Merge branch 'main' into add-support-correlation-rule-name-lookup

Yamato-Security · Jun 15, 2024 · 1c37fed · 1c37fed
2 parents 13f4db8 + f0e9b7b
commit 1c37fed
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 35 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -12,7 +12,7 @@ aho-corasick = "*"
 base64 = "*"
 bytesize = "1.*"
 chrono = "0.4.*"
-cidr-utils = "0.5.*"
+cidr-utils = "0.6.*"
 clap = { version = "4.*", features = ["derive", "cargo", "color"]}
 comfy-table = "7.*"
 compact_str = "0.7.*"

diff --git a/src/detections/rule/matchers.rs b/src/detections/rule/matchers.rs
@@ -1,5 +1,6 @@
 use base64::{engine::general_purpose, Engine as _};
-use cidr_utils::cidr::{IpCidr, IpCidrError};
+use cidr_utils::cidr::errors::NetworkParseError;
+use cidr_utils::cidr::IpCidr;
 use nested::Nested;
 use regex::Regex;
 use std::net::IpAddr;
@@ -568,7 +569,7 @@ impl LeafMatcher for DefaultMatcher {
  let event_value_str = event_value.unwrap_or(&val);
  let event_ip = IpAddr::from_str(event_value_str);
  match event_ip {
- Ok(target_ip) => Some(matcher_ip.contains(target_ip)),
+ Ok(target_ip) => Some(matcher_ip.contains(&target_ip)),
  Err(_) => Some(false), //IPアドレス以外の形式のとき
  }
  }
@@ -648,7 +649,7 @@ enum PipeElement {
  Endswithfield(String),
  Base64offset,
  Windash,
- Cidr(Result<IpCidr, IpCidrError>),
+ Cidr(Result<IpCidr, NetworkParseError>),
  All,
  AllOnly,
 }

diff --git a/src/options/geoip_search.rs b/src/options/geoip_search.rs
@@ -60,24 +60,7 @@ impl GeoIPSearch {
  let private_cidr = if target_ip.is_ipv4() {
  vec![
  IpCidr::from_str("10/8").unwrap(),
- // 172.16.0.0/12 private IP address is not defined "172.16/12"
- IpCidr::from_str("172.16").unwrap(),
- IpCidr::from_str("172.17").unwrap(),
- IpCidr::from_str("172.18").unwrap(),
- IpCidr::from_str("172.19").unwrap(),
- IpCidr::from_str("172.20").unwrap(),
- IpCidr::from_str("172.20").unwrap(),
- IpCidr::from_str("172.21").unwrap(),
- IpCidr::from_str("172.22").unwrap(),
- IpCidr::from_str("172.23").unwrap(),
- IpCidr::from_str("172.24").unwrap(),
- IpCidr::from_str("172.25").unwrap(),
- IpCidr::from_str("172.26").unwrap(),
- IpCidr::from_str("172.27").unwrap(),
- IpCidr::from_str("172.28").unwrap(),
- IpCidr::from_str("172.29").unwrap(),
- IpCidr::from_str("172.30").unwrap(),
- IpCidr::from_str("172.31").unwrap(),
+ IpCidr::from_str("172.16/12").unwrap(),
  IpCidr::from_str("192.168/16").unwrap(),
  ]
  } else {
@@ -86,12 +69,12 @@ impl GeoIPSearch {
  IpCidr::from_str("2000::/3").unwrap(), // IPv6 Global Unicast
  IpCidr::from_str("FE80::/10").unwrap(), // IPv6 Link Local Unicast
  IpCidr::from_str("FC00::/7").unwrap(), // IPv6 Unique Local Address
- IpCidr::from_str("FD00::/7").unwrap(), // IPv6 Unique Local Address
+ IpCidr::from_str("FD00::/8").unwrap(), // IPv6 Unique Local Address
  IpCidr::from_str("FF00::/8").unwrap(), // IPv6 Multicast Address
  ]
  };
  for cidr in private_cidr {
- if cidr.contains(*target_ip) {
+ if cidr.contains(target_ip) {
  return true;
  }
  }