From 6fc709c2b417af35bc872e55611d41068ae2e57c Mon Sep 17 00:00:00 2001 From: akiranishikawa Date: Sat, 10 Oct 2020 09:59:08 +0900 Subject: [PATCH 1/4] =?UTF-8?q?Toml=E8=AA=AD=E3=81=BF=E8=BE=BC=E3=81=BF?= =?UTF-8?q?=E6=A9=9F=E8=83=BD=E5=AE=9F=E8=A3=85?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- Cargo.lock | 11 +++++++ Cargo.toml | 4 ++- rules/test.toml | 2 ++ src/lib.rs | 1 + src/main.rs | 2 ++ src/models/mod.rs | 1 + src/models/rule.rs | 14 +++++++++ src/toml.rs | 76 ++++++++++++++++++++++++++++++++++++++++++++++ 8 files changed, 110 insertions(+), 1 deletion(-) create mode 100644 rules/test.toml create mode 100644 src/models/rule.rs create mode 100644 src/toml.rs diff --git a/Cargo.lock b/Cargo.lock index 6b63ca2e..ab932e6f 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1071,6 +1071,15 @@ dependencies = [ "winapi", ] +[[package]] +name = "toml" +version = "0.5.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ffc92d160b1eef40665be3a05630d003936a3bc7da7421277846c2613e92c71a" +dependencies = [ + "serde", +] + [[package]] name = "unicode-width" version = "0.1.8" @@ -1185,5 +1194,7 @@ dependencies = [ "quick-xml 0.17.2", "regex", "serde", + "serde_derive", "serde_json", + "toml", ] diff --git a/Cargo.toml b/Cargo.toml index 863e7911..b28772bf 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -11,8 +11,10 @@ evtx = { git = "https://github.com/omerbenamram/evtx.git" } quick-xml = {version = "0.17", features = ["serialize"] } serde = { version = "1.0", features = ["derive"] } serde_json = { version = "1.0"} +serde_derive = "1.0" clap = "*" regex = "1" csv = "1.1" base64 = "*" -flate2 = "1.0" \ No newline at end of file +flate2 = "1.0" +toml = "0.5" diff --git a/rules/test.toml b/rules/test.toml new file mode 100644 index 00000000..08260f64 --- /dev/null +++ b/rules/test.toml @@ -0,0 +1,2 @@ +[rule] +severity = "high" diff --git a/src/lib.rs b/src/lib.rs index 2579ad53..3c230589 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -1,2 +1,3 @@ pub mod detections; pub mod models; +pub mod toml; \ No newline at end of file diff --git a/src/main.rs b/src/main.rs index e099bf0a..6aa1b3fd 100644 --- a/src/main.rs +++ b/src/main.rs @@ -6,6 +6,7 @@ use evtx::EvtxParser; use quick_xml::de::DeError; use std::{path::PathBuf, process}; use yamato_event_analyzer::detections::detection; +use yamato_event_analyzer::toml; fn build_app() -> clap::App<'static, 'static> { let program = std::env::args() @@ -58,3 +59,4 @@ fn parse_file(filepath: &str) { let mut detection = detection::Detection::new(); &detection.start(parser); } + diff --git a/src/models/mod.rs b/src/models/mod.rs index 53f11265..e8d63f0a 100644 --- a/src/models/mod.rs +++ b/src/models/mod.rs @@ -1 +1,2 @@ pub mod event; +pub mod rule; \ No newline at end of file diff --git a/src/models/rule.rs b/src/models/rule.rs new file mode 100644 index 00000000..6efd403c --- /dev/null +++ b/src/models/rule.rs @@ -0,0 +1,14 @@ +extern crate serde; +use serde::Deserialize; + +#[derive(Debug, Deserialize)] +pub struct Rule { + pub severity: Option, + +} + +#[derive(Debug, Deserialize)] +pub struct Toml { + pub rule: Rule, + +} diff --git a/src/toml.rs b/src/toml.rs