CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

output fix logontype and change order #197 #198 (#217)

Browse Source 
* changed output column order #198

* added eventkey alias #197

* fixed eventid double quatation #197

* fixed eventid double quatation #197

* fixed logontype not converted #197

* fixed WorkStation and added TargetDomainName #205

* fixed typo #205

* Fixed the problem that conversion for No-String types #197
This commit is contained in:
DustInDark
2021-11-20 11:03:28 +09:00
committed by GitHub
parent 199a8231c1
commit 0b85a280f0
5 changed files with 28 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
config/eventkey_alias.txt
View File

@@ -26,7 +26,7 @@ TicketEncryptionType,Event.EventData.TicketEncryptionType
PreAuthType,Event.EventData.PreAuthType PreAuthType,Event.EventData.PreAuthType
TaskName,Event.EventData.TaskName TaskName,Event.EventData.TaskName
WorkStationName,Event.EventData.WorkStationName WorkStationName,Event.EventData.WorkStationName
Workstation,Event.EventData.WorkStation Workstation,Event.EventData.WorkstationName
UserName,Event.EventData.UserName UserName,Event.EventData.UserName
ServiceFileName,Event.EventData.ServiceFileName ServiceFileName,Event.EventData.ServiceFileName
ComputerName,Event.System.Computer ComputerName,Event.System.Computer
@@ -170,3 +170,6 @@ Workstation,Event.EventData.Workstation
WorkstationName,Event.EventData.WorkstationName WorkstationName,Event.EventData.WorkstationName
JobTitle,Event.EventData.name JobTitle,Event.EventData.name
Url,Event.EventData.url Url,Event.EventData.url
IpPort,Event.EventData.IpPort
SubStatus,Event.EventData.SubStatus
TargetDomainName,Event.EventData.TargetDomainName

20
src/afterfact.rs
View File

@@ -12,13 +12,13 @@ use std::process;
#[serde(rename_all = "PascalCase")] #[serde(rename_all = "PascalCase")]
pub struct CsvFormat<'a> { pub struct CsvFormat<'a> {
time: &'a str, time: &'a str,
filepath: &'a str,
rulepath: &'a str,
level: &'a str,
computername: &'a str, computername: &'a str,
eventid: &'a str, eventid: &'a str,
level: &'a str,
alert: &'a str, alert: &'a str,
details: &'a str, details: &'a str,
rulepath: &'a str,
filepath: &'a str,
} }
pub fn after_fact() { pub fn after_fact() {
@@ -152,25 +152,25 @@ fn test_emit_csv() {
.datetime_from_str("1996-02-27T01:05:01Z", "%Y-%m-%dT%H:%M:%SZ") .datetime_from_str("1996-02-27T01:05:01Z", "%Y-%m-%dT%H:%M:%SZ")
.unwrap(); .unwrap();
let expect_tz = expect_time.with_timezone(&Local); let expect_tz = expect_time.with_timezone(&Local);
let expect = "Time,Filepath,Rulepath,Level,Computername,Eventid,Alert,Details\n".to_string() let expect = "Time,Computername,Eventid,Level,Alert,Details,Rulepath,Filepath\n".to_string()
+ &expect_tz + &expect_tz
.clone() .clone()
.format("%Y-%m-%d %H:%M:%S%.3f %:z") .format("%Y-%m-%d %H:%M:%S%.3f %:z")
.to_string() .to_string()
+ "," + ","
+ &testfilepath.replace(".evtx", "").to_string()
+ ","
+ testrulepath
+ ","
+ test_level
+ ","
+ test_computername + test_computername
+ "," + ","
+ test_eventid + test_eventid
+ "," + ","
+ test_level
+ ","
+ test_title + test_title
+ "," + ","
+ output + output
+ ","
+ testrulepath
+ ","
+ &testfilepath.replace(".evtx", "").to_string()
+ "\n"; + "\n";
let mut file: Box<dyn io::Write> = let mut file: Box<dyn io::Write> =

5
src/detections/detection.rs
View File

@@ -8,6 +8,7 @@ use crate::detections::print::AlertMessage;
use crate::detections::print::MESSAGES; use crate::detections::print::MESSAGES;
use crate::detections::rule; use crate::detections::rule;
use crate::detections::rule::RuleNode; use crate::detections::rule::RuleNode;
use crate::detections::utils::get_serde_number_to_string;
use crate::yaml::ParseYaml; use crate::yaml::ParseYaml;
use std::sync::Arc; use std::sync::Arc;
@@ -156,11 +157,11 @@ impl Detection {
record_info.evtx_filepath.to_string(), record_info.evtx_filepath.to_string(),
rule.rulepath.to_string(), rule.rulepath.to_string(),
&record_info.record, &record_info.record,
rule.yaml["level"].as_str().unwrap_or("").to_string(), rule.yaml["level"].as_str().unwrap_or("-").to_string(),
record_info.record["Event"]["System"]["Computer"] record_info.record["Event"]["System"]["Computer"]
.to_string() .to_string()
.replace("\"", ""), .replace("\"", ""),
record_info.record["Event"]["System"]["EventID"].to_string(), get_serde_number_to_string(&record_info.record["Event"]["System"]["EventID"]),
rule.yaml["title"].as_str().unwrap_or("").to_string(), rule.yaml["title"].as_str().unwrap_or("").to_string(),
rule.yaml["output"].as_str().unwrap_or("").to_string(), rule.yaml["output"].as_str().unwrap_or("").to_string(),
); );

3
src/detections/print.rs
View File

@@ -1,5 +1,6 @@
extern crate lazy_static; extern crate lazy_static;
use crate::detections::configs; use crate::detections::configs;
use crate::detections::utils::get_serde_number_to_string;
use chrono::{DateTime, TimeZone, Utc}; use chrono::{DateTime, TimeZone, Utc};
use lazy_static::lazy_static; use lazy_static::lazy_static;
use regex::Regex; use regex::Regex;
@@ -125,7 +126,7 @@ impl Message {
} }
hash_map.insert( hash_map.insert(
full_target_str.to_string(), full_target_str.to_string(),
tmp_event_record.as_str().unwrap_or("").to_string(), get_serde_number_to_string(tmp_event_record),
); );
} }
} }

9
src/detections/utils.rs
View File

@@ -89,6 +89,15 @@ pub fn get_event_id_key() -> String {
return "Event.System.EventID".to_string(); return "Event.System.EventID".to_string();
} }
/// serde:Valueの型を確認し、文字列を返します。
pub fn get_serde_number_to_string(value: &serde_json::Value) -> String {
if value.is_string() {
return value.as_str().unwrap_or("").to_string();
} else {
return value.to_string();
}
}
// alias.txtについて、指定されたevent_keyに対応するaliasを取得します。 // alias.txtについて、指定されたevent_keyに対応するaliasを取得します。
pub fn get_alias(event_key: &String) -> Option<String> { pub fn get_alias(event_key: &String) -> Option<String> {
let conf = configs::CONFIG.read().unwrap(); let conf = configs::CONFIG.read().unwrap();