fix(search): removed newline characters in search command output #1253

Yamato-Security · Feb 1, 2024 · a8cac1e · a8cac1e
1 parent b138609
commit a8cac1e
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 4 deletions.
diff --git a/src/detections/configs.rs b/src/detections/configs.rs
@@ -35,6 +35,10 @@ lazy_static! {
         Regex::new(r"^[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}$").unwrap();
     pub static ref CONTROL_CHAT_REPLACE_MAP: HashMap<char, CompactString> =
         create_control_chat_replace_map();
+    pub static ref ALLFIELDINFO_SPECIAL_CHARS: AhoCorasick = AhoCorasickBuilder::new()
+        .match_kind(MatchKind::LeftmostLongest)
+        .build(["🛂r", "🛂n", "🛂t"])
+        .unwrap();
 }
 
 pub struct ConfigReader {

diff --git a/src/timeline/search.rs b/src/timeline/search.rs
@@ -1,4 +1,4 @@
-use crate::detections::configs::OutputOption;
+use crate::detections::configs::{OutputOption, ALLFIELDINFO_SPECIAL_CHARS};
 use crate::detections::field_data_map::FieldDataMapKey;
 use crate::detections::message;
 use crate::detections::utils::format_time;
@@ -180,14 +180,18 @@ impl EventSearch {
             if search_condition(keywords) {
                 let (timestamp, hostname, channel, eventid, recordid, allfieldinfo) =
                     extract_search_event_info(record, eventkey_alias, output_option);
-
+                let allfieldinfo_newline_splited = ALLFIELDINFO_SPECIAL_CHARS
+                    .replace_all(&allfieldinfo, &["🦅", "🦅", "🦅"])
+                    .split('🦅')
+                    .filter(|x| !x.is_empty())
+                    .join(" ");
                 self.search_result.insert((
                     timestamp,
                     hostname,
                     channel,
                     eventid,
                     recordid,
-                    allfieldinfo,
+                    allfieldinfo_newline_splited.into(),
                     self.filepath.clone(),
                 ));
             }
@@ -222,13 +226,18 @@ impl EventSearch {
             if re.is_match(&record.data_string) {
                 let (timestamp, hostname, channel, eventid, recordid, allfieldinfo) =
                     extract_search_event_info(record, eventkey_alias, output_option);
+                let allfieldinfo_newline_splited = ALLFIELDINFO_SPECIAL_CHARS
+                    .replace_all(&allfieldinfo, &["🦅", "🦅", "🦅"])
+                    .split('🦅')
+                    .filter(|x| !x.is_empty())
+                    .join(" ");
                 self.search_result.insert((
                     timestamp,
                     hostname,
                     channel,
                     eventid,
                     recordid,
-                    allfieldinfo,
+                    allfieldinfo_newline_splited.into(),
                     self.filepath.clone(),
                 ));
             }