new file mode 100644 index 00000000..484e3abd --- /dev/null +++ b/src/toml.rs @@ -0,0 +1,76 @@ +extern crate serde_derive; +extern crate toml; + +use std::fs; +use std::io; +use std::io::{BufReader, Read}; +use std::path::{Path, PathBuf}; +use crate::models::rule; + + +pub struct ParseToml { + pub rules: Vec>, +} + +impl ParseToml { + + pub fn new() -> ParseToml { + ParseToml { + rules: Vec::new(), + } + } + + fn read_file(&self, path: PathBuf) -> Result { + let mut file_content = String::new(); + + let mut fr = fs::File::open(path) + .map(|f| BufReader::new(f)) + .map_err(|e| e.to_string())?; + + fr.read_to_string(&mut file_content) + .map_err(|e| e.to_string())?; + + Ok(file_content) + } + + fn read_dir>(&mut self, path: P) -> io::Result { + Ok(fs::read_dir(path)? + .filter_map(|entry| { + let entry = entry.ok()?; + if entry.file_type().ok()?.is_file() { + match self.read_file(entry.path()) { + Ok(s) => &self.rules.push(toml::from_str(&s)), + Err(e) => panic!("fail to read file: {}", e), + }; + } + Some("") + }) + .collect()) + } + +} + +#[cfg(test)] +mod tests { + + use crate::toml; + + #[test] + fn test_read_toml() { + let mut toml = toml::ParseToml::new(); + &toml.read_dir("rules".to_string()); + + for rule in toml.rules { + match rule { + Ok(_rule) => { + if let Some(severity) = _rule.rule.severity { + assert_eq!("high", severity); + } + }, + Err(_) => (), + } + } + + } +} + From f2f3a7e99a2a32506d70567c2d3884caee5f6e5c Mon Sep 17 00:00:00 2001 From: akiranishikawa Date: Sat, 10 Oct 2020 09:59:08 +0900 Subject: [PATCH 2/4] =?UTF-8?q?Toml=E8=AA=AD=E3=81=BF=E8=BE=BC=E3=81=BF?= =?UTF-8?q?=E6=A9=9F=E8=83=BD=E5=AE=9F=E8=A3=85?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- Cargo.lock | 11 +++++++ Cargo.toml | 4 ++- rules/test.toml | 2 ++ src/lib.rs | 1 + src/main.rs | 2 ++ src/models/mod.rs | 1 + src/models/rule.rs | 14 +++++++++ src/toml.rs | 76 ++++++++++++++++++++++++++++++++++++++++++++++ 8 files changed, 110 insertions(+), 1 deletion(-) create mode 100644 rules/test.toml create mode 100644 src/models/rule.rs create mode 100644 src/toml.rs diff --git a/Cargo.lock b/Cargo.lock index 6b63ca2e..ab932e6f 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1071,6 +1071,15 @@ dependencies = [ "winapi", ] +[[package]] +name = "toml" +version = "0.5.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ffc92d160b1eef40665be3a05630d003936a3bc7da7421277846c2613e92c71a" +dependencies = [ + "serde", +] + [[package]] name = "unicode-width" version = "0.1.8" @@ -1185,5 +1194,7 @@ dependencies = [ "quick-xml 0.17.2", "regex", "serde", + "serde_derive", "serde_json", + "toml", ] diff --git a/Cargo.toml b/Cargo.toml index 863e7911..b28772bf 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -11,8 +11,10 @@ evtx = { git = "https://github.com/omerbenamram/evtx.git" } quick-xml = {version = "0.17", features = ["serialize"] } serde = { version = "1.0", features = ["derive"] } serde_json = { version = "1.0"} +serde_derive = "1.0" clap = "*" regex = "1" csv = "1.1" base64 = "*" -flate2 = "1.0" \ No newline at end of file +flate2 = "1.0" +toml = "0.5" diff --git a/rules/test.toml b/rules/test.toml new file mode 100644 index 