
fix: change correlation type when ref rule is correlation
fukusuket committed Dec 22, 2024
1 parent d6e2219 commit 476b5f9
Showing 2 changed files with 7 additions and 13 deletions.
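--- a/src/detections/detection.rs
+++ b/src/detections/detection.rs
@@ -248,20 +248,15 @@ impl Detection {
 continue;
 }
 for value in rule.judge_satisfy_aggcondition(stored_static) {
-if let CorrelationType::TemporalRef(_, uuid) = &rule.correlation_type {
+let mut output = false;
+if let CorrelationType::TemporalRef(generate, uuid) = &rule.correlation_type {
 detected_temporal_refs
 .entry(uuid.clone())
 .or_insert_with(Vec::new)
 .push(value.clone());
-} else {
-if CorrelationType::ValueCount == rule.correlation_type
-|| CorrelationType::EventCount == rule.correlation_type
-{
-detected_temporal_refs
-.entry(rule.yaml["name"].as_str().unwrap_or_default().to_string())
-.or_insert_with(Vec::new)
-.push(value.clone());
-}
+output = *generate;
+}
+if output {
 ret.push(Detection::create_agg_log_record(rule, value, stored_static));
 }
 }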
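Review bot: With `let mut output = false;` at the top of the loop body, any rule whose correlation_type is not `TemporalRef` now produces no record at all: the removed `else` branch pushed to `ret` unconditionally for those rules, while the new code only assigns `output` inside the `if let`. Unless the `continue` guard above the hunk already keeps every non-TemporalRef rule from reaching this loop (I cannot see it), plain aggregation rules and standalone `ValueCount`/`EventCount` correlations are silently dropped from the output. The minimal fix is `let mut output = true;`, so that only referenced rules carrying `generate: false` are suppressed. Clippy would also prefer `.or_default()` over `.or_insert_with(Vec::new)` on the entry call. The enclosing loop and the `impl Detection` method start outside the hunk.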
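--- a/src/detections/rule/correlation_parser.rs
+++ b/src/detections/rule/correlation_parser.rs
@@ -354,10 +354,9 @@ fn parse_temporal_rules(
 .unwrap_or_default();
 let mut new_yaml = other_rule.yaml.clone();
 if other_rule.correlation_type != CorrelationType::None {
+other_rule.correlation_type =
+CorrelationType::TemporalRef(generate, ref_id.to_string());
 temporal_ref_ids.push(Yaml::String(ref_id.to_string()));
-if !generate {
-referenced_del_ids.insert(ref_id.to_string());
-}
 continue;
 }
 let new_id = Uuid::new_v4().to_string();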
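Review bot: The assignment `other_rule.correlation_type = CorrelationType::TemporalRef(generate, ref_id.to_string());` unconditionally overwrites whatever correlation type the referenced rule already had, so if the same correlation rule is referenced by more than one temporal rule (or this function visits it twice) only the last `ref_id`/`generate` pair survives and the earlier reference silently loses its results. Consider guarding with `if let CorrelationType::TemporalRef(_, existing) = &other_rule.correlation_type { /* warn: already referenced by `existing` */ }` before the assignment, or at least stating the single-reference assumption in a comment such as `// a correlation rule may be referenced by at most one temporal rule; later references overwrite earlier ones`. The overwrite also discards the original `ValueCount`/`EventCount` variant; if anything downstream still distinguishes those for the referenced rule, that information now has to come from the rule's YAML instead — I cannot tell from this hunk. parse_temporal_rules begins outside the hunk.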
