fix(yara): Use file name to distinguish alert title

rabbitstack · rabbitstack · commit 2373eccd4496 · 2024-12-04T21:28:31.000+01:00
diff --git a/pkg/yara/config/config.go b/pkg/yara/config/config.go
@@ -165,7 +165,7 @@ func (c Config) ShouldSkipFile(file string) bool {
 // whether the process scan took place or a file/registry
 // key was scanned.
 func (c Config) AlertTitle(e *kevent.Kevent) string {
-	if (e.Category == ktypes.File && e.Kparams.Contains(kparams.FileName)) || e.Category == ktypes.Registry {
+	if (e.Category == ktypes.File && e.GetParamAsString(kparams.FileName) != "") || e.Category == ktypes.Registry {
 		return FileThreatAlertTitle
 	}
 	return MemoryThreatAlertTitle

Original file line number	Diff line number	Diff line change
`@@ -165,7 +165,7 @@ func (c Config) ShouldSkipFile(file string) bool {`
`165`	`165`	`// whether the process scan took place or a file/registry`
`166`	`166`	`// key was scanned.`
`167`	`167`	`func (c Config) AlertTitle(e *kevent.Kevent) string {`
`168`		`- if (e.Category == ktypes.File && e.Kparams.Contains(kparams.FileName)) \|\| e.Category == ktypes.Registry {`
	`168`	`+ if (e.Category == ktypes.File && e.GetParamAsString(kparams.FileName) != "") \|\| e.Category == ktypes.Registry {`
`169`	`169`	`return FileThreatAlertTitle`
`170`	`170`	`}`
`171`	`171`	`return MemoryThreatAlertTitle`