00000000..08260f64 --- /dev/null +++ b/rules/test.toml @@ -0,0 +1,2 @@ +[rule] +severity = "high" diff --git a/src/lib.rs b/src/lib.rs index 2579ad53..3c230589 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -1,2 +1,3 @@ pub mod detections; pub mod models; +pub mod toml; \ No newline at end of file diff --git a/src/main.rs b/src/main.rs index e099bf0a..6aa1b3fd 100644 --- a/src/main.rs +++ b/src/main.rs @@ -6,6 +6,7 @@ use evtx::EvtxParser; use quick_xml::de::DeError; use std::{path::PathBuf, process}; use yamato_event_analyzer::detections::detection; +use yamato_event_analyzer::toml; fn build_app() -> clap::App<'static, 'static> { let program = std::env::args() @@ -58,3 +59,4 @@ fn parse_file(filepath: &str) { let mut detection = detection::Detection::new(); &detection.start(parser); } + diff --git a/src/models/mod.rs b/src/models/mod.rs index 53f11265..e8d63f0a 100644 --- a/src/models/mod.rs +++ b/src/models/mod.rs @@ -1 +1,2 @@ pub mod event; +pub mod rule; \ No newline at end of file diff --git a/src/models/rule.rs b/src/models/rule.rs new file mode 100644 index 00000000..6efd403c --- /dev/null +++ b/src/models/rule.rs @@ -0,0 +1,14 @@ +extern crate serde; +use serde::Deserialize; + +#[derive(Debug, Deserialize)] +pub struct Rule { + pub severity: Option, + +} + +#[derive(Debug, Deserialize)] +pub struct Toml { + pub rule: Rule, + +} diff --git a/src/toml.rs b/src/toml.rs new file mode 100644 index 00000000..484e3abd --- /dev/null +++ b/src/toml.rs @@ -0,0 +1,76 @@ +extern crate serde_derive; +extern crate toml; + +use std::fs; +use std::io; +use std::io::{BufReader, Read}; +use std::path::{Path, PathBuf}; +use crate::models::rule; + + +pub struct ParseToml { + pub rules: Vec>, +} + +impl ParseToml { + + pub fn new() -> ParseToml { + ParseToml { + rules: Vec::new(), + } + } + + fn read_file(&self, path: PathBuf) -> Result { + let mut file_content = String::new(); + + let mut fr = fs::File::open(path) + .map(|f| BufReader::new(f)) + .map_err(|e| e.to_string())?; + + fr.read_to_string(&mut file_content) + .map_err(|e| e.to_string())?; + + Ok(file_content) + } + + fn read_dir>(&mut self, path: P) -> io::Result { + Ok(fs::read_dir(path)? + .filter_map(|entry| { + let entry = entry.ok()?; + if entry.file_type().ok()?.is_file() { + match self.read_file(entry.path()) { + Ok(s) => &self.rules.push(toml::from_str(&s)), + Err(e) => panic!("fail to read file: {}", e), + }; + } + Some("") + }) + .collect()) + } + +} + +#[cfg(test)] +mod tests { + + use crate::toml; + + #[test] + fn test_read_toml() { + let mut toml = toml::ParseToml::new(); + &toml.read_dir("rules".to_string()); + + for rule in toml.rules { + match rule { + Ok(_rule) => { + if let Some(severity) = _rule.rule.severity { + assert_eq!("high", severity); + } + }, + Err(_) => (), + } + } + + } +} + From a8536d78a0bfd83a3b063a220011f070aa255a81 Mon Sep 17 00:00:00 2001 From: akiranishikawa Date: Sat, 10 Oct 2020 11:12:32 +0900 Subject: [PATCH 3/4] =?UTF-8?q?=E3=83=86=E3=82=B9=E3=83=88=E3=83=95?= =?UTF-8?q?=E3=82=A1=E3=82=A4=E3=83=AB=E3=83=87=E3=82=A3=E3=83=AC=E3=82=AF?= =?UTF-8?q?=E3=83=88=E3=83=AA=E4=BF=AE=E6=AD=A3?