Improve speed

src/afterfact.rs

@@ -101,7 +101,7 @@ pub fn set_output_color(no_color_flag: bool) -> HashMap<CompactString, Colors> {
 fn _get_output_color(color_map: &HashMap<CompactString, Colors>, level: &str) -> Option<Color> {
  let mut color = None;
  if let Some(c) = color_map.get(&CompactString::from(level.to_lowercase())) {
- color = Some(c.output_color.to_owned());
+ color = Some(c.output_color);
  }
  color
 }
@@ -112,7 +112,7 @@ fn _get_table_color(
 ) -> Option<comfy_table::Color> {
  let mut color = None;
  if let Some(c) = color_map.get(&CompactString::from(level.to_lowercase())) {
- color = Some(c.table_color.to_owned());
+ color = Some(c.table_color);
  }
  color
 }
@@ -281,7 +281,7 @@ fn emit_csv<W: std::io::Write>(
  let mut rule_title_path_map: HashMap<CompactString, CompactString> = HashMap::new();
  let mut rule_author_counter: HashMap<CompactString, i128> = HashMap::new();
 
- let levels = Vec::from(["crit", "high", "med ", "low ", "info", "undefined"]);
+ let levels = ["crit", "high", "med ", "low ", "info", "undefined"];
  // レベル別、日ごとの集計用変数の初期化
  for level_init in levels {
  detect_counts_by_date_and_level.insert(CompactString::from(level_init), HashMap::new());
@@ -291,7 +291,7 @@ fn emit_csv<W: std::io::Write>(
  if displayflag {
  println!();
  }
- let mut timestamps: Vec<i64> = Vec::new();
+ let mut timestamps: Vec<i64> = vec![0; MESSAGEKEYS.lock().unwrap().len()];
  let mut plus_header = true;
  let mut detected_record_idset: HashSet<CompactString> = HashSet::new();
 
