feat: Support 1 of selection* and all of selection*

[fukusuket]

What Changed

• Fixed Enhancement: support 1 of selection* and all of selection* #956
• Added rule conditions: block conversion process internally with the following specifications before rule compilation/tokenize
  • 1 of selection* -> (select1 or select2 or select3)
  • all of selection* -> (select1 and select2 and select3)

Evidence

Environment

• OS: macOS montery version 13.1
• Hard: Macbook Air(M1, 2020) , Memory 8GB, Core 8

Test1

Detection count
of rule which has 1 of selection_* is the same before/after.

• main: ./hayabusa-2.2.2 -d ... -r hayabusa-rules/win_security_pass_the_hash_2.yml
• This PR: ./hayabusa-new -d ... -r Sigma/win_security_pass_the_hash_2.yml

The result of the above two commands is as follows

Total | Unique medium detections: 48 (100.00%) | 1 (100.00%)
...
│ Top medium alerts:              Top low alerts:  │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Pass the Hash Activity 2 (48)

Test2

Detection count
of rule which has 1 of filter_* and all of suspicious2* is the same before/after.

• main: ./hayabusa-2.2.2 -d ... -r hayabusa-rules/win_system_susp_service_installation.yml
• This PR: ./hayabusa-new -d ... -r Sigma/win_system_susp_service_installation.yml

The result of the above two commands is as follows

Total | Unique high detections: 12 (100.00%) | 1 (100.00%)
...
│ Top critical alerts:        Top high alerts:                     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ n/a                         Suspicious Service Installation (12)

Benchmark1

Data: evtx-baseline v0.7
Command: ./hayabusa csv-timeline -d ./all-evtx -o out.csv --debug

Version	Elapsed time	Memory(peak)	Events with hits / Total events	Output file size(bytes)
main	00:06:38.867	3.8 GiB	1,594,761 / 4,817,181	575641441
This PR	00:06:40.312	3.8 GiB	1,594,761 / 4,817,181	575641441

Benchmark2

Data: hayabusa-sample-evtx
Command: ./hayabusa csv-timeline -d ./all-evtx -o out.csv --debug

Version	Elapsed time	Memory(peak)	Events with hits / Total events	Output file size(bytes)
main	00:00:06.862	1.0 GiB	19,616 / 47,465	16181402
This PR	00:00:06.878	1.0 GiB	19,616 / 47,465	16181402

I would appreciate it if you could review🙏

[hitenkoku]

Thanks for your pull request.
LGTM

[YamatoSecurity]

LGTM! Thank you so much!

[codecov]

Codecov Report

Patch coverage: 100.00% and project coverage change: +0.35 🎉

Comparison is base (f6c68e7) 74.72% compared to head (346dd5a) 75.08%.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #957      +/-   ##
==========================================
+ Coverage   74.72%   75.08%   +0.35%     
==========================================
  Files          24       24              
  Lines       16388    16624     +236     
==========================================
+ Hits        12246    12482     +236     
  Misses       4142     4142              

Impacted Files	Coverage Δ
src/detections/rule/condition_parser.rs	96.96% <100.00%> (+0.58%)	⬆️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report in Codecov by Sentry.
📢 Do you have feedback about the report comment? Let us know in this issue.