From f7e7747deeb7654b940b27224feffd9cc1749da9 Mon Sep 17 00:00:00 2001
From: thomashaw
Date: Sun, 10 Jul 2022 16:59:58 +0100
Subject: [PATCH] simplified rule for testing / benchmarking

---
 lib/helpers/rules.rb | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/lib/helpers/rules.rb b/lib/helpers/rules.rb
index 183779bc3..c32e67596 100644
--- a/lib/helpers/rules.rb
+++ b/lib/helpers/rules.rb
@@ -69,11 +69,10 @@ class Rules
 "filter:\n" +
 " - query:\n" +
 " query_string:\n" +
- ' query: "combined_path: \"' + goal['file_path'] + '\" AND auditd.result: success AND event.action: opened-file AND (process.executable: \"/bin/cat\" OR process.executable: \"/usr/bin/vim.basic\" OR process.executable: \"/bin/less\" OR process.executable: \"/bin/more\" OR process.executable: \"/bin/nano\" OR process.executable: \"/usr/bin/kate\")"' + "\n" +
- # Different OR clause in EA
- #
+ # TODO: Test the timing of this simpler rule
+ ' query: "combined_path: \"' + goal['file_path'] + '\" AND auditd.result: success AND event.action: opened-file AND process.executable: \"/bin/cat\")"' + "\n" +
 # TODO: WIP - improve this rule!
- #
+ # The rule with KATE etc in, takes 30 sec ish to run!
 ' query: "combined_path: \"' + goal['file_path'] + '\" AND auditd.result: success AND event.action: opened-file AND (process.executable: \"/bin/cat\" OR process.executable: \"/usr/bin/vim.basic\" OR process.executable: \"/bin/less\" OR process.executable: \"/bin/more\" OR process.executable: \"/bin/nano\" OR process.executable: \"/usr/bin/kate\")"' + "\n" +
 # # ' query: "combined_path: \"' + goal['file_path'] + '\" AND auditd.result: success AND event.action: opened-file"' + "\n" +
 #
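Review bot: The newly added "simpler" query line carries an unbalanced closing parenthesis — `process.executable: \"/bin/cat\")"` — left over from the removed `( ... OR ... )` group, so the query_string parser will reject the rule rather than benchmark it; the line should end `AND process.executable: \"/bin/cat\""' + "\n" +`. Judging by the hunk counts (4 deletions, 3 insertions), the longer six-executable query line directly below the new one is unchanged context and therefore still live, which yields two `query:` keys under `query_string:` in the generated YAML; whichever key the loader keeps, the timing measured is not that of the simpler rule alone, so that line should be commented out (or the two made mutually exclusive) while the benchmark runs. Unrelated to this change but visible in the same lines: `goal['file_path']` is spliced into the query unescaped, so a path containing a double quote or Lucene special characters would silently alter or break the filter — worth a `# NOTE: file_path is interpolated raw into the Lucene query; escape or validate it upstream` comment. The enclosing method begins and ends outside this hunk.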