Merge pull request #688 from Yamato-Security/687-change-pipe-separator-character
Changed pipe separator character
This commit is contained in:
Yamato Security
GitHub
@@ -12,6 +12,7 @@
|
|||||||
- 結果概要を出力しないようにするために `--no-summary` オプションを追加した。 (#672) (@hitenkoku)
|
- 結果概要を出力しないようにするために `--no-summary` オプションを追加した。 (#672) (@hitenkoku)
|
||||||
- 結果概要の表示を短縮させた。 (#675 #678) (@hitenkoku)
|
- 結果概要の表示を短縮させた。 (#675 #678) (@hitenkoku)
|
||||||
- channel_abbreviations.txtによるChannelフィールドのチェックを大文字小文字の区別をなくした。 (#685) (@hitenkoku)
|
- channel_abbreviations.txtによるChannelフィールドのチェックを大文字小文字の区別をなくした。 (#685) (@hitenkoku)
|
||||||
|
- 出力結果の区切り文字を`|`から`‖`に変更した。 (#687) (@hitenkoku)
|
||||||
- 結果概要の検知数と総イベント数の数に色付けを行い見やすくした。 (#690) (@hitenkoku)
|
- 結果概要の検知数と総イベント数の数に色付けを行い見やすくした。 (#690) (@hitenkoku)
|
||||||
|
|
||||||
**バグ修正:**
|
**バグ修正:**
|
||||||
|
|||||||
@@ -12,6 +12,7 @@
|
|||||||
- Added `--no-summary` option to not display the results summary. (#672) (@hitenkoku)
|
- Added `--no-summary` option to not display the results summary. (#672) (@hitenkoku)
|
||||||
- Made the results summary more compact. (#675 #678) (@hitenkoku)
|
- Made the results summary more compact. (#675 #678) (@hitenkoku)
|
||||||
- Made Channel field in channel_abbreviations.txt case-insensitive. (#685) (@hitenkoku)
|
- Made Channel field in channel_abbreviations.txt case-insensitive. (#685) (@hitenkoku)
|
||||||
|
- Changed pipe separator character in output from `|` to `‖`. (#687) (@hitenkoku)
|
||||||
- Added color to Saved alerts and events / Total events analyzed. (#690) (@hitenkoku)
|
- Added color to Saved alerts and events / Total events analyzed. (#690) (@hitenkoku)
|
||||||
|
|
||||||
**Bug Fixes:**
|
**Bug Fixes:**
|
||||||
|
|||||||
2
rules
2
rules
Submodule rules updated: 5364222c54...a9be6f9dcd
@@ -469,17 +469,23 @@ fn _get_serialized_disp_output(data: &LinkedHashMap<String, String>, header: boo
|
|||||||
let data_length = &data.len();
|
let data_length = &data.len();
|
||||||
let mut ret: Vec<String> = vec![];
|
let mut ret: Vec<String> = vec![];
|
||||||
if header {
|
if header {
|
||||||
for k in data.keys() {
|
for (i, k) in data.keys().enumerate() {
|
||||||
ret.push(k.to_owned());
|
if i == 0 {
|
||||||
|
ret.push(_format_cellpos(k, ColPos::First))
|
||||||
|
} else if i == data_length - 1 {
|
||||||
|
ret.push(_format_cellpos(k, ColPos::Last))
|
||||||
|
} else {
|
||||||
|
ret.push(_format_cellpos(k, ColPos::Other))
|
||||||
|
}
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
for (i, (_, v)) in data.iter().enumerate() {
|
for (i, (_, v)) in data.iter().enumerate() {
|
||||||
if i == 0 {
|
if i == 0 {
|
||||||
ret.push(_format_cellpos(v, ColPos::First))
|
ret.push(_format_cellpos(v, ColPos::First).replace('|', "🦅"))
|
||||||
} else if i == data_length - 1 {
|
} else if i == data_length - 1 {
|
||||||
ret.push(_format_cellpos(v, ColPos::Last))
|
ret.push(_format_cellpos(v, ColPos::Last).replace('|', "🦅"))
|
||||||
} else {
|
} else {
|
||||||
ret.push(_format_cellpos(v, ColPos::Other))
|
ret.push(_format_cellpos(v, ColPos::Other).replace('|', "🦅"))
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -491,7 +497,10 @@ fn _get_serialized_disp_output(data: &LinkedHashMap<String, String>, header: boo
|
|||||||
.from_writer(vec![]);
|
.from_writer(vec![]);
|
||||||
|
|
||||||
disp_serializer.write_record(ret).ok();
|