@@ -360,7 +360,7 @@ fn emit_csv<W: std::io::Write>(
  get_writable_color(
  _get_output_color(
  &color_map,
- LEVEL_FULL.get(&detect_info.level.as_str()).unwrap_or(&""),
+ LEVEL_FULL.get(detect_info.level.as_str()).unwrap_or(&""),
  ),
  stored_static.common_options.no_color,
  ),
@@ -761,12 +761,12 @@ fn _get_serialized_disp_output(data: &Vec<(CompactString, Profile)>, header: boo
  ret.push(
  _format_cellpos(
  &d.1.to_value()
- .replace("🛂r", "\r")
- .replace("🛂n", "\n")
- .replace("🛂t", "\t")
-   .replace(['\n', '\r', '\t'], " ")
-   .split_whitespace()
-   .join(" "),
+ .replace("🛂r", "")
+ .replace("🛂n", "")
+ .replace("🛂t", ""),
+ // .replace(['\n', '\r', '\t'], " ")
+ // .split_whitespace()
+ // .join(" "),
  ColPos::First,
  )
  .replace('|', "🦅"),
@@ -775,12 +775,12 @@ fn _get_serialized_disp_output(data: &Vec<(CompactString, Profile)>, header: boo
  ret.push(
  _format_cellpos(
  &d.1.to_value()
- .replace("🛂r", "\r")
- .replace("🛂n", "\n")
- .replace("🛂t", "\t")
-   .replace(['\n', '\r', '\t'], " ")
-   .split_whitespace()
-   .join(" "),
+ .replace("🛂r", "")
+ .replace("🛂n", "")
+ .replace("🛂t", ""),
+ // .replace(['\n', '\r', '\t'], " ")
+ // .split_whitespace()
+ // .join(" "),
  ColPos::Last,
  )
  .replace('|', "🦅"),
@@ -789,12 +789,12 @@ fn _get_serialized_disp_output(data: &Vec<(CompactString, Profile)>, header: boo
  ret.push(
  _format_cellpos(
  &d.1.to_value()
- .replace("🛂r", "\r")
- .replace("🛂n", "\n")
- .replace("🛂t", "\t")
-   .replace(['\n', '\r', '\t'], " ")
-   .split_whitespace()
-   .join(" "),
+ .replace("🛂r", "")
+ .replace("🛂n", "")
+ .replace("🛂t", ""),
+ // .replace(['\n', '\r', '\t'], " ")
+ // .split_whitespace()
+ // .join(" "),
  ColPos::Other,
  )
  .replace('|', "🦅"),
@@ -933,27 +933,28 @@ fn _print_detection_summary_by_date(
  for (idx, level) in level_abbr.iter().enumerate() {
  // output_levelsはlevelsからundefinedを除外した配列であり、各要素は必ず初期化されているのでSomeであることが保証されているのでunwrapをそのまま実施
  let detections_by_day = detect_counts_by_date.get(&level[1]).unwrap();
- let mut max_detect_str = String::default();
+ let mut max_detect_str = CompactString::default();
  let mut tmp_cnt: i128 = 0;
  let mut exist_max_data = false;
  for (date, cnt) in detections_by_day {
  if cnt > &tmp_cnt {
  exist_max_data = true;
- max_detect_str = format!("{} ({})", date, cnt.to_formatted_string(&Locale::en));
+ max_detect_str =
+ format!("{} ({})", date, cnt.to_formatted_string(&Locale::en)).into();
  tmp_cnt = *cnt;
  }
  }
  wtr.set_color(ColorSpec::new().set_fg(_get_output_color(
  color_map,
- LEVEL_FULL.get(&level[1].as_str()).unwrap(),
+ LEVEL_FULL.get(level[1].as_str()).unwrap(),
  )))
  .ok();
  if !exist_max_data {
- max_detect_str = "n/a".to_string();
+ max_detect_str = "n/a".into();
  }
  let output_str = format!(
  "{}: {}",
- LEVEL_FULL.get(&level[1].as_str()).unwrap(),
+ LEVEL_FULL.get(level[1].as_str()).unwrap(),
  &max_detect_str
  );
  write!(wtr, "{output_str}").ok();
@@ -997,8 +998,8 @@ fn _print_detection_summary_by_computer(
  if stored_static.html_report_flag {
  html_output_stock.push(format!(
  "### Computers with most unique {} detections: {{#computers_with_most_unique_{}_detections}}",
- LEVEL_FULL.get(&level[1].as_str()).unwrap(),
- LEVEL_FULL.get(&level[1].as_str()).unwrap()
+ LEVEL_FULL.get(level[1].as_str()).unwrap(),
+ LEVEL_FULL.get(level[1].as_str()).unwrap()
  ));
  for x in sorted_detections.iter() {
  html_output_stock.push(format!(
@@ -1024,13 +1025,13 @@ fn _print_detection_summary_by_computer(
 
  wtr.set_color(ColorSpec::new().set_fg(_get_output_color(
  color_map,
- LEVEL_FULL.get(&level[1].as_str()).unwrap(),
+ LEVEL_FULL.get(level[1].as_str()).unwrap(),
  )))
  .ok();
  writeln!(
  wtr,
  "{}: {}",
- LEVEL_FULL.get(&level[1].as_str()).unwrap(),
+ LEVEL_FULL.get(level[1].as_str()).unwrap(),
  &result_str
  )
  .ok();
@@ -1053,15 +1054,15 @@ fn _print_detection_summary_tables(
  let mut output = vec![];
  let mut col_color = vec![];
  for level in level_abbr.iter() {
- let mut col_output: Vec<String> = vec![];
+ let mut col_output: Nested<String> = Nested::<String>::new();
  col_output.push(format!(
  "Top {} alerts:",
- LEVEL_FULL.get(&level[1].as_str()).unwrap()
+ LEVEL_FULL.get(level[1].as_str()).unwrap()
  ));
 
  col_color.push(_get_table_color(
  color_map,
- LEVEL_FULL.get(&level[1].as_str()).unwrap(),
+ LEVEL_FULL.get(level[1].as_str()).unwrap(),
  ));
 
