* changed force update to hayabusa-rules #490 * added note when update option is used * readme update * cargo and changelog updates * changed jp translation Co-authored-by: Tanaka Zakku <71482215+YamatoSecurity@users.noreply.github.com>
@@ -1,5 +1,14 @@
|
||||
# 変更点
|
||||
|
||||
## v1.2.1 [2022/04/20] Black Hat Asia Arsenal 2022 Preview Release
|
||||
|
||||
**新機能:**
|
||||
- Added a `Channel` column to the output based on the `./config/channel_abbreviations` config file. (@hitenkoku)
|
||||
- Rule and rule config files are now forcefully updated. (@hitenkoku)
|
||||
|
||||
**バグ修正:**
|
||||
- Rules marked as noisy or excluded would not have their `level` changed with `--level-tuning` but now all rules will be checked. (@hitenkoku)
|
||||
|
||||
## v1.2.0 [2022/04/15] Black Hat Asia Arsenal 2022 Preview Release
|
||||
|
||||
**新機能:**
|
||||
|
||||
10
CHANGELOG.md
10
CHANGELOG.md
@@ -1,9 +1,17 @@
|
||||
# Changes
|
||||
|
||||
## v1.2.1 [2022/04/20] Black Hat Asia Arsenal 2022 Preview Release
|
||||
|
||||
**New Features:**
|
||||
- Added a `Channel` column to the output based on the `./config/channel_abbreviations.txt` config file. (@hitenkoku)
|
||||
- Rule and rule config files are now forcefully updated. (@hitenkoku)
|
||||
|
||||
**Bug Fixes:**
|
||||
- Rules marked as noisy or excluded would not have their `level` changed with `--level-tuning` but now all rules will be checked. (@hitenkoku)
|
||||
|
||||
## v1.2.0 [2022/04/15] Black Hat Asia Arsenal 2022 Preview Release
|
||||
|
||||
**New Features:**
|
||||
|
||||
- Specify config directory (`-C / --config`): When specifying a different rules directory, the rules config directory will still be the default `rules/config`, so this option is useful when you want to test rules and their config files in a different directory. (@hitenkoku)
|
||||
- `|equalsfield` aggregator: In order to write rules that compare if two fields are equal or not. (@hach1yon)
|
||||
- Pivot keyword list generator feature (`-p / --pivot-keywords-list`): Will generate a list of keywords to grep for to quickly identify compromised machines, suspicious usernames, files, etc... (@kazuminn)
|
||||
|
||||
40
Cargo.lock
generated
40
Cargo.lock
generated
@@ -80,9 +80,9 @@ checksum = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa"
|
||||
|
||||
[[package]]
|
||||
name = "backtrace"
|
||||
version = "0.3.64"
|
||||
version = "0.3.65"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "5e121dee8023ce33ab248d9ce1493df03c3b38a659b240096fcbd7048ff9c31f"
|
||||
checksum = "11a17d453482a265fd5f8479f2a3f405566e6ca627837aaddb85af8b1ab8ef61"
|
||||
dependencies = [
|
||||
"addr2line",
|
||||
"cc",
|
||||
@@ -684,9 +684,9 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "flate2"
|
||||
version = "1.0.22"
|
||||
version = "1.0.23"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "1e6988e897c1c9c485f43b47a529cef42fde0547f9d8d41a7062518f1d8fc53f"
|
||||
checksum = "b39522e96686d38f4bc984b9198e3a0613264abaebaff2c5c918bfa6b6da09af"
|
||||
dependencies = [
|
||||
"cfg-if 1.0.0",
|
||||
"crc32fast",
|
||||
@@ -842,7 +842,7 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "hayabusa"
|
||||
version = "1.2.0"
|
||||
version = "1.2.1"
|
||||
dependencies = [
|
||||
"base64 0.13.0",
|
||||
"chrono",
|
||||
@@ -930,9 +930,9 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "httparse"
|
||||
version = "1.6.0"
|
||||
version = "1.7.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "9100414882e15fb7feccb4897e5f0ff0ff1ca7d1a86a23208ada4d7a18e6c6c4"
|
||||
checksum = "6330e8a36bd8c859f3fa6d9382911fbb7147ec39807f63b923933a247240b9ba"
|
||||
|
||||
[[package]]
|
||||
name = "humantime"
|
||||
@@ -1114,9 +1114,9 @@ checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646"
|
||||
|
||||
[[package]]
|
||||
name = "libc"
|
||||
version = "0.2.122"
|
||||
version = "0.2.124"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "ec647867e2bf0772e28c8bcde4f0d19a9216916e890543b5a03ed8ef27b8f259"
|
||||
checksum = "21a41fed9d98f27ab1c6d161da622a4fa35e8a54a8adc24bbf3ddd0ef70b0e50"
|
||||
|
||||
[[package]]
|
||||
name = "libgit2-sys"
|
||||
@@ -1246,12 +1246,11 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "miniz_oxide"
|
||||
version = "0.4.4"
|
||||
version = "0.5.1"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "a92518e98c078586bc6c934028adcca4c92a53d6a958196de835170a01d84e4b"
|
||||
checksum = "d2b29bd4bc3f33391105ebee3589c19197c4271e3e5a9ec9bfe8127eeff8f082"
|
||||
dependencies = [
|
||||
"adler",
|
||||
"autocfg 1.1.0",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
@@ -1388,9 +1387,9 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "object"
|
||||
version = "0.27.1"
|
||||
version = "0.28.3"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "67ac1d3f9a1d3616fd9a60c8d74296f22406a238b6a72f5cc1e6f314df4ffbf9"
|
||||
checksum = "40bec70ba014595f99f7aa110b84331ffe1ee9aece7fe6f387cc7e3ecda4d456"
|
||||
dependencies = [
|
||||
"memchr",
|
||||
]
|
||||
@@ -1698,9 +1697,9 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "rayon"
|
||||
version = "1.5.1"
|
||||
version = "1.5.2"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "c06aca804d41dbc8ba42dfd964f0d01334eceb64314b9ecf7c5fad5188a06d90"
|
||||
checksum = "fd249e82c21598a9a426a4e00dd7adc1d640b22445ec8545feef801d1a74c221"
|
||||
dependencies = [
|
||||
"autocfg 1.1.0",
|
||||
"crossbeam-deque 0.8.1",
|
||||
@@ -1710,14 +1709,13 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "rayon-core"
|
||||
version = "1.9.1"
|
||||
version = "1.9.2"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "d78120e2c850279833f1dd3582f730c4ab53ed95aeaaaa862a2a5c71b1656d8e"
|
||||
checksum = "9f51245e1e62e1f1629cbfec37b5793bbabcaeb90f30e94d2ba03564687353e4"
|
||||
dependencies = [
|
||||
"crossbeam-channel",
|
||||
"crossbeam-deque 0.8.1",
|
||||
"crossbeam-utils 0.8.8",
|
||||
"lazy_static",
|
||||
"num_cpus",
|
||||
]
|
||||
|
||||
@@ -1822,9 +1820,9 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "rpmalloc-sys"
|
||||
version = "0.2.2+1.4.1"
|
||||
version = "0.2.3+b097fd0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "370e623bf2ca97dd497b7dd0e2889ec953a46c8c268489a818a5e305633e8609"
|
||||
checksum = "8d4b7d5e225a53887ee57fcec492eaf114b8e290f7072d035adc6ddd6810b67b"
|
||||
dependencies = [
|
||||
"cc",
|
||||
"libc",
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
[package]
|
||||
name = "hayabusa"
|
||||
version = "1.2.0"
|
||||
version = "1.2.1"
|
||||
authors = ["Yamato Security @SecurityYamato"]
|
||||
edition = "2021"
|
||||
|
||||
|
||||
@@ -171,6 +171,11 @@ hayabusa.exe -u
|
||||
|
||||
アップデートが失敗した場合は、`rules`フォルダの名前を変更してから、もう一回アップデートしてみて下さい。
|
||||
|
||||
>> 注意: アップデートを実行する際に `rules` フォルダは [hayabusa-rules](https://github.com/Yamato-Security/hayabusa-rules) レポジトリの最新のルールとコンフィグファイルに置き換えられます
|
||||
>> 既存ファイルへの修正はすべて上書きされますので、アップデート実行前に編集したファイルのバックアップをおすすめします。
|
||||
>> もし、`--level-tuning` を行っているのであれば、アップデート後にルールファイルの再調整をしてください
|
||||
>> `rules`フォルダ内に新しく追加したルールは、アップデート時に上書きもしくは削除は行われません。
|
||||
|
||||
# ソースコードからのコンパイル(任意)
|
||||
|
||||
Rustがインストールされている場合、以下のコマンドでソースコードからコンパイルすることができます:
|
||||
|
||||
@@ -169,6 +169,11 @@ hayabusa.exe -u
|
||||
|
||||
If the update fails, you may need to rename the `rules` folder and try again.
|
||||
|
||||
>> Caution: When updating, rules and config files in the `rules` folder are replaced with the latest rules and config files in the [hayabusa-rules](https://github.com/Yamato-Security/hayabusa-rules) repository.
|
||||
>> Any changes you make to existing files will be overwritten, so we recommend that you make backups of any files that you edit before updating.
|
||||
>> If you are performing level tuning with `--level-tuning`, please re-tune your rule files after each update.
|
||||
>> If you add new rules inside of the `rules` folder, they will **not** be overwritten or deleted when updating.
|
||||
|
||||
# Compiling From Source (Optional)
|
||||
|
||||
If you have Rust installed, you can compile from source with the following command:
|
||||
|
||||
35
src/main.rs
35
src/main.rs
@@ -654,17 +654,21 @@ impl App {
|
||||
println!(
|
||||
"Attempting to git clone the hayabusa-rules repository into the rules folder."
|
||||
);
|
||||
// レポジトリが開けなかった段階でhayabusa rulesのgit cloneを実施する
|
||||
// execution git clone of hayabusa-rules repository when failed open hayabusa repository.
|
||||
result = self.clone_rules();
|
||||
} else if hayabusa_rule_repo.is_ok() {
|
||||
// rulesのrepositoryが確認できる場合
|
||||
// origin/mainのfetchができなくなるケースはネットワークなどのケースが考えられるため、git cloneは実施しない
|
||||
// case of exist hayabusa-rules repository
|
||||
self._repo_main_reset_hard(hayabusa_rule_repo.as_ref().unwrap())?;
|
||||
// case of failed fetching origin/main, git clone is not executed so network error has occurred possibly.
|
||||
prev_modified_rules = self.get_updated_rules("rules", &prev_modified_time);
|
||||
prev_modified_time = fs::metadata("rules").unwrap().modified().unwrap();
|
||||
result = self.pull_repository(hayabusa_rule_repo.unwrap());
|
||||
result = self.pull_repository(&hayabusa_rule_repo.unwrap());
|
||||
} else {
|
||||
// hayabusa-rulesのrepositoryがrulesに存在しない場合
|
||||
// hayabusa repositoryがあればsubmodule情報もあると思われるのでupdate
|
||||
// case of no exist hayabusa-rules repository in rules.
|
||||
// execute update because submodule information exists if hayabusa repository exists submodule information.
|
||||
|
||||
self._repo_main_reset_hard(hayabusa_rule_repo.as_ref().unwrap())?;
|
||||
|
||||
prev_modified_time = fs::metadata("rules").unwrap().modified().unwrap();
|
||||
let rules_path = Path::new("rules");
|
||||
if !rules_path.exists() {
|
||||
@@ -673,12 +677,12 @@ impl App {
|
||||
let hayabusa_repo = hayabusa_repo.unwrap();
|
||||
let submodules = hayabusa_repo.submodules()?;
|
||||
let mut is_success_submodule_update = true;
|
||||
// submoduleのname参照だと参照先を変えることで意図しないフォルダを削除する可能性があるためハードコーディングする
|
||||
// submodule rules erase path is hard coding to avoid unintentional remove folder.
|
||||
fs::remove_dir_all(".git/.submodule/rules").ok();
|
||||
for mut submodule in submodules {
|
||||
submodule.update(true, None)?;
|
||||
let submodule_repo = submodule.open()?;
|
||||
if let Err(e) = self.pull_repository(submodule_repo) {
|
||||
if let Err(e) = self.pull_repository(&submodule_repo) {
|
||||
AlertMessage::alert(
|
||||
&mut BufWriter::new(std::io::stderr().lock()),
|
||||
&format!("Failed submodule update. {}", e),
|
||||
@@ -701,8 +705,21 @@ impl App {
|
||||
result
|
||||
}
|
||||
|
||||
/// hard reset in main branch
|
||||
fn _repo_main_reset_hard(&self, input_repo: &Repository) -> Result<(), git2::Error> {
|
||||
let branch = input_repo
|
||||
.find_branch("main", git2::BranchType::Local)
|
||||
.unwrap();
|
||||
let local_head = branch.get().target().unwrap();
|
||||
let object = input_repo.find_object(local_head, None).unwrap();
|
||||
match input_repo.reset(&object, git2::ResetType::Hard, None) {
|
||||
Ok(()) => Ok(()),
|
||||
_ => Err(git2::Error::from_str("Failed reset main branch in rules")),
|
||||
}
|
||||
}
|
||||
|
||||
/// Pull(fetch and fast-forward merge) repositoryto input_repo.
|
||||
fn pull_repository(&self, input_repo: Repository) -> Result<String, git2::Error> {
|
||||
fn pull_repository(&self, input_repo: &Repository) -> Result<String, git2::Error> {
|
||||
match input_repo
|
||||
.find_remote("origin")?
|
||||
.fetch(&["main"], None, None)
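Review bot: `_repo_main_reset_hard` in the last hunk unwraps `find_branch("main", …)`, `branch.get().target()` and `find_object(…)`, so a `rules` checkout without a local `main` branch (renamed branch, detached HEAD, half-finished clone) aborts the update with a panic instead of the `git2::Error` the signature promises, and the `_ => Err(from_str(…))` arm then throws away the reset's actual error text. Propagating with `?` / `ok_or_else` and wrapping the reset error keeps the `Result` contract and gives the operator something actionable when the hard reset of their rules folder fails; the rewrite is below. The same concern applies in the first hunk, where the `else` branch whose comments read "no exist hayabusa-rules repository in rules" calls `self._repo_main_reset_hard(hayabusa_rule_repo.as_ref().unwrap())?` — if `hayabusa_rule_repo` is `Err` there, as the preceding `else if hayabusa_rule_repo.is_ok()` suggests, that unwrap panics before the submodule path runs; the rendered view loses the old/new marker, so please confirm which branch that line lands in. The enclosing update function starts and continues outside these hunks.
```rust
    /// hard reset in main branch
    fn _repo_main_reset_hard(&self, input_repo: &Repository) -> Result<(), git2::Error> {
        let branch = input_repo.find_branch("main", git2::BranchType::Local)?;
        let local_head = branch
            .get()
            .target()
            .ok_or_else(|| git2::Error::from_str("main branch in rules has no target commit"))?;
        let object = input_repo.find_object(local_head, None)?;
        input_repo
            .reset(&object, git2::ResetType::Hard, None)
            .map_err(|e| {
                git2::Error::from_str(&format!("Failed reset main branch in rules: {}", e))
            })
    }
```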
|
||||
|
||||