Merge pull request #609 from Yamato-Security/608-enhancement-enable-id-filtering-by-default-d-deep-scan-option

Enabled id filtering by default and added  `-D/--deep scan` option

src/afterfact.rs

@@ -721,8 +721,11 @@ mod tests {
     }
 
     fn test_emit_csv_output() {
-        let mock_ch_filter =
-            Message::create_output_filter_config("config/channel_abbreviations.txt", true, false);
+        let mock_ch_filter = Message::create_output_filter_config(
+            "rules/config/channel_abbreviations.txt",
+            true,
+            false,
+        );
         let test_filepath: &str = "test.evtx";
         let test_rulepath: &str = "test-rule.yml";
         let test_title = "test_title";

src/detections/configs.rs

@@ -115,9 +115,13 @@ pub struct Config {
     pub visualize_timeline: bool,
 
     /// Enable rules marked as deprecated
-    #[clap(short = 'D', long = "enable-deprecated-rules")]
+    #[clap(long = "enable-deprecated-rules")]
     pub enable_deprecated_rules: bool,
 
+    /// Disable event ID filter to scan all events
+    #[clap(short = 'D', long = "deep-scan")]
+    pub deep_scan: bool,
+
     /// Enable rules marked as noisy
     #[clap(short = 'n', long = "enable-noisy-rules")]
     pub enable_noisy_rules: bool,
@@ -238,13 +242,13 @@ impl ConfigReader<'_> {
             headless_help: String::default(),
             event_timeline_config: load_eventcode_info(
                 CURRENT_EXE_PATH
-                    .join("config/statistics_event_info.txt")
+                    .join("rules/config/statistics_event_info.txt")
                     .to_str()
                     .unwrap(),
             ),
             target_eventids: load_target_ids(
                 CURRENT_EXE_PATH
-                    .join("config/target_eventids.txt")
+                    .join("rules/config/target_event_IDs.txt")
                     .to_str()
                     .unwrap(),
             ),

src/detections/print.rs

@@ -63,7 +63,7 @@ lazy_static! {
     );
     pub static ref CH_CONFIG: HashMap<String, String> = Message::create_output_filter_config(
         CURRENT_EXE_PATH
-            .join("config/channel_abbreviations.txt")
+            .join("rules/config/channel_abbreviations.txt")
             .to_str()
             .unwrap(),
         false,

src/main.rs

@@ -588,11 +588,17 @@ impl App {
                     continue;
                 }
 
-                // target_eventids.txtでフィルタする。
+                // target_eventids.txtでイベントIDベースでフィルタする。
                 let data = record_result.as_ref().unwrap().data.clone();
-                let timestamp = record_result.unwrap().timestamp;
+                if !self._is_target_event_id(&data)
+                    && !configs::CONFIG.read().unwrap().args.deep_scan
+                {
+                    continue;
+                }
 
-                if !self._is_target_event_id(&data) || !time_filter.is_target(&Some(timestamp)) {
+                // EventID側の条件との条件の混同を防ぐため時間でのフィルタリングの条件分岐を分離した
+                let timestamp = record_result.unwrap().timestamp;
+                if !time_filter.is_target(&Some(timestamp)) {
                     continue;
                 }