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- src/models/rule.rs | 2 +- src/toml.rs | 3 ++- {rules => test_files/rules}/test.toml | 0 test_files/rules/test2.toml | 3 +++ 4 files changed, 6 insertions(+), 2 deletions(-) rename {rules => test_files/rules}/test.toml (100%) create mode 100644 test_files/rules/test2.toml diff --git a/src/models/rule.rs b/src/models/rule.rs index 6efd403c..bff8bdc1 100644 --- a/src/models/rule.rs +++ b/src/models/rule.rs @@ -4,7 +4,7 @@ use serde::Deserialize; #[derive(Debug, Deserialize)] pub struct Rule { pub severity: Option, - + pub name: Option, } #[derive(Debug, Deserialize)] diff --git a/src/toml.rs b/src/toml.rs index 484e3abd..b7131b35 100644 --- a/src/toml.rs +++ b/src/toml.rs @@ -58,11 +58,12 @@ mod tests { #[test] fn test_read_toml() { let mut toml = toml::ParseToml::new(); - &toml.read_dir("rules".to_string()); + &toml.read_dir("test_files/rules".to_string()); for rule in toml.rules { match rule { Ok(_rule) => { + println!("{:?}", _rule); if let Some(severity) = _rule.rule.severity { assert_eq!("high", severity); } diff --git a/rules/test.toml b/test_files/rules/test.toml similarity index 100% rename from rules/test.toml rename to test_files/rules/test.toml diff --git a/test_files/rules/test2.toml b/test_files/rules/test2.toml new file mode 100644 index 00000000..9cebf717 --- /dev/null +++ b/test_files/rules/test2.toml @@ -0,0 +1,3 @@ +[rule] +severity = "high" +name = "test2" From 03be1dad34e885168ad57a1af03f642c0ae4c153 Mon Sep 17 00:00:00 2001 From: akiranishikawa Date: Sat, 10 Oct 2020 11:14:39 +0900 Subject: [PATCH 4/4] cargo fmt --all --- src/detections/security.rs | 192 +++++++++++++++++++++++++------------ src/lib.rs | 2 +- src/main.rs | 1 - src/models/mod.rs | 2 +- src/models/rule.rs | 1 - src/toml.rs | 13 +-- 6 files changed, 136 insertions(+), 75 deletions(-) diff --git a/src/detections/security.rs b/src/detections/security.rs index 97a30ce5..7818e7c2 100644 --- a/src/detections/security.rs +++ b/src/detections/security.rs @@ -261,7 +261,10 @@ impl Security { } msges.push("Sensititive Privilege Use Exceeds Threshold".to_string()); - msges.push("Potentially indicative of Mimikatz, multiple sensitive privilege calls have been made".to_string()); + msges.push( + "Potentially indicative of Mimikatz, multiple sensitive privilege calls have been made" + .to_string(), + ); let username = event_data.get("SubjectUserName").unwrap_or(&self.empty_str); msges.push(format!("Username: {}", username)); @@ -335,7 +338,9 @@ impl Security { // let v_username = Vec::new(); let mut v_username = Vec::new(); - self.passspray_2_user.keys().for_each(|u| v_username.push(u)); + self.passspray_2_user + .keys() + .for_each(|u| v_username.push(u)); v_username.sort(); let usernames: String = v_username.iter().fold( self.empty_str.to_string(), @@ -665,7 +670,8 @@ mod tests { // eventidが異なりヒットしないパターン #[test] fn test_add_member_security_group_noteq_eventid() { - let xml_str = get_add_member_security_group_xml().replace(r"4732", r"4757"); + let xml_str = get_add_member_security_group_xml() + .replace(r"4732", r"4757"); let event: event::Evtx = quick_xml::de::from_str(&xml_str) .map_err(|e| { println!