  // output_levelsはlevelsからundefinedを除外した配列であり、各要素は必ず初期化されているのでSomeであることが保証されているのでunwrapをそのまま実施
@@ -1075,8 +1076,8 @@ fn _print_detection_summary_tables(
  if stored_static.html_report_flag {
  html_output_stock.push(format!(
  "### Top {} alerts: {{#top_{}_alerts}}",
- LEVEL_FULL.get(&level[1].as_str()).unwrap(),
- LEVEL_FULL.get(&level[1].as_str()).unwrap()
+ LEVEL_FULL.get(level[1].as_str()).unwrap(),
+ LEVEL_FULL.get(level[1].as_str()).unwrap()
  ));
  for x in sorted_detections.iter() {
  html_output_stock.push(format!(
@@ -1092,7 +1093,7 @@ fn _print_detection_summary_tables(
  html_output_stock.push("");
  }
 
- let take_cnt = if "informational" == *LEVEL_FULL.get(&level[1].as_str()).unwrap_or(&"-") {
+ let take_cnt = if "informational" == *LEVEL_FULL.get(level[1].as_str()).unwrap_or(&"-") {
  10
  } else {
  5
@@ -1110,7 +1111,7 @@ fn _print_detection_summary_tables(
  take_cnt - sorted_detections.len()
  };
  for _x in 0..na_cnt {
- col_output.push("n/a".to_string());
+ col_output.push("n/a");
  }
  output.push(col_output);
  }
@@ -1132,15 +1133,15 @@ fn _print_detection_summary_tables(
  .set_style(TableComponent::BottomBorderIntersections, hlch);
 
  tb.add_row(vec![
- Cell::new(output[2 * x][1..].join("\n"))
+ Cell::new(output[2 * x].iter().skip(1).join("\n"))
  .fg(col_color[2 * x].unwrap_or(comfy_table::Color::Reset)),
- Cell::new(output[2 * x + 1][1..].join("\n"))
+ Cell::new(output[2 * x + 1].iter().skip(1).join("\n"))
  .fg(col_color[2 * x + 1].unwrap_or(comfy_table::Color::Reset)),
  ]);
  }
 
- let odd_row = &output[4][1..6];
- let even_row = &output[4][6..11];
+ let odd_row = &mut output[4].iter().skip(1).take(5);
+ let even_row = &mut output[4].iter().skip(1).take(5);
  tb.add_row(vec![
  Cell::new(&output[4][0]).fg(col_color[4].unwrap_or(comfy_table::Color::Reset)),
  Cell::new(""),
@@ -1564,7 +1565,7 @@ fn extract_author_name(yaml_path: &str, stored_static: &StoredStatic) -> Nested<
  {
  if let Some(author) = yaml["author"].as_str() {
  let mut ret = Nested::<String>::new();
- for author in author.to_string().split(',').map(|s| {
+ for author in author.split(',').map(|s| {
  // 各要素の括弧以降の記載は名前としないためtmpの一番最初の要素のみを参照する
  // データの中にdouble quote と single quoteが入っているためここで除外する
  s.split('(').next().unwrap_or_default().to_string()
@@ -1576,7 +1577,7 @@ fn extract_author_name(yaml_path: &str, stored_static: &StoredStatic) -> Nested<
  .iter()
  .map(|r| {
  r.split('/')
- .map(|p| p.to_string().replace(['"', '\''], "").trim().to_string())
+ .map(|p| p.trim().replace(['"', '\''], ""))
  .collect::<String>()
  })
  .collect();

src/detections/configs.rs

@@ -1291,7 +1291,7 @@ pub fn load_pivot_keywords(path: &str) {
  PIVOT_KEYWORD
  .write()
  .unwrap()
- .get_mut(&key.to_string())
+ .get_mut(key)
  .unwrap()
  .fields
  .insert(value.to_string());

