From 8339ce2f310875542fac9bf1c5d4b48c39eccc23 Mon Sep 17 00:00:00 2001
From: syncpark
Date: Mon, 21 Oct 2024 11:06:59 +0900
Subject: [PATCH] Renamed EventCategory::Unknown to Unspecified
---
 CHANGELOG.md | 1 +
 src/event.rs | 13 ++++++++-----
 src/migration.rs | 2 +-
 src/types.rs | 2 +-
 4 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2d84002f..679ad681 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,7 @@ Versioning](https://semver.org/spec/v2.0.0.html).
 ### Changed
 - `FromKeyValue` is sealed.
+- Renamed `EventCategory::Unknown` to `Unspecified`.
 ### Removed
diff --git a/src/event.rs b/src/event.rs
index 7d81c4b2..61e3ef5a 100644
--- a/src/event.rs
+++ b/src/event.rs
@@ -4817,7 +4817,7 @@ mod tests {
 issuer_org_name: "org".to_string(),
 issuer_org_unit_name: "unit".to_string(),
 issuer_common_name: "common".to_string(),
- category: EventCategory::Unknown,
+ category: EventCategory::Unspecified,
 last_alert: 1,
 }
 }
@@ -4836,7 +4836,7 @@ mod tests {
 let syslog_message = message.to_string();
 assert_eq!(
 &syslog_message,
- r#"time="1970-01-01T01:01:01+00:00" event_kind="SuspiciousTlsTraffic" category="Unknown" source="collector1" src_addr="127.0.0.1" src_port="10000" dst_addr="127.0.0.2" dst_port="443" proto="6" last_time="100" server_name="server" alpn_protocol="alpn" ja3="ja3" version="version" client_cipher_suites="1,2,3" client_extensions="4,5,6" cipher="1" extensions="7,8,9" ja3s="ja3s" serial="serial" subject_country="country" subject_org_name="org" subject_common_name="common" validity_not_before="100" validity_not_after="200" subject_alt_name="alt" issuer_country="country" issuer_org_name="org" issuer_org_unit_name="unit" issuer_common_name="common" last_alert="1""#
+ r#"time="1970-01-01T01:01:01+00:00" event_kind="SuspiciousTlsTraffic" category="Unspecified" source="collector1" src_addr="127.0.0.1" src_port="10000" dst_addr="127.0.0.2" dst_port="443" proto="6" last_time="100" server_name="server" alpn_protocol="alpn" ja3="ja3" version="version" client_cipher_suites="1,2,3" client_extensions="4,5,6" cipher="1" extensions="7,8,9" ja3s="ja3s" serial="serial" subject_country="country" subject_org_name="org" subject_common_name="common" validity_not_before="100" validity_not_after="200" subject_alt_name="alt" issuer_country="country" issuer_org_name="org" issuer_org_unit_name="unit" issuer_common_name="common" last_alert="1""#
 );
 let suspicious_tls_traffic =
@@ -4849,7 +4849,10 @@ mod tests {
 suspicious_tls_traffic.dst_addr(),
 IpAddr::V4(Ipv4Addr::new(127, 0, 0, 2))
 );
- assert_eq!(suspicious_tls_traffic.category(), EventCategory::Unknown);
+ assert_eq!(
+ suspicious_tls_traffic.category(),
+ EventCategory::Unspecified
+ );
 assert_eq!(suspicious_tls_traffic.src_port(), 10000);
 assert_eq!(suspicious_tls_traffic.dst_port(), 443);
 assert_eq!(suspicious_tls_traffic.proto(), 6);
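Review bot: The expected syslog string on the `+` line now contains `category="Unspecified"`, so the rename also changes a value emitted on the wire, not only a Rust identifier; any log parser, SIEM field mapping or detection rule that matches `category="Unknown"` stops matching after the upgrade. The same string change appears in the `block_list_tls` assertion in the hunk at -4858. The CHANGELOG line added in this patch records only the identifier rename; extending it to `- Renamed EventCategory::Unknown to Unspecified; the category name in syslog output changes accordingly.` would tell consumers to update their parsers. The enclosing test function starts outside the hunk.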
@@ -4858,7 +4861,7 @@ mod tests {
 assert_eq!(
 &block_list_tls,
- r#"time="1970-01-01T01:01:01+00:00" event_kind="SuspiciousTlsTraffic" category="Unknown" source="collector1" src_addr="127.0.0.1" src_port="10000" dst_addr="127.0.0.2" dst_port="443" proto="6" last_time="100" server_name="server" alpn_protocol="alpn" ja3="ja3" version="version" client_cipher_suites="1,2,3" client_extensions="4,5,6" cipher="1" extensions="7,8,9" ja3s="ja3s" serial="serial" subject_country="country" subject_org_name="org" subject_common_name="common" validity_not_before="100" validity_not_after="200" subject_alt_name="alt" issuer_country="country" issuer_org_name="org" issuer_org_unit_name="unit" issuer_common_name="common" last_alert="1" triage_scores="""#
+ r#"time="1970-01-01T01:01:01+00:00" event_kind="SuspiciousTlsTraffic" category="Unspecified" source="collector1" src_addr="127.0.0.1" src_port="10000" dst_addr="127.0.0.2" dst_port="443" proto="6" last_time="100" server_name="server" alpn_protocol="alpn" ja3="ja3" version="version" client_cipher_suites="1,2,3" client_extensions="4,5,6" cipher="1" extensions="7,8,9" ja3s="ja3s" serial="serial" subject_country="country" subject_org_name="org" subject_common_name="common" validity_not_before="100" validity_not_after="200" subject_alt_name="alt" issuer_country="country" issuer_org_name="org" issuer_org_unit_name="unit" issuer_common_name="common" last_alert="1" triage_scores="""#
 );
 }
@@ -4918,7 +4921,7 @@ mod tests {
 let mut counter = HashMap::new();
 event.count_category(&mut counter, None, &filter).unwrap();
- assert_eq!(counter.get(&EventCategory::Unknown), Some(&1));
+ assert_eq!(counter.get(&EventCategory::Unspecified), Some(&1));
 let mut counter = HashMap::new();
 event
diff --git a/src/migration.rs b/src/migration.rs
index 26b8b8fe..87fedd50 100644
--- a/src/migration.rs
+++ b/src/migration.rs
@@ -278,7 +278,7 @@ fn migrate_0_30_tidb(store: &super::Store) -> Result<()> {
 "HttpUriThreat" => EventCategory::Reconnaissance,
 "ProcessCreate" => EventCategory::Impact,
 "spamhaus drop ip" => EventCategory::InitialAccess,
- _ => EventCategory::Unknown,
+ _ => EventCategory::Unspecified,
 };
 let new_tidb = Tidb::try_from((old_tidb, category))?;
diff --git a/src/types.rs b/src/types.rs
index 6079921d..30a7de08 100644
--- a/src/types.rs
+++ b/src/types.rs
@@ -76,7 +76,7 @@ pub struct PretrainedModel(pub Vec);
 )]
 #[repr(u8)]
 pub enum EventCategory {
- Unknown = 0,
+ Unspecified = 0,
 Reconnaissance = 1,
 InitialAccess,
 Execution,
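Review bot: The catch-all `_ => EventCategory::Unspecified` arm maps every kind name absent from the table above to `Unspecified` without recording which names fell through, so a rule whose kind was misspelled or added after this table was written is migrated with no category and nothing for an operator to notice; alerts left in `Unspecified` then drop out of any category-based triage. A comment on the arm, `// Kinds absent from the table above have no category mapping; they land in Unspecified and should be reviewed after migration.`, would record the intent, and logging the unmapped kind name here (if this file already has a logging facility) would make the gaps discoverable. The match and `migrate_0_30_tidb` start outside the hunk.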
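Review bot: The renamed variant keeps its explicit `= 0` discriminant, so the `#[repr(u8)]` value is unchanged, but nothing on the variant says what `Unspecified` means or that 0 is reserved for it; a doc comment such as `/// No category has been assigned. Discriminant 0 is stable and must not be reused.` directly above the variant would make that contract explicit. The derive list is cut off above the hunk, so if it includes a name-based form (serde `Serialize`/`Deserialize`, `Display`, or a string conversion), data persisted under the old name `Unknown` will no longer round-trip; if such data can exist, a deserialization alias for the old spelling (for serde, `#[serde(alias = "Unknown")]` on the variant) should accompany the rename. The enum definition continues past the hunk.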