disp_serializer.write_record(ret).ok();
|
||||||
String::from_utf8(disp_serializer.into_inner().unwrap_or_default()).unwrap_or_default()
|
String::from_utf8(disp_serializer.into_inner().unwrap_or_default())
|
||||||
|
.unwrap_or_default()
|
||||||
|
.replace('|', "‖")
|
||||||
|
.replace('🦅', "|")
|
||||||
}
|
}
|
||||||
|
|
||||||
/// return str position in output file
|
/// return str position in output file
|
||||||
@@ -918,28 +927,28 @@ mod tests {
|
|||||||
let test_timestamp = Utc
|
let test_timestamp = Utc
|
||||||
.datetime_from_str("1996-02-27T01:05:01Z", "%Y-%m-%dT%H:%M:%SZ")
|
.datetime_from_str("1996-02-27T01:05:01Z", "%Y-%m-%dT%H:%M:%SZ")
|
||||||
.unwrap();
|
.unwrap();
|
||||||
let expect_header = "Timestamp|Computer|Channel|EventID|Level|RecordID|RuleTitle|Details|RecordInformation\n";
|
let expect_header = "Timestamp ‖ Computer ‖ Channel ‖ EventID ‖ Level ‖ RecordID ‖ RuleTitle ‖ Details ‖ RecordInformation\n";
|
||||||
let expect_tz = test_timestamp.with_timezone(&Local);
|
let expect_tz = test_timestamp.with_timezone(&Local);
|
||||||
|
|
||||||
let expect_no_header = expect_tz
|
let expect_no_header = expect_tz
|
||||||
.clone()
|
.clone()
|
||||||
.format("%Y-%m-%d %H:%M:%S%.3f %:z")
|
.format("%Y-%m-%d %H:%M:%S%.3f %:z")
|
||||||
.to_string()
|
.to_string()
|
||||||
+ " | "
|
+ " ‖ "
|
||||||
+ test_computername
|
+ test_computername
|
||||||
+ " | "
|
+ " ‖ "
|
||||||
+ test_channel
|
+ test_channel
|
||||||
+ " | "
|
+ " ‖ "
|
||||||
+ test_eventid
|
+ test_eventid
|
||||||
+ " | "
|
+ " ‖ "
|
||||||
+ test_level
|
+ test_level
|
||||||
+ " | "
|
+ " ‖ "
|
||||||
+ test_recid
|
+ test_recid
|
||||||
+ " | "
|
+ " ‖ "
|
||||||
+ test_title
|
+ test_title
|
||||||
+ " | "
|
+ " ‖ "
|
||||||
+ output
|
+ output
|
||||||
+ " | "
|
+ " ‖ "
|
||||||
+ test_recinfo
|
+ test_recinfo
|
||||||
+ "\n";
|
+ "\n";
|
||||||
let mut data: LinkedHashMap<String, String> = LinkedHashMap::new();
|
let mut data: LinkedHashMap<String, String> = LinkedHashMap::new();
|
||||||
|
|||||||
@@ -326,7 +326,7 @@ impl Detection {
|
|||||||
.filter(|x| TAGS_CONFIG.values().contains(x))
|
.filter(|x| TAGS_CONFIG.values().contains(x))
|
||||||
.map(|y| y.to_owned())
|
.map(|y| y.to_owned())
|
||||||
.collect();
|
.collect();
|
||||||
profile_converter.insert("%MitreTactics%".to_string(), tactics.join(" : "));
|
profile_converter.insert("%MitreTactics%".to_string(), tactics.join(" ¦ "));
|
||||||
}
|
}
|
||||||
"%MitreTags%" => {
|
"%MitreTags%" => {
|
||||||
let techniques: &Vec<String> = &tag_info
|
let techniques: &Vec<String> = &tag_info
|
||||||
@@ -342,7 +342,7 @@ impl Detection {
|
|||||||
make_ascii_titlecase(&mut replaced_tag)
|
make_ascii_titlecase(&mut replaced_tag)
|
||||||
})
|
})
|
||||||
.collect();
|
.collect();
|
||||||
profile_converter.insert("%MitreTags%".to_string(), techniques.join(" : "));
|
profile_converter.insert("%MitreTags%".to_string(), techniques.join(" ¦ "));
|
||||||
}
|
}
|
||||||
"%OtherTags%" => {
|
"%OtherTags%" => {
|
||||||
let tags: &Vec<String> = &tag_info
|
let tags: &Vec<String> = &tag_info
|
||||||
@@ -355,7 +355,7 @@ impl Detection {
|
|||||||
})
|
})
|
||||||
.map(|y| y.to_owned())
|
.map(|y| y.to_owned())
|
||||||
.collect();
|
.collect();
|
||||||
profile_converter.insert("%OtherTags%".to_string(), tags.join(" : "));
|
profile_converter.insert("%OtherTags%".to_string(), tags.join(" ¦ "));
