From 03be1dad34e885168ad57a1af03f642c0ae4c153 Mon Sep 17 00:00:00 2001 From: akiranishikawa Date: Sat, 10 Oct 2020 11:14:39 +0900 Subject: [PATCH] cargo fmt --all --- src/detections/security.rs | 192 +++++++++++++++++++++++++------------ src/lib.rs | 2 +- src/main.rs | 1 - src/models/mod.rs | 2 +- src/models/rule.rs | 1 - src/toml.rs | 13 +-- 6 files changed, 136 insertions(+), 75 deletions(-) diff --git a/src/detections/security.rs b/src/detections/security.rs index 97a30ce5..7818e7c2 100644 --- a/src/detections/security.rs +++ b/src/detections/security.rs @@ -261,7 +261,10 @@ impl Security { } msges.push("Sensititive Privilege Use Exceeds Threshold".to_string()); - msges.push("Potentially indicative of Mimikatz, multiple sensitive privilege calls have been made".to_string()); + msges.push( + "Potentially indicative of Mimikatz, multiple sensitive privilege calls have been made" + .to_string(), + ); let username = event_data.get("SubjectUserName").unwrap_or(&self.empty_str); msges.push(format!("Username: {}", username)); @@ -335,7 +338,9 @@ impl Security { // let v_username = Vec::new(); let mut v_username = Vec::new(); - self.passspray_2_user.keys().for_each(|u| v_username.push(u)); + self.passspray_2_user + .keys() + .for_each(|u| v_username.push(u)); v_username.sort(); let usernames: String = v_username.iter().fold( self.empty_str.to_string(), @@ -665,7 +670,8 @@ mod tests { // eventidが異なりヒットしないパターン #[test] fn test_add_member_security_group_noteq_eventid() { - let xml_str = get_add_member_security_group_xml().replace(r"4732", r"4757"); + let xml_str = get_add_member_security_group_xml() + .replace(r"4732", r"4757"); let event: event::Evtx = quick_xml::de::from_str(&xml_str) .map_err(|e| { println!("{}", e.to_string()); @@ -683,7 +689,10 @@ mod tests { // グループがAdministratorsじゃなくてHitしないパターン #[test] fn test_add_member_security_not_administrators() { - let xml_str = get_add_member_security_group_xml().replace(r"Administrators", r"local"); + let xml_str = get_add_member_security_group_xml().replace( + r"Administrators", + r"local", + ); let event: event::Evtx = quick_xml::de::from_str(&xml_str) .map_err(|e| { println!("{}", e.to_string()); @@ -746,10 +755,7 @@ mod tests { &"Username: ".to_string(), ite.next().unwrap_or(&"".to_string()) ); - assert_eq!( - &"User SID: ", - ite.next().unwrap_or(&"".to_string()) - ); + assert_eq!(&"User SID: ", ite.next().unwrap_or(&"".to_string())); assert_eq!(Option::None, ite.next()); } @@ -795,10 +801,10 @@ mod tests { let event: event::Evtx = quick_xml::de::from_str(&xml_str).unwrap(); let mut sec = security::Security::new(); - + sec.max_failed_logons = 5; - let ite = [1,2,3,4,5,6,7].iter(); - ite.for_each(|i|{ + let ite = [1, 2, 3, 4, 5, 6, 7].iter(); + ite.for_each(|i| { sec.failed_logon( &event.system.event_id.to_string(), &event.parse_event_data(), @@ -813,9 +819,13 @@ mod tests { fn test_failed_logon_hit() { let xml_str = get_failed_logon_xml(); let event: event::Evtx = quick_xml::de::from_str(&xml_str).unwrap(); - let event_another: event::Evtx = quick_xml::de::from_str(&xml_str.replace(r"Administrator", r"localuser")).unwrap(); + let event_another: event::Evtx = quick_xml::de::from_str(&xml_str.replace( + r"Administrator", + r"localuser", + )) + .unwrap(); - let mut sec = security::Security::new(); + let mut sec = security::Security::new(); sec.max_failed_logons = 5; // メッセージが表示されるには2ユーザー以上失敗している必要がある。まず一人目 @@ -825,13 +835,13 @@ mod tests { ); assert_eq!(1, sec.total_failed_logons); - let ite = [1,2,3,4,5,6,7].iter(); - ite.for_each(|i|{ + let ite = [1, 2, 3, 4, 5, 6, 7].iter(); + ite.for_each(|i| { sec.failed_logon( &event_another.system.event_id.to_string(), &event_another.parse_event_data(), ); - let fail_cnt = i +1; + let fail_cnt = i + 1; assert_eq!