("{}", e.to_string()); @@ -683,7 +689,10 @@ mod tests { // グループがAdministratorsじゃなくてHitしないパターン #[test] fn test_add_member_security_not_administrators() { - let xml_str = get_add_member_security_group_xml().replace(r"Administrators", r"local"); + let xml_str = get_add_member_security_group_xml().replace( + r"Administrators", + r"local", + ); let event: event::Evtx = quick_xml::de::from_str(&xml_str) .map_err(|e| { println!("{}", e.to_string()); @@ -746,10 +755,7 @@ mod tests { &"Username: ".to_string(), ite.next().unwrap_or(&"".to_string()) ); - assert_eq!( - &"User SID: ", - ite.next().unwrap_or(&"".to_string()) - ); + assert_eq!(&"User SID: ", ite.next().unwrap_or(&"".to_string())); assert_eq!(Option::None, ite.next()); } @@ -795,10 +801,10 @@ mod tests { let event: event::Evtx = quick_xml::de::from_str(&xml_str).unwrap(); let mut sec = security::Security::new(); - + sec.max_failed_logons = 5; - let ite = [1,2,3,4,5,6,7].iter(); - ite.for_each(|i|{ + let ite = [1, 2, 3, 4, 5, 6, 7].iter(); + ite.for_each(|i| { sec.failed_logon( &event.system.event_id.to_string(), &event.parse_event_data(), @@ -813,9 +819,13 @@ mod tests { fn test_failed_logon_hit() { let xml_str = get_failed_logon_xml(); let event: event::Evtx = quick_xml::de::from_str(&xml_str).unwrap(); - let event_another: event::Evtx = quick_xml::de::from_str(&xml_str.replace(r"Administrator", r"localuser")).unwrap(); + let event_another: event::Evtx = quick_xml::de::from_str(&xml_str.replace( + r"Administrator", + r"localuser", + )) + .unwrap(); - let mut sec = security::Security::new(); + let mut sec = security::Security::new(); sec.max_failed_logons = 5; // メッセージが表示されるには2ユーザー以上失敗している必要がある。まず一人目 @@ -825,13 +835,13 @@ mod tests { ); assert_eq!(1, sec.total_failed_logons); - let ite = [1,2,3,4,5,6,7].iter(); - ite.for_each(|i|{ + let ite = [1, 2, 3, 4, 5, 6, 7].iter(); + ite.for_each(|i| { sec.failed_logon( &event_another.system.event_id.to_string(), &event_another.parse_event_data(), ); - let fail_cnt = i +1; + let fail_cnt = i + 1; assert_eq!(fail_cnt, sec.total_failed_logons); if fail_cnt > 5 { let v = sec.disp_login_failed().unwrap(); @@ -848,7 +858,7 @@ mod tests { &format!("Total logon failures: {}", fail_cnt), ite.next().unwrap_or(&"".to_string()) ); - // assert_eq!(Option::None, ite.next()); + // assert_eq!(Option::None, ite.next()); } else { assert_eq!(Option::None, sec.disp_login_failed()); } @@ -870,14 +880,25 @@ mod tests { ); } - // 失敗回数を増やしていき、境界値でメッセージが表示されることのテスト。 - #[test] - fn test_failed_logon_noteq_eventid() { + // 失敗回数を増やしていき、境界値でメッセージが表示されることのテスト。 + #[test] + fn test_failed_logon_noteq_eventid() { let xml_str = get_failed_logon_xml(); - let event: event::Evtx = quick_xml::de::from_str(&xml_str.replace(r"4625",r"4626")).unwrap(); - let event_another: event::Evtx = quick_xml::de::from_str(&xml_str.replace(r"4625",r"4626").replace(r"Administrator", r"localuser")).unwrap(); + let event: event::Evtx = quick_xml::de::from_str( + &xml_str.replace(r"4625", r"4626"), + ) + .unwrap(); + let event_another: event::Evtx = quick_xml::de::from_str( + &xml_str + .replace(r"4625", r"4626") + .replace( + r"Administrator", + r"localuser", + ), + ) + .unwrap(); - let mut sec = security::Security::new(); + let mut sec = security::Security::new(); sec.max_failed_logons = 5; // メッセージが表示されるには2ユーザー以上失敗している必要がある。