|
||||||
}
|
}
|
||||||
|
|
||||||
_ => {}
|
_ => {}
|
||||||
@@ -458,7 +458,7 @@ impl Detection {
|
|||||||
.filter(|x| TAGS_CONFIG.values().contains(x))
|
.filter(|x| TAGS_CONFIG.values().contains(x))
|
||||||
.map(|y| y.to_owned())
|
.map(|y| y.to_owned())
|
||||||
.collect();
|
.collect();
|
||||||
profile_converter.insert("%MitreTactics%".to_string(), tactics.join(" : "));
|
profile_converter.insert("%MitreTactics%".to_string(), tactics.join(" ¦ "));
|
||||||
}
|
}
|
||||||
"%MitreTags%" => {
|
"%MitreTags%" => {
|
||||||
let techniques: &Vec<String> = &tag_info
|
let techniques: &Vec<String> = &tag_info
|
||||||
@@ -474,7 +474,7 @@ impl Detection {
|
|||||||
make_ascii_titlecase(&mut replaced_tag)
|
make_ascii_titlecase(&mut replaced_tag)
|
||||||
})
|
})
|
||||||
.collect();
|
.collect();
|
||||||
profile_converter.insert("%MitreTags%".to_string(), techniques.join(" : "));
|
profile_converter.insert("%MitreTags%".to_string(), techniques.join(" ¦ "));
|
||||||
}
|
}
|
||||||
"%OtherTags%" => {
|
"%OtherTags%" => {
|
||||||
let tags: &Vec<String> = &tag_info
|
let tags: &Vec<String> = &tag_info
|
||||||
@@ -487,7 +487,7 @@ impl Detection {
|
|||||||
})
|
})
|
||||||
.map(|y| y.to_owned())
|
.map(|y| y.to_owned())
|
||||||
.collect();
|
.collect();
|
||||||
profile_converter.insert("%OtherTags%".to_string(), tags.join(" : "));
|
profile_converter.insert("%OtherTags%".to_string(), tags.join(" ¦ "));
|
||||||
}
|
}
|
||||||
_ => {}
|
_ => {}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -297,15 +297,10 @@ fn create_recordinfos(record: &Value) -> String {
|
|||||||
|
|
||||||
let summary: Vec<String> = output
|
let summary: Vec<String> = output
|
||||||
.iter()
|
.iter()
|
||||||
.map(|(key, value)| format!("{}:{}", key, value))
|
.map(|(key, value)| format!("{}: {}", key, value))
|
||||||
.collect();
|
.collect();
|
||||||
|
|
||||||
// 標準出力する時はセルがハイプ区切りになるので、パイプ区切りにしない
|
summary.join(" ¦ ")
|
||||||
if configs::CONFIG.read().unwrap().args.output.is_some() {
|
|
||||||
summary.join(" | ")
|
|
||||||
} else {
|
|
||||||
summary.join(" ")
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@@ -510,7 +505,7 @@ mod tests {
|
|||||||
Ok(record) => {
|
Ok(record) => {
|
||||||
let ret = utils::create_recordinfos(&record);
|
let ret = utils::create_recordinfos(&record);
|
||||||
// Systemは除外される/属性(_attributesも除外される)/key順に並ぶ
|
// Systemは除外される/属性(_attributesも除外される)/key順に並ぶ
|
||||||
let expected = "AccessMask:%%1369 Process:lsass.exe User:u1".to_string();
|
let expected = "AccessMask: %%1369 ¦ Process: lsass.exe ¦ User: u1".to_string();
|
||||||
assert_eq!(ret, expected);
|
assert_eq!(ret, expected);
|
||||||
}
|
}
|
||||||
Err(_) => {
|
Err(_) => {
|
||||||
@@ -544,7 +539,7 @@ mod tests {
|
|||||||
Ok(record) => {
|
Ok(record) => {
|
||||||
let ret = utils::create_recordinfos(&record);
|
let ret = utils::create_recordinfos(&record);
|
||||||
// Systemは除外される/属性(_attributesも除外される)/key順に並ぶ
|
// Systemは除外される/属性(_attributesも除外される)/key順に並ぶ
|
||||||
let expected = "Binary:hogehoge Data: Data:Data1 Data:DataData2 Data:DataDataData3"
|
let expected = "Binary: hogehoge ¦ Data: ¦ Data: Data1 ¦ Data: DataData2 ¦ Data: DataDataData3"
|
||||||
.to_string();
|
.to_string();
|
||||||
assert_eq!(ret, expected);
|
assert_eq!(ret, expected);
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user