src/detections/message.rs

@@ -190,7 +190,7 @@ pub fn parse_message(
  eventkey_alias: &EventKeyAliasConfig,
 ) -> CompactString {
  let mut return_message = output;
- let mut hash_map: HashMap<String, String> = HashMap::new();
+ let mut hash_map: HashMap<CompactString, CompactString> = HashMap::new();
  for caps in ALIASREGEX.captures_iter(&return_message) {
  let full_target_str = &caps[0];
  let target_length = full_target_str.chars().count() - 2; // The meaning of 2 is two percent
@@ -227,15 +227,15 @@ pub fn parse_message(
  let hash_value = get_serde_number_to_string(tmp_event_record);
  if hash_value.is_some() {
  if let Some(hash_value) = hash_value {
- hash_map.insert(full_target_str.to_string(), hash_value.to_string());
+ hash_map.insert(CompactString::from(full_target_str), hash_value);
  }
  } else {
- hash_map.insert(full_target_str.to_string(), "n/a".to_string());
+ hash_map.insert(CompactString::from(full_target_str), "n/a".into());
  }
  }
 
- for (k, v) in &hash_map {
- return_message = CompactString::new(return_message.replace(k, v));
+ for (k, v) in hash_map {
+ return_message = CompactString::new(return_message.replace(k.as_str(), v.as_str()));
  }
  return_message
 }

src/filter.rs

@@ -1,7 +1,9 @@
 use crate::detections::configs::{self, StoredStatic};
 use crate::detections::message::{AlertMessage, ERROR_LOG_STACK};
+use compact_str::CompactString;
 use hashbrown::HashMap;
 use regex::Regex;
+use std::borrow::Borrow;
 use std::fs::File;
 use std::io::{BufRead, BufReader};
 
@@ -13,7 +15,7 @@ pub struct DataFilterRule {
 
 #[derive(Clone, Debug)]
 pub struct RuleExclude {
- pub no_use_rule: HashMap<String, String>,
+ pub no_use_rule: HashMap<CompactString, CompactString>,
 }
 
 impl RuleExclude {
@@ -67,15 +69,13 @@ impl RuleExclude {
  return;
  }
  let reader = BufReader::new(f.unwrap());
- for v in reader.lines() {
- let v = v.unwrap().split('#').collect::<Vec<&str>>()[0]
- .trim()
- .to_string();
- if v.is_empty() || !configs::IDS_REGEX.is_match(&v) {
- // 空行は無視する。IDの検証
- continue;
+ reader.lines().for_each(|line| {
+ let line_contents = line.unwrap();
+ let v = line_contents.split('#').collect::<Vec<&str>>()[0].trim();
+ if !v.borrow().is_empty() && configs::IDS_REGEX.is_match(v) {
+ // IDのフォーマットにあっているもののみ追加する
+ self.no_use_rule.insert(v.into(), filename.into());
  }
- self.no_use_rule.insert(v, filename.to_owned());
- }
+ });
  }
 }

src/yaml.rs

@@ -243,12 +243,12 @@ impl ParseYaml {
 
  let files = yaml_docs.into_iter().filter_map(|(filepath, yaml_doc)| {
  //除外されたルールは無視する
- let rule_id = &yaml_doc["id"].as_str();
+ let rule_id = yaml_doc["id"].as_str();
  if rule_id.is_some() {
- if let Some(v) = exclude_ids
- .no_use_rule
- .get(&rule_id.unwrap_or(&String::default()).to_string())
+ if let Some(matched_rule_id) =
+ exclude_ids.no_use_rule.get(rule_id.unwrap_or_default())
  {
+ let v = matched_rule_id.as_str();
  let entry_key = if utils::contains_str(v, "exclude_rule") {
  "excluded"
  } else {