chg: update security_rules.json

fukusuket
2025-04-14 08:42:31 +09:00
parent 438af15776
commit 10bbac2097
2 changed files with 26199 additions and 23386 deletions



@@ -11,6 +11,7 @@ use yaml_rust2::{Yaml, YamlLoader};
enum Channel {
Security,
PowerShell,
Other(String),
}
impl Display for Channel {
@@ -18,6 +19,7 @@ impl Display for Channel {
match self {
Channel::Security => write!(f, "sec"),
Channel::PowerShell => write!(f, "pwsh"),
Channel::Other(name) => write!(f, "{}", name),
}
}
}
@@ -80,7 +82,7 @@ fn contains_builtin_channel(yaml: &Yaml) -> Option<Channel> {
Some("Microsoft-Windows-PowerShell/Operational")
| Some("PowerShellCore/Operational")
| Some("Windows PowerShell") => Some(Channel::PowerShell),
_ => None,
val => Some(Channel::Other(val?.to_string())),
}
}
@@ -117,6 +119,10 @@ fn contains_builtin_channel(yaml: &Yaml) -> Option<Channel> {
}
fn parse_yaml(doc: Yaml, eid_subcategory_pair: &Vec<(String, String)>) -> Option<Value> {
let sysmon_tag = doc["tags"].as_vec().map_or(false, |tags| tags.iter().any(|tag| tag.as_str() == Some("sysmon")));
if sysmon_tag {
return None;
}
if let Some(ch) = contains_builtin_channel(&doc["detection"]) {
let uuid = doc["id"].as_str().unwrap_or("");
let title = doc["title"].as_str().unwrap_or("");
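Review bot: The new catch-all arm `val => Some(Channel::Other(val?.to_string()))` in contains_builtin_channel makes every non-built-in channel string from a rule file a `Channel::Other`, and the `Display` impl added in the same commit writes that string verbatim, unlike the fixed short tokens `sec` and `pwsh` used for the built-in variants. The channel names matched right above it contain `/` and spaces (`Microsoft-Windows-PowerShell/Operational`, `Windows PowerShell`), so if the formatted channel is used downstream as a file or directory name or as a lookup key, an `Other` value taken from a rule would carry a path separator or whitespace into it; the consumer is not visible here, so please confirm and, if that is the case, map or sanitize the name before formatting. The arm also reads more plainly as two explicit arms, `Some(name) => Some(Channel::Other(name.to_string())),` and `None => None,`, instead of applying `?` to the binding inside a match on that same `Option`. Both contains_builtin_channel and parse_yaml continue outside the visible hunks.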