From c131a64d284ab95cc53f2be8264ceb298bc71508 Mon Sep 17 00:00:00 2001
From: DastInDark <2350416+hitenkoku@users.noreply.github.com>
Date: Thu, 8 Sep 2022 09:51:32 +0900
Subject: [PATCH 01/18] changed output field sparator #687
---
src/afterfact.rs | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/afterfact.rs b/src/afterfact.rs
index 4bf61ee6..800fe435 100644
--- a/src/afterfact.rs
+++ b/src/afterfact.rs
@@ -457,7 +457,7 @@ fn _get_serialized_disp_output(data: &LinkedHashMap, header: boo
 .from_writer(vec![]);
 disp_serializer.write_record(ret).ok();
- String::from_utf8(disp_serializer.into_inner().unwrap_or_default()).unwrap_or_default()
+ String::from_utf8(disp_serializer.into_inner().unwrap_or_default()).unwrap_or_default().replace('|', "‖")
 }
 /// return str position in output file
From e6af3acc6953169531e78d768dab177d0de43071 Mon Sep 17 00:00:00 2001
From: DastInDark <2350416+hitenkoku@users.noreply.github.com>
Date: Thu, 8 Sep 2022 09:52:03 +0900
Subject: [PATCH 02/18] fixed test
---
src/afterfact.rs | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/src/afterfact.rs b/src/afterfact.rs
index 800fe435..bdbb1e3a 100644
--- a/src/afterfact.rs
+++ b/src/afterfact.rs
@@ -884,28 +884,28 @@ mod tests {
 let test_timestamp = Utc
 .datetime_from_str("1996-02-27T01:05:01Z", "%Y-%m-%dT%H:%M:%SZ")
 .unwrap();
- let expect_header = "Timestamp|Computer|Channel|EventID|Level|RecordID|RuleTitle|Details|RecordInformation\n";
+ let expect_header = "Timestamp‖Computer‖Channel‖EventID‖Level‖RecordID‖RuleTitle‖Details‖RecordInformation\n";
 let expect_tz = test_timestamp.with_timezone(&Local);
 let expect_no_header = expect_tz
 .clone()
 .format("%Y-%m-%d %H:%M:%S%.3f %:z")
 .to_string()
- + " | "
+ + " ‖ "
 + test_computername
- + " | "
+ + " ‖ "
 + test_channel
- + " | "
+ + " ‖ "
 + test_eventid
- + " | "
+ + " ‖ "
 + test_level
- + " | "
+ + " ‖ "
 + test_recid
- + " | "
+ + " ‖ "
 + test_title
- + " | "
+ + " ‖ "
 + output
- + " | "
+ + " ‖ "
 + test_recinfo
 + "\n";
 let mut data: LinkedHashMap = LinkedHashMap::new();
From 58e78b7203449738ba4d06064ed5c33d42be5d0f Mon Sep 17 00:00:00 2001
From: DastInDark <2350416+hitenkoku@users.noreply.github.com>
Date: Thu, 8 Sep 2022 09:52:26 +0900
Subject: [PATCH 03/18] changed MitreTags, MitreTactics, OtherTags field separator character
---
src/detections/detection.rs | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/detections/detection.rs b/src/detections/detection.rs
index 75e801de..c28756bd 100644
--- a/src/detections/detection.rs
+++ b/src/detections/detection.rs
@@ -326,7 +326,7 @@ impl Detection {
 .filter(|x| TAGS_CONFIG.values().contains(x))
 .map(|y| y.to_owned())
 .collect();
- profile_converter.insert("%MitreTactics%".to_string(), tactics.join(" : "));
+ profile_converter.insert("%MitreTactics%".to_string(), tactics.join(" | "));
 }
 "%MitreTags%" => {
 let techniques: &Vec = &tag_info
@@ -342,7 +342,7 @@ impl Detection {
 make_ascii_titlecase(&mut replaced_tag)
 })
 .collect();
- profile_converter.insert("%MitreTags%".to_string(), techniques.join(" : "));
+ profile_converter.insert("%MitreTags%".to_string(), techniques.join(" | "));
 }
 "%OtherTags%" => {
 let tags: &Vec = &tag_info
@@ -355,7 +355,7 @@ impl Detection {
 })
 .map(|y| y.to_owned())
 .collect();
- profile_converter.insert("%OtherTags%".to_string(), tags.join(" : "));
+ profile_converter.insert("%OtherTags%".to_string(), tags.join(" | "));
 }
 _ => {}
@@ -458,7 +458,7 @@ impl Detection {
 .filter(|x| TAGS_CONFIG.values().contains(x))
 .map(|y| y.to_owned())
 .collect();
- profile_converter.insert("%MitreTactics%".to_string(), tactics.join(" : "));
+ profile_converter.insert("%MitreTactics%".to_string(), tactics.join(" | "));
 }
 "%MitreTags%" => {
 let techniques: &Vec = &tag_info
@@ -474,7 +474,7 @@ impl Detection {
 make_ascii_titlecase(&mut replaced_tag)
 })
 .collect();
- profile_converter.insert("%MitreTags%".to_string(), techniques.join(" : "));
+ profile_converter.insert("%MitreTags%".to_string(), techniques.join(" | "));
 }
 "%OtherTags%" => {
 let tags: &Vec = &tag_info
@@ -487,7 +487,7 @@ impl Detection {
 })
 .map(|y| y.to_owned())
 .collect();
- profile_converter.insert("%OtherTags%".to_string(), tags.join(" : "));
+ profile_converter.insert("%OtherTags%".to_string(), tags.join(" | "));
 }
 _ => {}
 }
From ec176404accb5513c19cadad13c2cac32c5dcf6b Mon Sep 17 00:00:00 2001
From: DastInDark <2350416+hitenkoku@users.noreply.github.com>
Date: Thu, 8 Sep 2022 09:53:16 +0900
Subject: [PATCH 04/18] updated changelog #687
---
CHANGELOG-Japanese.md | 1 +
CHANGELOG.md | 1 +
2 files changed, 2 insertions(+)
diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md
index e9398d53..a6d2c832 100644
--- a/CHANGELOG-Japanese.md
+++ b/CHANGELOG-Japanese.md
@@ -12,6 +12,7 @@
 - 結果概要を出力しないようにするために `--no-summary` オプションを追加した。 (#672) (@hitenkoku)
 - 結果概要の表示を短縮させた。 (#675 #678) (@hitenkoku)
 - channel_abbreviations.txtによるChannelフィールドのチェックを大文字小文字の区別をなくした。 (#685) (@hitenkoku)
+- 出力結果の区切り文字を変更した。 (#687) (@hitenkoku)
 **バグ修正:**
diff --git a/CHANGELOG.md b/CHANGELOG.md
index cd145245..c7d6527c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,7 @@
 - Added `--no-summary` option to not display the results summary. (#672) (@hitenkoku)
 - Made the results summary more compact. (#675 #678) (@hitenkoku)
 - Made Channel field in channel_abbreviations.txt case-insensitive. (#685) (@hitenkoku)
+- Changed pipe separator character in output. (#687) (@hitenkoku)
 **Bug Fixes:**
From c22c200d30cb63142983ac8130f28a719f2ba466 Mon Sep 17 00:00:00 2001
From: DastInDark <2350416+hitenkoku@users.noreply.github.com>
Date: Thu, 8 Sep 2022 09:53:48 +0900
Subject: [PATCH 05/18] updated rules submodule
---
rules | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules b/rules
index 5364222c..ff5732fa 160000
--- a/rules
+++ b/rules
@@ -1 +1 @@
-Subproject commit 5364222c5459472d8ecbd46c49b482172be9d184
+Subproject commit ff5732fa1788b1c2281fdc3ccaa0dd0301b030d8
From 64bc89d750920cd17cac22e4dcb788df6778f621 Mon Sep 17 00:00:00 2001
From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com>
Date: Thu, 8 Sep 2022 10:36:10 +0900
Subject: [PATCH 06/18] update tags to broken pipe
---
src/detections/detection.rs | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/detections/detection.rs b/src/detections/detection.rs
index c28756bd..f1b5af43 100644
--- a/src/detections/detection.rs
+++ b/src/detections/detection.rs
@@ -326,7 +326,7 @@ impl Detection {
 .filter(|x| TAGS_CONFIG.values().contains(x))
 .map(|y| y.to_owned())
 .collect();
- profile_converter.insert("%MitreTactics%".to_string(), tactics.join(" | "));
+ profile_converter.insert("%MitreTactics%".to_string(), tactics.join(" ¦ "));
 }
 "%MitreTags%" => {
 let techniques: &Vec = &tag_info
@@ -342,7 +342,7 @@ impl Detection {
 make_ascii_titlecase(&mut replaced_tag)
 })
 .collect();
- profile_converter.insert("%MitreTags%".to_string(), techniques.join(" | "));
+ profile_converter.insert("%MitreTags%".to_string(), techniques.join(" ¦ "));
 }
 "%OtherTags%" => {
 let tags: &Vec = &tag_info
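Review bot: The in-field separator `" ¦ "` is spelled out six times across two near-identical match blocks (the `@@ -326` and `@@ -342` hunks here and the `@@ -355`, `@@ -458`, `@@ -474` and `@@ -487` hunks that follow), so the next separator change will again touch six lines in two places. Hoisting it into one documented constant, `/// Separator for multi-valued tag fields; must differ from the output column separator.` above `const TAG_SEPARATOR: &str = " ¦ ";`, with `tactics.join(TAG_SEPARATOR)` at each site, also records why a broken bar was chosen over the `|` that the output layer rewrites to `‖` (patch 01, src/afterfact.rs). The two `impl Detection` match blocks extend outside the hunks, so the arms were reviewed only as far as shown.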
@@ -355,7 +355,7 @@ impl Detection {
 })
 .map(|y| y.to_owned())
 .collect();
- profile_converter.insert("%OtherTags%".to_string(), tags.join(" | "));
+ profile_converter.insert("%OtherTags%".to_string(), tags.join(" ¦ "));
 }
 _ => {}
@@ -458,7 +458,7 @@ impl Detection {
 .filter(|x| TAGS_CONFIG.values().contains(x))
 .map(|y| y.to_owned())
 .collect();
- profile_converter.insert("%MitreTactics%".to_string(), tactics.join(" | "));
+ profile_converter.insert("%MitreTactics%".to_string(), tactics.join(" ¦ "));
 }
 "%MitreTags%" => {
 let techniques: &Vec = &tag_info
@@ -474,7 +474,7 @@ impl Detection {
 make_ascii_titlecase(&mut replaced_tag)
 })
 .collect();
- profile_converter.insert("%MitreTags%".to_string(), techniques.join(" | "));
+ profile_converter.insert("%MitreTags%".to_string(), techniques.join(" ¦ "));
 }
 "%OtherTags%" => {
 let tags: &Vec = &tag_info
@@ -487,7 +487,7 @@ impl Detection {
 })
 .map(|y| y.to_owned())
 .collect();
- profile_converter.insert("%OtherTags%".to_string(), tags.join(" | "));
+ profile_converter.insert("%OtherTags%".to_string(), tags.join(" ¦ "));
 }
 _ => {}
 }
From 33df28d41c0399220beef6ac9c1c326164a41643 Mon Sep 17 00:00:00 2001
From: DastInDark <2350416+hitenkoku@users.noreply.github.com>
Date: Thu, 8 Sep 2022 11:03:24 +0900
Subject: [PATCH 07/18] cargo fmt
---
src/afterfact.rs | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/afterfact.rs b/src/afterfact.rs
index bdbb1e3a..5138dc83 100644
--- a/src/afterfact.rs
+++ b/src/afterfact.rs
@@ -457,7 +457,9 @@ fn _get_serialized_disp_output(data: &LinkedHashMap, header: boo
 .from_writer(vec![]);
 disp_serializer.write_record(ret).ok();
- String::from_utf8(disp_serializer.into_inner().unwrap_or_default()).unwrap_or_default().replace('|', "‖")
+ String::from_utf8(disp_serializer.into_inner().unwrap_or_default())
+ .unwrap_or_default()
+ .replace('|', "‖")
 }
 /// return str position in output file
From c02becc2860e7a060c52350e959e2768c3ed89ca Mon Sep 17 00:00:00 2001
From: DastInDark <2350416+hitenkoku@users.noreply.github.com>
Date: Thu, 8 Sep 2022 11:49:41 +0900
Subject: [PATCH 08/18] updated rules submodule
---
rules | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules b/rules
index ff5732fa..0fff3f28 160000
--- a/rules
+++ b/rules
@@ -1 +1 @@
-Subproject commit ff5732fa1788b1c2281fdc3ccaa0dd0301b030d8
+Subproject commit 0fff3f28331ce53ec81a2c4aca286479da6293f9
From c655856abedf67ad6ab08dd36d15eb0f42d08f19 Mon Sep 17 00:00:00 2001
From: DastInDark <2350416+hitenkoku@users.noreply.github.com>
Date: Thu, 8 Sep 2022 13:47:38 +0900
Subject: [PATCH 09/18] fixed output header format
---
src/afterfact.rs | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/afterfact.rs b/src/afterfact.rs
index 5138dc83..40c8e7af 100644
--- a/src/afterfact.rs
+++ b/src/afterfact.rs
@@ -435,8 +435,14 @@ fn _get_serialized_disp_output(data: &LinkedHashMap, header: boo
 let data_length = &data.len();
 let mut ret: Vec = vec![];
 if header {
- for k in data.keys() {
- ret.push(k.to_owned());
+ for (i, k) in data.keys().enumerate() {
+ if i == 0 {
+ ret.push(_format_cellpos(k, ColPos::First))
+ } else if i == data_length - 1 {
+ ret.push(_format_cellpos(k, ColPos::Last))
+ } else {
+ ret.push(_format_cellpos(k, ColPos::Other))
+ }
 }
 } else {
 for (i, (_, v)) in data.iter().enumerate() {
From 4c7158d5e868dd21171ec0e4f2d9fddb7b14bc13 Mon Sep 17 00:00:00 2001
From: DastInDark <2350416+hitenkoku@users.noreply.github.com>
Date: Thu, 8 Sep 2022 14:23:23 +0900
Subject: [PATCH 10/18] fixed test
---
src/afterfact.rs | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/afterfact.rs b/src/afterfact.rs
index 40c8e7af..2ff25eeb 100644
--- a/src/afterfact.rs
+++ b/src/afterfact.rs
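Review bot: The three branches of the new header loop in the `@@ -435` hunk differ only in the `ColPos` value, so the `ret.push(_format_cellpos(..))` call is written three times; selecting the position first keeps a single push, `let pos = if i == 0 { ColPos::First } else if i == data_length - 1 { ColPos::Last } else { ColPos::Other };` followed by `ret.push(_format_cellpos(k, pos));`. The value loop that begins on the hunk's last context line has the same three-way shape (visible in the `@@ -481` hunk of patch 15), so a small private `fn col_pos(i: usize, len: usize) -> ColPos` would serve both loops and remove the duplication. For a single-column row `ColPos::First` wins over `ColPos::Last` because the `i == 0` test comes first; if that is deliberate, a one-line comment saying so would save the next reader the question. `_get_serialized_disp_output` continues outside the hunk.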
@@ -892,7 +892,7 @@ mod tests {
 let test_timestamp = Utc
 .datetime_from_str("1996-02-27T01:05:01Z", "%Y-%m-%dT%H:%M:%SZ")
 .unwrap();
- let expect_header = "Timestamp‖Computer‖Channel‖EventID‖Level‖RecordID‖RuleTitle‖Details‖RecordInformation\n";
+ let expect_header = "Timestamp ‖ Computer ‖ Channel ‖ EventID ‖ Level ‖ RecordID ‖ RuleTitle ‖ Details ‖ RecordInformation\n";
 let expect_tz = test_timestamp.with_timezone(&Local);
 let expect_no_header = expect_tz
From 0482d73d185c05e80a465cdd5c1dccffc35f1e51 Mon Sep 17 00:00:00 2001
From: DastInDark <2350416+hitenkoku@users.noreply.github.com>
Date: Fri, 9 Sep 2022 12:03:19 +0900
Subject: [PATCH 11/18] changed separator
---
src/detections/utils.rs | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/detections/utils.rs b/src/detections/utils.rs
index f7ee3a14..b4b262a0 100644
--- a/src/detections/utils.rs
+++ b/src/detections/utils.rs
@@ -297,14 +297,14 @@ fn create_recordinfos(record: &Value) -> String {
 let summary: Vec = output
 .iter()
- .map(|(key, value)| format!("{}:{}", key, value))
+ .map(|(key, value)| format!("{}: {}", key, value))
 .collect();
 // 標準出力する時はセルがハイプ区切りになるので、パイプ区切りにしない
 if configs::CONFIG.read().unwrap().args.output.is_some() {
- summary.join(" | ")
+ summary.join(" ‖ ")
 } else {
- summary.join(" ")
+ summary.join("‖")
 }
 }
From 4b80dc63f8dc7c80bbb58d5520a45b44fdb12936 Mon Sep 17 00:00:00 2001
From: DastInDark <2350416+hitenkoku@users.noreply.github.com>
Date: Fri, 9 Sep 2022 12:47:18 +0900
Subject: [PATCH 12/18] changed allrecordinfo data separator to broken pipe
---
src/detections/utils.rs | 7 +------
1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/src/detections/utils.rs b/src/detections/utils.rs
index b4b262a0..c2eee8d8 100644
--- a/src/detections/utils.rs
+++ b/src/detections/utils.rs
@@ -300,12 +300,7 @@ fn create_recordinfos(record: &Value) -> String {
 .map(|(key, value)| format!("{}: {}", key, value))
 .collect();
- // 標準出力する時はセルがハイプ区切りになるので、パイプ区切りにしない
- if configs::CONFIG.read().unwrap().args.output.is_some() {
- summary.join(" ‖ ")
- } else {
- summary.join("‖")
- }
+ summary.join(" ¦ ")
 }
 /**
From fb42afa1d0a451a58e6e864f3611775c8e545804 Mon Sep 17 00:00:00 2001
From: DastInDark <2350416+hitenkoku@users.noreply.github.com>
Date: Fri, 9 Sep 2022 12:47:57 +0900
Subject: [PATCH 13/18] fixed test
---
src/detections/utils.rs | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/detections/utils.rs b/src/detections/utils.rs
index c2eee8d8..5db79f11 100644
--- a/src/detections/utils.rs
+++ b/src/detections/utils.rs
@@ -505,7 +505,7 @@ mod tests {
 Ok(record) => {
 let ret = utils::create_recordinfos(&record);
 // Systemは除外される/属性(_attributesも除外される)/key順に並ぶ
- let expected = "AccessMask:%%1369 Process:lsass.exe User:u1".to_string();
+ let expected = "AccessMask: %%1369 ¦ Process: lsass.exe ¦ User: u1".to_string();
 assert_eq!(ret, expected);
 }
 Err(_) => {
@@ -539,7 +539,7 @@ mod tests {
 Ok(record) => {
 let ret = utils::create_recordinfos(&record);
 // Systemは除外される/属性(_attributesも除外される)/key順に並ぶ
- let expected = "Binary:hogehoge Data: Data:Data1 Data:DataData2 Data:DataDataData3"
+ let expected = "Binary: hogehoge ¦ Data: ¦ Data: Data1 ¦ Data: DataData2 ¦ Data: DataDataData3"
 .to_string();
 assert_eq!(ret, expected);
 }
From bdd4fe97c28d0df48c77bc1d86fc8a03023f146a Mon Sep 17 00:00:00 2001
From: DastInDark <2350416+hitenkoku@users.noreply.github.com>
Date: Fri, 9 Sep 2022 20:22:40 +0900
Subject: [PATCH 14/18] cargo fmt
---
src/detections/utils.rs | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/detections/utils.rs b/src/detections/utils.rs
index 5db79f11..837da55d 100644
--- a/src/detections/utils.rs
+++ b/src/detections/utils.rs
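Review bot: Dropping the conditional in the `@@ -300` hunk also dropped the only comment that explained the separator choice, so the new `summary.join(" ¦ ")` leaves no record of why a broken bar (U+00A6) is used inside this field while the output column separator set in patch 01 is `‖` (U+2016). A one-line comment above the join, `// In-field key/value separator; must not be the output column separator "‖"`, would preserve that reasoning, assuming that distinction is indeed the motivation. If this was the last use of `configs` in utils.rs the import is now unused and the compiler will warn about it. `create_recordinfos` begins outside the hunk.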
@@ -300,7 +300,7 @@ fn create_recordinfos(record: &Value) -> String {
 .map(|(key, value)| format!("{}: {}", key, value))
 .collect();
- summary.join(" ¦ ")
+ summary.join(" ¦ ")
 }
 /**
From 29f8eacbd20b7a1ba5c3a59e61d74a4d6a69e19d Mon Sep 17 00:00:00 2001
From: DastInDark <2350416+hitenkoku@users.noreply.github.com>
Date: Fri, 9 Sep 2022 20:34:06 +0900
Subject: [PATCH 15/18] fixed excluded pipe in value is replace double pipe. ex. pipe in powershell
---
src/afterfact.rs | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/afterfact.rs b/src/afterfact.rs
index 29da11d2..e2d31106 100644
--- a/src/afterfact.rs
+++ b/src/afterfact.rs
@@ -481,11 +481,11 @@ fn _get_serialized_disp_output(data: &LinkedHashMap, header: boo
 } else {
 for (i, (_, v)) in data.iter().enumerate() {
 if i == 0 {
- ret.push(_format_cellpos(v, ColPos::First))
+ ret.push(_format_cellpos(v, ColPos::First).replace('|', "🦅"))
 } else if i == data_length - 1 {
- ret.push(_format_cellpos(v, ColPos::Last))
+ ret.push(_format_cellpos(v, ColPos::Last).replace('|', "🦅"))
 } else {
- ret.push(_format_cellpos(v, ColPos::Other))
+ ret.push(_format_cellpos(v, ColPos::Other).replace('|', "🦅"))
 }
 }
 }
@@ -499,7 +499,7 @@ fn _get_serialized_disp_output(data: &LinkedHashMap, header: boo
 disp_serializer.write_record(ret).ok();
 String::from_utf8(disp_serializer.into_inner().unwrap_or_default())
 .unwrap_or_default()
- .replace('|', "‖")
+ .replace('|', "‖").replace('🦅', "|")
 }
 /// return str position in output file
From 6253ef0c14a43063dd6361be8503f16c74916a71 Mon Sep 17 00:00:00 2001
From: DastInDark <2350416+hitenkoku@users.noreply.github.com>
Date: Fri, 9 Sep 2022 20:36:32 +0900
Subject: [PATCH 16/18] cargo fmt
---
src/afterfact.rs | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/afterfact.rs b/src/afterfact.rs
index e2d31106..320b906b 100644
--- a/src/afterfact.rs
+++ b/src/afterfact.rs
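Review bot: The sentinel round-trip in the `@@ -481` and `@@ -499` hunks is lossy: a cell that already contains `🦅` comes out as `|`, and a cell containing `‖` (a collision present since patch 01's `replace('|', "‖")`) is indistinguishable from the column separator, so an event field carrying that code point shifts or fakes columns in the console view of a log-analysis tool. The root cause is that the delimiter is rewritten on the serialized row instead of being handled per cell; since each cell is already positioned by `_format_cellpos`, joining the cells with the `‖` separator directly (and, if cells must never contain it, substituting `‖` inside each cell before the join, with a comment stating that invariant) removes both `replace` calls and needs no sentinel. This presumes the csv writer is configured with `|` as its delimiter, which the hunks do not show; if the writer's quoting is relied on elsewhere, the per-cell approach should be kept behind the same function so callers see no change. `_get_serialized_disp_output` begins outside the hunks.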
@@ -499,7 +499,8 @@ fn _get_serialized_disp_output(data: &LinkedHashMap, header: boo
 disp_serializer.write_record(ret).ok();
 String::from_utf8(disp_serializer.into_inner().unwrap_or_default())
 .unwrap_or_default()
- .replace('|', "‖").replace('🦅', "|")
+ .replace('|', "‖")
+ .replace('🦅', "|")
 }
 /// return str position in output file
From 9f308b7be01a60711f1f6a2249a4ef53ab54ab3a Mon Sep 17 00:00:00 2001
From: DastInDark <2350416+hitenkoku@users.noreply.github.com>
Date: Fri, 9 Sep 2022 23:03:58 +0900
Subject: [PATCH 17/18] updated rules
---
rules | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules b/rules
index 0fff3f28..a9be6f9d 160000
--- a/rules
+++ b/rules
@@ -1 +1 @@
-Subproject commit 0fff3f28331ce53ec81a2c4aca286479da6293f9
+Subproject commit a9be6f9dcd3b8942bb5c45abb9de1941dd22b1bb
From 6064f4a8300a6d5b7c7752d65159219fd614dfef Mon Sep 17 00:00:00 2001
From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com>
Date: Sat, 10 Sep 2022 04:01:55 +0900
Subject: [PATCH 18/18] update changelog
---
CHANGELOG-Japanese.md | 2 +-
CHANGELOG.md | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md
index b9f09b3a..a1c85d64 100644
--- a/CHANGELOG-Japanese.md
+++ b/CHANGELOG-Japanese.md
@@ -12,7 +12,7 @@
 - 結果概要を出力しないようにするために `--no-summary` オプションを追加した。 (#672) (@hitenkoku)
 - 結果概要の表示を短縮させた。 (#675 #678) (@hitenkoku)
 - channel_abbreviations.txtによるChannelフィールドのチェックを大文字小文字の区別をなくした。 (#685) (@hitenkoku)
-- 出力結果の区切り文字を変更した。 (#687) (@hitenkoku)
+- 出力結果の区切り文字を`|`から`‖`に変更した。 (#687) (@hitenkoku)
 - 結果概要の検知数と総イベント数の数に色付けを行い見やすくした。 (#690) (@hitenkoku)
 **バグ修正:**
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 97f49099..4205496c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,7 +12,7 @@
 - Added `--no-summary` option to not display the results summary. (#672) (@hitenkoku)
 - Made the results summary more compact. (#675 #678) (@hitenkoku)
 - Made Channel field in channel_abbreviations.txt case-insensitive. (#685) (@hitenkoku)
-- Changed pipe separator character in output. (#687) (@hitenkoku)
+- Changed pipe separator character in output from `|` to `‖`. (#687) (@hitenkoku)
 - Added color to Saved alerts and events / Total events analyzed. (#690) (@hitenkoku)
 **Bug Fixes:**