(fail_cnt, sec.total_failed_logons); if fail_cnt > 5 { let v = sec.disp_login_failed().unwrap(); @@ -848,7 +858,7 @@ mod tests { &format!("Total logon failures: {}", fail_cnt), ite.next().unwrap_or(&"".to_string()) ); - // assert_eq!(Option::None, ite.next()); + // assert_eq!(Option::None, ite.next()); } else { assert_eq!(Option::None, sec.disp_login_failed()); } @@ -870,14 +880,25 @@ mod tests { ); } - // 失敗回数を増やしていき、境界値でメッセージが表示されることのテスト。 - #[test] - fn test_failed_logon_noteq_eventid() { + // 失敗回数を増やしていき、境界値でメッセージが表示されることのテスト。 + #[test] + fn test_failed_logon_noteq_eventid() { let xml_str = get_failed_logon_xml(); - let event: event::Evtx = quick_xml::de::from_str(&xml_str.replace(r"4625",r"4626")).unwrap(); - let event_another: event::Evtx = quick_xml::de::from_str(&xml_str.replace(r"4625",r"4626").replace(r"Administrator", r"localuser")).unwrap(); + let event: event::Evtx = quick_xml::de::from_str( + &xml_str.replace(r"4625", r"4626"), + ) + .unwrap(); + let event_another: event::Evtx = quick_xml::de::from_str( + &xml_str + .replace(r"4625", r"4626") + .replace( + r"Administrator", + r"localuser", + ), + ) + .unwrap(); - let mut sec = security::Security::new(); + let mut sec = security::Security::new(); sec.max_failed_logons = 5; // メッセージが表示されるには2ユーザー以上失敗している必要がある。まず一人目 @@ -887,16 +908,16 @@ mod tests { ); assert_eq!(0, sec.total_failed_logons); - let ite = [1,2,3,4,5,6,7].iter(); - ite.for_each(|_i|{ + let ite = [1, 2, 3, 4, 5, 6, 7].iter(); + ite.for_each(|_i| { sec.failed_logon( &event_another.system.event_id.to_string(), &event_another.parse_event_data(), ); assert_eq!(0, sec.total_failed_logons); assert_eq!(Option::None, sec.disp_login_failed()); - }); - } + }); + } fn get_failed_logon_xml() -> String { return r#" @@ -940,7 +961,8 @@ mod tests { 192.168.198.149 33083 - "#.to_string(); + "# + .to_string(); } // Hitするパターンとしないパターンをまとめてテスト @@ -949,10 +971,10 @@ mod tests { let xml_str = get_sensitive_prividedge_hit(); let event: event::Evtx = quick_xml::de::from_str(&xml_str).unwrap(); - let mut sec = security::Security::new(); + let mut sec = security::Security::new(); sec.max_total_sensitive_privuse = 6; - let ite = [1,2,3,4,5,6,7].iter(); + let ite = [1, 2, 3, 4, 5, 6, 7].iter(); ite.for_each(|i| { let msg = sec.sensitive_priviledge(&event.system.event_id.to_string(), &event.parse_event_data()); // i == 7ときにHitしない @@ -984,15 +1006,19 @@ mod tests { // eventidが異なるので、Hitしないテスト #[test] fn test_sensitive_priviledge_noteq_eventid() { - let xml_str = get_sensitive_prividedge_hit().replace(r"4673", r"4674"); + let xml_str = get_sensitive_prividedge_hit() + .replace(r"4673", r"4674"); let event: event::Evtx = quick_xml::de::from_str(&xml_str).unwrap(); - let mut sec = security::Security::new(); + let mut sec = security::Security::new(); sec.max_total_sensitive_privuse = 6; - let ite = [1,2,3,4,5,6,7].iter(); + let ite = [1, 2, 3, 4, 5, 6, 7].iter(); ite.for_each(|_i| { - let msg = sec.sensitive_priviledge(&event.system.event_id.to_string(), &event.parse_event_data()); + let msg = sec.sensitive_priviledge( + &event.system.event_id.to_string(), + &event.parse_event_data(), + ); assert_eq!(Option::None, msg); }); } @@ -1037,16 +1063,31 @@ mod tests { let event: event::Evtx = quick_xml::de::from_str(&xml_str).unwrap(); let mut sec = security::Security::new(); - let msg = sec.attempt_priviledge(&event.system.event_id.to_string(), &event.parse_event_data()); - + let msg = sec.attempt_priviledge( + &event.system.event_id.to_string(), + &event.parse_event_data(), + ); + assert_ne!