x))) .join(" ¦ "), @@ -695,12 +698,13 @@ impl Detection { } Level(_) => { let str_level = level.as_str(); - let prof_level = LEVEL_ABBR_MAP - .get(str_level) - .unwrap_or(&str_level) - .to_string(); - - profile_converter.insert(key.as_str(), Level(prof_level.into())); + let abbr_level = LEVEL_ABBR_MAP.get(str_level).unwrap_or(&str_level); + let prof_level = if stored_static.output_path.is_none() { + abbr_level + } else { + abbr_level.trim() + }; + profile_converter.insert(key.as_str(), Level(prof_level.to_string().into())); } EventID(_) => { profile_converter.insert(key.as_str(), EventID("-".into())); diff --git a/src/detections/message.rs b/src/detections/message.rs index 13371cfd7..26f89ba38 100644 --- a/src/detections/message.rs +++ b/src/detections/message.rs @@ -164,7 +164,7 @@ pub fn insert( )) } _ => { - if let Some(p) = profile_converter.get(key.to_string().as_str()) { + if let Some(p) = profile_converter.get(key.as_str()) { replaced_profiles.push(( key.to_owned(), profile.convert(&parse_message( diff --git a/src/detections/utils.rs b/src/detections/utils.rs index 4ac3eb457..02e08e27f 100644 --- a/src/detections/utils.rs +++ b/src/detections/utils.rs @@ -437,7 +437,7 @@ fn _collect_recordinfo<'a>( * 最初の文字を大文字にする関数 */ pub fn make_ascii_titlecase(s: &str) -> CompactString { - let mut c = s.chars(); + let mut c = s.trim().chars(); match c.next() { None => CompactString::default(), Some(f) => {