From 00293d9753b8ec491c236b677d693efe437ab183 Mon Sep 17 00:00:00 2001
From: DastInDark <2350416+hitenkoku@users.noreply.github.com>
Date: Sun, 24 Jul 2022 19:35:29 +0900
Subject: [PATCH] Changed channel abbreviation timing when messge is inserted
---
 src/afterfact.rs | 49 ++++++++++++++++++-------------------
 src/detections/detection.rs | 6 +++--
 src/detections/message.rs | 8 ++++++
 3 files changed, 36 insertions(+), 27 deletions(-)
diff --git a/src/afterfact.rs b/src/afterfact.rs
index 57142ec7..6af13ced 100644
--- a/src/afterfact.rs
+++ b/src/afterfact.rs
@@ -185,20 +185,13 @@ fn emit_csv(
 HashMap::new();
 let levels = Vec::from([
- "critical",
+ "crit",
 "high",
- "medium",
- "low",
- "informational",
+ "med ",
+ "low ",
+ "info",
 "undefined",
 ]);
- let level_abbr: HashMap = HashMap::from([
- (String::from("cruitical"), String::from("crit")),
- (String::from("high"), String::from("high")),
- (String::from("medium"), String::from("med ")),
- (String::from("low"), String::from("low ")),
- (String::from("informational"), String::from("info")),
- ]);
 // レベル別、日ごとの集計用変数の初期化
 for level_init in levels {
 detect_counts_by_date_and_level.insert(level_init.to_string(), HashMap::new());
@@ -484,7 +477,14 @@ fn _print_detection_summary_by_date(
 let mut wtr = buf_wtr.buffer();
 wtr.set_color(ColorSpec::new().set_fg(None)).ok();
- let output_levels = Vec::from(["critical", "high", "medium", "low", "informational"]);
+ let output_levels = Vec::from(["crit", "high", "med ", "low ", "info"]);
+ let level_full_map = HashMap::from([
+ ("crit", "critical"),
+ ("high", "high"),
+ ("med ", "medium"),
+ ("low ", "low"),
+ ("info", "informational"),
+ ]);
 for level in output_levels {
 // output_levelsはlevelsからundefinedを除外した配列であり、各要素は必ず初期化されているのでSomeであることが保証されているのでunwrapをそのまま実施
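Review bot: The new `levels` entries `"med "` and `"low "` carry a trailing space and are used verbatim as the keys of `detect_counts_by_date_and_level` on the last line of the hunk, so every later lookup against that map has to reproduce the exact padding or the count silently lands nowhere. A comment above the list would stop the next editor from trimming them, e.g. `// abbreviated level names double as the count-map keys; "med " / "low " keep their trailing space on purpose`; the padding looks like column alignment, adjust the wording if that is not the intent. `"undefined"` is the only entry left in full form, which is presumably deliberate because it is not in LEVEL_ABBR. emit_csv starts before the hunk.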
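Review bot: `level_full_map` is hand-written inside `_print_detection_summary_by_date` and duplicated byte-for-byte in `_print_detection_summary_by_computer` (the -523 hunk), so the two copies and the `LEVEL_ABBR` table in message.rs can drift apart without any compile error. Define the reverse mapping once next to `LEVEL_ABBR`, or derive it by inverting that map, and reference it from both functions; `output_levels` could then come from the same source instead of a third literal list. The `.unwrap()` on `level_full_map.get(level)` is only safe because `output_levels` is a literal subset of the map's keys, which is worth stating in the comment above the loop. Both functions start before their hunks.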
@@ -499,7 +499,7 @@ fn _print_detection_summary_by_date(
 tmp_cnt = *cnt;
 }
 }
- wtr.set_color(ColorSpec::new().set_fg(_get_output_color(color_map, level)))
+ wtr.set_color(ColorSpec::new().set_fg(_get_output_color(color_map, level_full_map.get(level).unwrap())))
 .ok();
 if date_str == String::default() {
 max_detect_str = "n/a".to_string();
@@ -507,7 +507,7 @@ fn _print_detection_summary_by_date(
 writeln!(
 wtr,
 "Date with most total {} detections: {}",
- level, &max_detect_str
+ level_full_map.get(level).unwrap(), &max_detect_str
 )
 .ok();
 }
@@ -523,7 +523,14 @@ fn _print_detection_summary_by_computer(
 let mut wtr = buf_wtr.buffer();
 wtr.set_color(ColorSpec::new().set_fg(None)).ok();
- let output_levels = Vec::from(["critical", "high", "medium", "low", "informational"]);
+ let output_levels = Vec::from(["crit", "high", "med ", "low ", "info"]);
+ let level_full_map = HashMap::from([
+ ("crit", "critical"),
+ ("high", "high"),
+ ("med ", "medium"),
+ ("low ", "low"),
+ ("info", "informational"),
+ ]);
 for level in output_levels {
 // output_levelsはlevelsからundefinedを除外した配列であり、各要素は必ず初期化されているのでSomeであることが保証されているのでunwrapをそのまま実施
@@ -546,26 +553,18 @@ fn _print_detection_summary_by_computer(
 result_vec.join(", ")
 };
- wtr.set_color(ColorSpec::new().set_fg(_get_output_color(color_map, level)))
+ wtr.set_color(ColorSpec::new().set_fg(_get_output_color(color_map, level_full_map.get(level).unwrap())))
 .ok();
 writeln!(
 wtr,
 "Top 5 computers with most unique {} detections: {}",
- level, &result_str
+ level_full_map.get(level).unwrap(), &result_str
 )
 .ok();
 }
 buf_wtr.print(&wtr).ok();
 }
-fn format_time(time: &DateTime, date_only: bool) -> String {
- if configs::CONFIG.read().unwrap().args.utc {
- format_rfc(time, date_only)
- } else {
- format_rfc(&time.with_timezone(&Local), date_only)
- }
- }
-
 /// get timestamp to input datetime.
 fn _get_timestamp(time: &DateTime) -> i64 {
 if configs::CONFIG.read().unwrap().args.utc {
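Review bot: `level_full_map.get(level).unwrap()` is now evaluated twice per loop iteration, once for the colour and once inside `writeln!`, and the rewritten `set_color` line runs well past rustfmt's width; the same pair appears in the -507 and -546 hunks. Bind it once at the top of the loop body, `let level_full = level_full_map.get(level).copied().unwrap_or(level);`, then pass `level_full` to `_get_output_color(color_map, level_full)` and use it in the format arguments, which also removes the panic path should the two literal lists ever disagree. The enclosing functions start before their hunks.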
diff --git a/src/detections/detection.rs b/src/detections/detection.rs
index 3e74a170..daf431e9 100644
--- a/src/detections/detection.rs
+++ b/src/detections/detection.rs
@@ -31,6 +31,7 @@ use std::sync::Arc;
 use tokio::{runtime::Runtime, spawn, task::JoinHandle};
 use super::message;
+use super::message::LEVEL_ABBR;
 // イベントファイルの1レコード分の情報を保持する構造体
 #[derive(Clone, Debug)]
@@ -256,15 +257,16 @@ impl Detection {
 Some(str) => str.to_owned(),
 None => recinfo.as_ref().unwrap_or(&"-".to_string()).to_string(),
 };
- let opt_record_info = if configs::CONFIG.read().unwrap().args.full_data {
+ let opt_record_info = if profile_all_alias.contains("%RecordInformation%") {
 recinfo
 } else {
 None
 };
+ let level= rule.yaml["level"].as_str().unwrap_or("-").to_string();
 let detect_info = DetectInfo {
 filepath: record_info.evtx_filepath.to_string(),
 rulepath: (&rule.rulepath).to_owned(),
- level: rule.yaml["level"].as_str().unwrap_or("-").to_string(),
+ level: LEVEL_ABBR.get(&level).unwrap_or(&level).to_string(),
 computername: record_info.record["Event"]["System"]["Computer"]
 .to_string()
 .replace('\"', ""),
diff --git a/src/detections/message.rs b/src/detections/message.rs
index 0858ab09..fd041e20 100644
--- a/src/detections/message.rs
+++ b/src/detections/message.rs
@@ -83,6 +83,14 @@ lazy_static! {
 .as_path()
 .display()
 ));
+ pub static ref LEVEL_ABBR: HashMap = HashMap::from([
+ (String::from("cruitical"), String::from("crit")),
+ (String::from("high"), String::from("high")),
+ (String::from("medium"), String::from("med ")),
+ (String::from("low"), String::from("low ")),
+ (String::from("informational"), String::from("info")),
+ ]);
+
 }
 /// ファイルパスで記載されたtagでのフル名、表示の際に置き換えられる文字列のHashMapを作成する関数。
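Review bot: The `opt_record_info` condition switches from the `full_data` CLI flag to `profile_all_alias.contains("%RecordInformation%")`, a behaviour change the commit subject does not mention; if it is intended, say so in the message, and any remaining reader of that flag (not visible here) may need the matching update. On the added level line, `let level= rule.yaml[...]` should be `let level = ...` per rustfmt, and because the string comes straight from the rule file the `LEVEL_ABBR` lookup only matches an exact lowercase spelling: a value such as `Critical` or one with stray whitespace falls through `unwrap_or(&level)` unabbreviated and, as far as the visible code shows, would not land in the `crit` bucket the summaries are initialised with. If rule levels are not validated on load, normalising first with `let level = rule.yaml["level"].as_str().unwrap_or("-").trim().to_lowercase();` closes that gap. The enclosing method starts before the hunk and continues after it.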
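Review bot: The key `"cruitical"` on the second added line is a misspelling of `"critical"`, so `LEVEL_ABBR.get(&level)` in detection.rs never matches the canonical critical level and those detections keep the full `critical` string while the afterfact.rs tables are now keyed by `crit`; critical findings, the row that matters most in the report, would presumably be missing from or mis-bucketed in the per-level counts. Fix: `(String::from("critical"), String::from("crit")),`. The same typo was carried over from the `level_abbr` table this commit removes from emit_csv, so a small unit test asserting that each of the five canonical level names resolves to its abbreviation would stop it from being copied a third time. This table is also the right place for a comment stating that the padded values `"med "` and `"low "` are used verbatim as map keys elsewhere and must keep their trailing space.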