(Option::None, msg); let v = msg.unwrap(); let mut ite = v.iter(); - assert_eq!(&"Possible Hidden Service Attempt".to_string(), ite.next().unwrap_or(&"".to_string())); + assert_eq!( + &"Possible Hidden Service Attempt".to_string(), + ite.next().unwrap_or(&"".to_string()) + ); assert_eq!(&"User requested to modify the Dynamic Access Control (DAC) permissions of a sevice, possibly to hide it from view".to_string(), ite.next().unwrap_or(&"".to_string())); - assert_eq!(&"User: Sec504".to_string(), ite.next().unwrap_or(&"".to_string())); - assert_eq!(&"Target service: nginx".to_string(), ite.next().unwrap_or(&"".to_string())); - assert_eq!(&"WRITE_DAC".to_string(), ite.next().unwrap_or(&"".to_string())); + assert_eq!( + &"User: Sec504".to_string(), + ite.next().unwrap_or(&"".to_string()) + ); + assert_eq!( + &"Target service: nginx".to_string(), + ite.next().unwrap_or(&"".to_string()) + ); + assert_eq!( + &"WRITE_DAC".to_string(), + ite.next().unwrap_or(&"".to_string()) + ); assert_eq!(Option::None, ite.next()); } @@ -1054,11 +1095,18 @@ mod tests { #[test] fn test_attempt_priviledge_noteq_accessmask() { let xml_str = get_attempt_priviledge_xml(); - let event: event::Evtx = quick_xml::de::from_str(&xml_str.replace(r"%%1539",r"%%1538")).unwrap(); + let event: event::Evtx = quick_xml::de::from_str(&xml_str.replace( + r"%%1539", + r"%%1538", + )) + .unwrap(); let mut sec = security::Security::new(); - let msg = sec.attempt_priviledge(&event.system.event_id.to_string(), &event.parse_event_data()); - + let msg = sec.attempt_priviledge( + &event.system.event_id.to_string(), + &event.parse_event_data(), + ); + assert_eq!(Option::None, msg); } @@ -1066,11 +1114,18 @@ mod tests { #[test] fn test_attempt_priviledge_noteq_service() { let xml_str = get_attempt_priviledge_xml(); - let event: event::Evtx = quick_xml::de::from_str(&xml_str.replace(r"C:\Windows\System32\services.exe",r"C:\Windows\System32\lsass.exe")).unwrap(); + let event: event::Evtx = quick_xml::de::from_str(&xml_str.replace( + r"C:\Windows\System32\services.exe", + r"C:\Windows\System32\lsass.exe", + )) + .unwrap(); let mut sec = security::Security::new(); - let msg = sec.attempt_priviledge(&event.system.event_id.to_string(), &event.parse_event_data()); - + let msg = sec.attempt_priviledge( + &event.system.event_id.to_string(), + &event.parse_event_data(), + ); + assert_eq!(Option::None, msg); } @@ -1078,11 +1133,17 @@ mod tests { #[test] fn test_attempt_priviledge_noteq_eventid() { let xml_str = get_attempt_priviledge_xml(); - let event: event::Evtx = quick_xml::de::from_str(&xml_str.replace(r"4674",r"4675")).unwrap(); + let event: event::Evtx = quick_xml::de::from_str( + &xml_str.replace(r"4674", r"4675"), + ) + .unwrap(); let mut sec = security::Security::new(); - let msg = sec.attempt_priviledge(&event.system.event_id.to_string(), &event.parse_event_data()); - + let msg = sec.attempt_priviledge( + &event.system.event_id.to_string(), + &event.parse_event_data(), + ); + assert_eq!(Option::None, msg); } @@ -1130,12 +1191,11 @@ mod tests { sec.max_passspray_login = 6; sec.max_passspray_uniquser = 6; - test_pass_spray_hit_1cycle(&mut sec,"4648".to_string(), true); + test_pass_spray_hit_1cycle(&mut sec, "4648".to_string(), true); // counterがreset確認のため、2回実行 - test_pass_spray_hit_1cycle(&mut sec,"4648".to_string(), true); + test_pass_spray_hit_1cycle(&mut sec, "4648".to_string(), true); } - // eventid異なるので、Hitしないはず #[test] fn test_pass_spray_noteq_eventid() { @@ -1144,12 +1204,12 @@ mod tests { sec.max_passspray_login = 