まず一人目 @@ -887,16 +908,16 @@ mod tests { ); assert_eq!(0, sec.total_failed_logons); - let ite = [1,2,3,4,5,6,7].iter(); - ite.for_each(|_i|{ + let ite = [1, 2, 3, 4, 5, 6, 7].iter(); + ite.for_each(|_i| { sec.failed_logon( &event_another.system.event_id.to_string(), &event_another.parse_event_data(), ); assert_eq!(0, sec.total_failed_logons); assert_eq!(Option::None, sec.disp_login_failed()); - }); - } + }); + } fn get_failed_logon_xml() -> String { return r#" @@ -940,7 +961,8 @@ mod tests { 192.168.198.149 33083 - "#.to_string(); + "# + .to_string(); } // Hitするパターンとしないパターンをまとめてテスト @@ -949,10 +971,10 @@ mod tests { let xml_str = get_sensitive_prividedge_hit(); let event: event::Evtx = quick_xml::de::from_str(&xml_str).unwrap(); - let mut sec = security::Security::new(); + let mut sec = security::Security::new(); sec.max_total_sensitive_privuse = 6; - let ite = [1,2,3,4,5,6,7].iter(); + let ite = [1, 2, 3, 4, 5, 6, 7].iter(); ite.for_each(|i| { let msg = sec.sensitive_priviledge(&event.system.event_id.to_string(), &event.parse_event_data()); // i == 7ときにHitしない @@ -984,15 +1006,19 @@ mod tests { // eventidが異なるので、Hitしないテスト #[test] fn test_sensitive_priviledge_noteq_eventid() { - let xml_str = get_sensitive_prividedge_hit().replace(r"4673", r"4674"); + let xml_str = get_sensitive_prividedge_hit() + .replace(r"4673", r"4674"); let event: event::Evtx = quick_xml::de::from_str(&xml_str).unwrap(); - let mut sec = security::Security::new(); + let mut sec = security::Security::new(); sec.max_total_sensitive_privuse = 6; - let ite = [1,2,3,4,5,6,7].iter(); + let ite = [1, 2, 3, 4, 5, 6, 7].iter(); ite.for_each(|_i| { - let msg = sec.sensitive_priviledge(&event.system.event_id.to_string(), &event.parse_event_data()); + let msg = sec.sensitive_priviledge( + &event.system.event_id.to_string(), + &event.parse_event_data(), + ); assert_eq!(Option::None, msg); }); } @@ -1037,16 +1063,31 @@ mod tests { let event: event::Evtx = quick_xml::de::from_str(&xml_str).unwrap(); let mut sec = security::Security::new(); - let msg = sec.attempt_priviledge(&event.system.event_id.to_string(), &event.parse_event_data()); - + let msg = sec.attempt_priviledge( + &event.system.event_id.to_string(), + &event.parse_event_data(), + ); + assert_ne!(Option::None, msg); let v = msg.unwrap(); let mut ite = v.iter(); - assert_eq!(&"Possible Hidden Service Attempt".to_string(), ite.next().unwrap_or(&"".to_string())); + assert_eq!( + &"Possible Hidden Service Attempt".to_string(), + ite.next().unwrap_or(&"".to_string()) + ); assert_eq!(&"User requested to modify the Dynamic Access Control (DAC) permissions of a sevice, possibly to hide it from view".to_string(), ite.next().unwrap_or(&"".to_string())); - assert_eq!(&"User: Sec504".to_string(), ite.next().unwrap_or(&"".to_string())); - assert_eq!(&"Target service: nginx".to_string(), ite.next().unwrap_or(&"".to_string())); - assert_eq!(&"WRITE_DAC".to_string(), ite.next().unwrap_or(&"".to_string())); + assert_eq!( + &"User: Sec504".to_string(), + ite.next().unwrap_or(&"".to_string()) + ); + assert_eq!