WIP(config): added include-category and exclude-category option and r…

…eorder option #1119
Yamato-Security · Jul 3, 2023 · 1888062 · 1888062
1 parent c41b6e8
commit 1888062
Showing 1 changed file with 22 additions and 2 deletions.
diff --git a/src/detections/configs.rs b/src/detections/configs.rs
@@ -896,7 +896,7 @@ pub struct PivotKeywordOption {
     pub enable_unsupported_rules: bool,
 
     /// Ignore rules according to status (ex: experimental) (ex: stable,test)
-    #[arg(help_heading = Some("Filtering"), long = "exclude-status", value_name = "STATUS", use_value_delimiter = true, value_delimiter = ',', display_order = 314)]
+    #[arg(help_heading = Some("Filtering"), long = "exclude-status", value_name = "STATUS", use_value_delimiter = true, value_delimiter = ',', display_order = 315)]
     pub exclude_status: Option<Vec<String>>,
 
     /// Minimum level for rules (default: informational)
@@ -1014,13 +1014,21 @@ pub struct OutputOption {
     pub enable_unsupported_rules: bool,
 
     /// Ignore rules according to status (ex: experimental) (ex: stable,test)
-    #[arg(help_heading = Some("Filtering"), long = "exclude-status", value_name = "STATUS", use_value_delimiter = true, value_delimiter = ',', display_order = 314)]
+    #[arg(help_heading = Some("Filtering"), long = "exclude-status", value_name = "STATUS", use_value_delimiter = true, value_delimiter = ',', display_order = 315)]
     pub exclude_status: Option<Vec<String>>,
 
     /// Only load rules with specific tags (ex: attack.execution,attack.discovery)
     #[arg(help_heading = Some("Filtering"), long = "tags", value_name = "TAGS", use_value_delimiter = true, value_delimiter = ',', display_order = 460)]
     pub tags: Option<Vec<String>>,
 
+    /// Only load rules with certain logsource categories (ex: process_creation,pipe_created)
+    #[arg(help_heading = Some("Filtering"), long = "include-category", value_name = "CATEGORY", conflicts_with = "exclude-category", use_value_delimiter = true, value_delimiter = ',', display_order = 351)]
+    pub include_category: Option<Vec<String>>,
+
+    /// Do not load rules with certain logsource categories (ex: process_creation,pipe_created)
+    #[arg(help_heading = Some("Filtering"), long = "exclude-category", value_name = "CATEGORY", conflicts_with = "include_category",use_value_delimiter = true, value_delimiter = ',', display_order = 314)]
+    pub exclude_category: Option<Vec<String>>,
+
     /// Minimum level for rules (default: informational)
     #[arg(
         help_heading = Some("Filtering"),
@@ -1544,6 +1552,8 @@ fn extract_output_options(config: &Config) -> Option<OutputOption> {
             enable_unsupported_rules: option.enable_unsupported_rules,
             clobber: false,
             tags: None,
+            include_category: None,
+            exclude_category: None,
         }),
         Action::Metrics(option) => Some(OutputOption {
             input_args: option.input_args.clone(),
@@ -1572,6 +1582,8 @@ fn extract_output_options(config: &Config) -> Option<OutputOption> {
             enable_unsupported_rules: false,
             clobber: option.clobber,
             tags: None,
+            include_category: None,
+            exclude_category: None,
         }),
         Action::LogonSummary(option) => Some(OutputOption {
             input_args: option.input_args.clone(),
@@ -1600,6 +1612,8 @@ fn extract_output_options(config: &Config) -> Option<OutputOption> {
             enable_unsupported_rules: false,
             clobber: option.clobber,
             tags: None,
+            include_category: None,
+            exclude_category: None,
         }),
         Action::Search(option) => Some(OutputOption {
             input_args: option.input_args.clone(),
@@ -1635,6 +1649,8 @@ fn extract_output_options(config: &Config) -> Option<OutputOption> {
             enable_unsupported_rules: false,
             clobber: option.clobber,
             tags: None,
+            include_category: None,
+            exclude_category: None,
         }),
         Action::SetDefaultProfile(option) => Some(OutputOption {
             input_args: InputOption {
@@ -1674,6 +1690,8 @@ fn extract_output_options(config: &Config) -> Option<OutputOption> {
             enable_unsupported_rules: false,
             clobber: false,
             tags: None,
+            include_category: None,
+            exclude_category: None,
         }),
         Action::UpdateRules(option) => Some(OutputOption {
             input_args: InputOption {
@@ -1713,6 +1731,8 @@ fn extract_output_options(config: &Config) -> Option<OutputOption> {
             enable_unsupported_rules: true,
             clobber: false,
             tags: None,
+            include_category: None,
+            exclude_category: None,
         }),
         _ => None,
     }