Merge pull request #609 from Yamato-Security/608-enhancement-enable-id-filtering-by-default-d-deep-scan-option

Enabled ID filtering by default and added the `-D/--deep-scan` option
This commit is contained in:
DustInDark
2022-06-29 22:27:42 +09:00
committed by GitHub
15 changed files with 82 additions and 727 deletions


@@ -721,8 +721,11 @@ mod tests {
}
fn test_emit_csv_output() {
let mock_ch_filter =
Message::create_output_filter_config("config/channel_abbreviations.txt", true, false);
let mock_ch_filter = Message::create_output_filter_config(
"rules/config/channel_abbreviations.txt",
true,
false,
);
let test_filepath: &str = "test.evtx";
let test_rulepath: &str = "test-rule.yml";
let test_title = "test_title";


@@ -115,9 +115,13 @@ pub struct Config {
pub visualize_timeline: bool,
/// Enable rules marked as deprecated
#[clap(short = 'D', long = "enable-deprecated-rules")]
#[clap(long = "enable-deprecated-rules")]
pub enable_deprecated_rules: bool,
/// Disable event ID filter to scan all events
#[clap(short = 'D', long = "deep-scan")]
pub deep_scan: bool,
/// Enable rules marked as noisy
#[clap(short = 'n', long = "enable-noisy-rules")]
pub enable_noisy_rules: bool,
@@ -238,13 +242,13 @@ impl ConfigReader<'_> {
headless_help: String::default(),
event_timeline_config: load_eventcode_info(
CURRENT_EXE_PATH
.join("config/statistics_event_info.txt")
.join("rules/config/statistics_event_info.txt")
.to_str()
.unwrap(),
),
target_eventids: load_target_ids(
CURRENT_EXE_PATH
.join("config/target_eventids.txt")
.join("rules/config/target_event_IDs.txt")
.to_str()
.unwrap(),
),
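Review bot: The short flag `-D` changes meaning in the first hunk: it is dropped from `enable_deprecated_rules` (old line `#[clap(short = 'D', long = "enable-deprecated-rules")]`) and reassigned to `deep_scan`, so an existing invocation that passes `-D` to enable deprecated rules will now parse without error, disable the event-ID filter instead, and leave deprecated rules off. That is a silent behaviour change for scripted use and deserves a changelog and help-text mention; the doc comment could also name the source of the filter so users know what is skipped by default, e.g. `/// Disable the event ID filter (rules/config/target_event_IDs.txt) to scan all events`. In the second hunk the filter list and statistics info now resolve to `rules/config/target_event_IDs.txt` and `rules/config/statistics_event_info.txt` under CURRENT_EXE_PATH; whether those files ship with the binary or arrive through a rules update cannot be seen here, so it is worth confirming that `load_target_ids` fails loudly rather than yielding an empty ID set that would filter out every event when the file is absent.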


@@ -63,7 +63,7 @@ lazy_static! {
);
pub static ref CH_CONFIG: HashMap<String, String> = Message::create_output_filter_config(
CURRENT_EXE_PATH
.join("config/channel_abbreviations.txt")
.join("rules/config/channel_abbreviations.txt")
.to_str()
.unwrap(),
false,


@@ -588,11 +588,17 @@ impl App {
continue;
}
// target_eventids.txtでフィルタする。
// target_eventids.txtでイベントIDベースでフィルタする。
let data = record_result.as_ref().unwrap().data.clone();
let timestamp = record_result.unwrap().timestamp;
if !self._is_target_event_id(&data)
&& !configs::CONFIG.read().unwrap().args.deep_scan
{
continue;
}
if !self._is_target_event_id(&data) || !time_filter.is_target(&Some(timestamp)) {
// EventID側の条件との条件の混同を防ぐため時間でのフィルタリングの条件分岐を分離した
let timestamp = record_result.unwrap().timestamp;
if !time_filter.is_target(&Some(timestamp)) {
continue;
}