( + &"Target service: nginx".to_string(), + ite.next().unwrap_or(&"".to_string()) + ); + assert_eq!( + &"WRITE_DAC".to_string(), + ite.next().unwrap_or(&"".to_string()) + ); assert_eq!(Option::None, ite.next()); } @@ -1054,11 +1095,18 @@ mod tests { #[test] fn test_attempt_priviledge_noteq_accessmask() { let xml_str = get_attempt_priviledge_xml(); - let event: event::Evtx = quick_xml::de::from_str(&xml_str.replace(r"%%1539",r"%%1538")).unwrap(); + let event: event::Evtx = quick_xml::de::from_str(&xml_str.replace( + r"%%1539", + r"%%1538", + )) + .unwrap(); let mut sec = security::Security::new(); - let msg = sec.attempt_priviledge(&event.system.event_id.to_string(), &event.parse_event_data()); - + let msg = sec.attempt_priviledge( + &event.system.event_id.to_string(), + &event.parse_event_data(), + ); + assert_eq!(Option::None, msg); } @@ -1066,11 +1114,18 @@ mod tests { #[test] fn test_attempt_priviledge_noteq_service() { let xml_str = get_attempt_priviledge_xml(); - let event: event::Evtx = quick_xml::de::from_str(&xml_str.replace(r"C:\Windows\System32\services.exe",r"C:\Windows\System32\lsass.exe")).unwrap(); + let event: event::Evtx = quick_xml::de::from_str(&xml_str.replace( + r"C:\Windows\System32\services.exe", + r"C:\Windows\System32\lsass.exe", + )) + .unwrap(); let mut sec = security::Security::new(); - let msg = sec.attempt_priviledge(&event.system.event_id.to_string(), &event.parse_event_data()); - + let msg = sec.attempt_priviledge( + &event.system.event_id.to_string(), + &event.parse_event_data(), + ); + assert_eq!(Option::None, msg); } @@ -1078,11 +1133,17 @@ mod tests { #[test] fn test_attempt_priviledge_noteq_eventid() { let xml_str = get_attempt_priviledge_xml(); - let event: event::Evtx = quick_xml::de::from_str(&xml_str.replace(r"4674",r"4675")).unwrap(); + let event: event::Evtx = quick_xml::de::from_str( + &xml_str.replace(r"4674", r"4675"), + ) + .unwrap(); let mut sec = security::Security::new(); - let msg = sec.attempt_priviledge(&event.system.event_id.to_string(), &event.parse_event_data()); - + let msg = sec.attempt_priviledge( + &event.system.event_id.to_string(), + &event.parse_event_data(), + ); + assert_eq!(Option::None, msg); } @@ -1130,12 +1191,11 @@ mod tests { sec.max_passspray_login = 6; sec.max_passspray_uniquser = 6; - test_pass_spray_hit_1cycle(&mut sec,"4648".to_string(), true); + test_pass_spray_hit_1cycle(&mut sec, "4648".to_string(), true); // counterがreset確認のため、2回実行 - test_pass_spray_hit_1cycle(&mut sec,"4648".to_string(), true); + test_pass_spray_hit_1cycle(&mut sec, "4648".to_string(), true); } - // eventid異なるので、Hitしないはず #[test] fn test_pass_spray_noteq_eventid() { @@ -1144,12 +1204,12 @@ mod tests { sec.max_passspray_login = 6; sec.max_passspray_uniquser = 6; - test_pass_spray_hit_1cycle(&mut sec,"4649".to_string(), false); + test_pass_spray_hit_1cycle(&mut sec, "4649".to_string(), false); // counterがreset確認のため、2回実行 - test_pass_spray_hit_1cycle(&mut sec,"4649".to_string(), false); + test_pass_spray_hit_1cycle(&mut sec, "4649".to_string(), false); } - fn test_pass_spray_hit_1cycle( sec: &mut security::Security, event_id:String, is_eq:bool ) { + fn test_pass_spray_hit_1cycle(sec: &mut security::Security, event_id: String, is_eq: bool) { [1,2,3,4,5,6,7].iter().for_each(|i| { let rep_str = format!