6; sec.max_passspray_uniquser = 6; - test_pass_spray_hit_1cycle(&mut sec,"4649".to_string(), false); + test_pass_spray_hit_1cycle(&mut sec, "4649".to_string(), false); // counterがreset確認のため、2回実行 - test_pass_spray_hit_1cycle(&mut sec,"4649".to_string(), false); + test_pass_spray_hit_1cycle(&mut sec, "4649".to_string(), false); } - fn test_pass_spray_hit_1cycle( sec: &mut security::Security, event_id:String, is_eq:bool ) { + fn test_pass_spray_hit_1cycle(sec: &mut security::Security, event_id: String, is_eq: bool) { [1,2,3,4,5,6,7].iter().for_each(|i| { let rep_str = format!(r#"smisenar{}"#,i); let event_id_tag = format!("{}", event_id); @@ -1173,7 +1233,7 @@ mod tests { }); }); } - + fn get_passs_pray_hit() -> String { return r#" @@ -1224,22 +1284,32 @@ mod tests { assert_ne!(Option::None, msg); let v = msg.unwrap(); let mut ite = v.iter(); - assert_eq!(&"Audit Log Clear".to_string(), ite.next().unwrap_or(&"".to_string())); - assert_eq!(&"The Audit log was cleared".to_string(), ite.next().unwrap_or(&"".to_string())); - assert_eq!(&"Security ID: jwrig".to_string(), ite.next().unwrap_or(&"".to_string())); + assert_eq!( + &"Audit Log Clear".to_string(), + ite.next().unwrap_or(&"".to_string()) + ); + assert_eq!( + &"The Audit log was cleared".to_string(), + ite.next().unwrap_or(&"".to_string()) + ); + assert_eq!( + &"Security ID: jwrig".to_string(), + ite.next().unwrap_or(&"".to_string()) + ); assert_eq!(Option::None, ite.next()); } // eventid違うのでHitしないはず #[test] fn test_audit_log_cleared_noteq_eventid() { - let xml_str = get_audit_log_cleared_xml().replace(r"1102", r"1103"); + let xml_str = get_audit_log_cleared_xml() + .replace(r"1102", r"1103"); let event: event::Evtx = quick_xml::de::from_str(&xml_str).unwrap(); let mut sec = security::Security::new(); let msg = sec.audit_log_cleared(&event.system.event_id.to_string(), &event.user_data); assert_eq!(Option::None, msg); - } + } fn get_audit_log_cleared_xml() -> String { return r#" diff --git a/src/lib.rs b/src/lib.rs index 3c230589..72434c62 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -1,3 +1,3 @@ pub mod detections; pub mod models; -pub mod toml; \ No newline at end of file +pub mod toml; diff --git a/src/main.rs b/src/main.rs index 6aa1b3fd..96239b23 100644 --- a/src/main.rs +++ b/src/main.rs @@ -59,4 +59,3 @@ fn parse_file(filepath: &str) { let mut detection = detection::Detection::new(); &detection.start(parser); } - diff --git a/src/models/mod.rs b/src/models/mod.rs index e8d63f0a..ee089cbc 100644 --- a/src/models/mod.rs +++ b/src/models/mod.rs @@ -1,2 +1,2 @@ pub mod event; -pub mod rule; \ No newline at end of file +pub mod rule; diff --git a/src/models/rule.rs b/src/models/rule.rs index bff8bdc1..550bdc65 100644 --- a/src/models/rule.rs +++ b/src/models/rule.rs @@ -10,5 +10,4 @@ pub struct Rule { #[derive(Debug, Deserialize)] pub struct Toml { pub rule: Rule, - } diff --git a/src/toml.rs b/src/toml.rs index b7131b35..04211623 100644 --- a/src/toml.rs +++ b/src/toml.rs @@ -1,23 +1,19 @@ extern crate serde_derive; extern crate toml; +use crate::models::rule; use std::fs; use std::io; use std::io::{BufReader, Read}; use std::path::{Path, PathBuf}; -use crate::models::rule; - pub struct ParseToml { pub rules: Vec>, } impl ParseToml { - pub fn new() -> ParseToml { - ParseToml { - rules: Vec::new(), - } + ParseToml { rules: Vec::new() } } fn read_file(&self, path: PathBuf) -> Result { @@ -47,7 +43,6 @@ impl ParseToml { }) .collect()) } - } #[cfg(test)] @@ -67,11 +62,9 @@ mod tests { if let Some(severity) = _rule.rule.severity { assert_eq!("high", severity); } - }, + } Err(_) => (), } } - } } -