(r#"smisenar{}"#,i); let event_id_tag = format!("{}", event_id); @@ -1173,7 +1233,7 @@ mod tests { }); }); } - + fn get_passs_pray_hit() -> String { return r#" @@ -1224,22 +1284,32 @@ mod tests { assert_ne!(Option::None, msg); let v = msg.unwrap(); let mut ite = v.iter(); - assert_eq!(&"Audit Log Clear".to_string(), ite.next().unwrap_or(&"".to_string())); - assert_eq!(&"The Audit log was cleared".to_string(), ite.next().unwrap_or(&"".to_string())); - assert_eq!(&"Security ID: jwrig".to_string(), ite.next().unwrap_or(&"".to_string())); + assert_eq!( + &"Audit Log Clear".to_string(), + ite.next().unwrap_or(&"".to_string()) + ); + assert_eq!( + &"The Audit log was cleared".to_string(), + ite.next().unwrap_or(&"".to_string()) + ); + assert_eq!( + &"Security ID: jwrig".to_string(), + ite.next().unwrap_or(&"".to_string()) + ); assert_eq!(Option::None, ite.next()); } // eventid違うのでHitしないはず #[test] fn test_audit_log_cleared_noteq_eventid() { - let xml_str = get_audit_log_cleared_xml().replace(r"1102", r"1103"); + let xml_str = get_audit_log_cleared_xml() + .replace(r"1102", r"1103"); let event: event::Evtx = quick_xml::de::from_str(&xml_str).unwrap(); let mut sec = security::Security::new(); let msg = sec.audit_log_cleared(&event.system.event_id.to_string(), &event.user_data); assert_eq!(Option::None, msg); - } + } fn get_audit_log_cleared_xml() -> String { return r#" diff --git a/src/lib.rs b/src/lib.rs index 3c230589..72434c62 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -1,3 +1,3 @@ pub mod detections; pub mod models; -pub mod toml; \ No newline at end of file +pub mod toml; diff --git a/src/main.rs b/src/main.rs index 6aa1b3fd..96239b23 100644 --- a/src/main.rs +++ b/src/main.rs @@ -59,4 +59,3 @@ fn parse_file(filepath: &str) { let mut detection = detection::Detection::new(); &detection.start(parser); } - diff --git a/src/models/mod.rs b/src/models/mod.rs index e8d63f0a..ee089cbc 100644 --- a/src/models/mod.rs +++ b/src/models/mod.rs @@ -1,2 +1,2 @@ pub mod event; -pub mod rule; \ No newline at end of file +pub mod rule; diff --git a/src/models/rule.rs b/src/models/rule.rs index bff8bdc1..550bdc65 100644 --- a/src/models/rule.rs +++ b/src/models/rule.rs @@ -10,5 +10,4 @@ pub struct Rule { #[derive(Debug, Deserialize)] pub struct Toml { pub rule: Rule, - } diff --git a/src/toml.rs b/src/toml.rs index b7131b35..04211623 100644 --- a/src/toml.rs +++ b/src/toml.rs @@ -1,23 +1,19 @@ extern crate serde_derive; extern crate toml; +use crate::models::rule; use std::fs; use std::io; use std::io::{BufReader, Read}; use std::path::{Path, PathBuf}; -use crate::models::rule; - pub struct ParseToml { pub rules: Vec>, } impl ParseToml { - pub fn new() -> ParseToml { - ParseToml { - rules: Vec::new(), - } + ParseToml { rules: Vec::new() } } fn read_file(&self, path: PathBuf) -> Result { @@ -47,7 +43,6 @@ impl ParseToml { }) .collect()) } - } #[cfg(test)] @@ -67,11 +62,9 @@ mod tests { if let Some(severity) = _rule.rule.severity { assert_eq!("high", severity); } - }, + } Err(_) => (), } } - } } -