CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

adjusted usage to clap v3 derive struct #413

Browse Source
This commit is contained in:
DustInDark
2022-06-13 01:58:40 +09:00
parent 6f83331420
commit 180e8cada2
1 changed files with 166 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

173
src/detections/configs.rs
View File

@@ -3,14 +3,15 @@ use crate::detections::pivot::PIVOT_KEYWORD;
use crate::detections::print::AlertMessage;
use crate::detections::utils;
use chrono::{DateTime, Utc};
use clap::{App, AppSettings, Arg, ArgMatches};
use clap::{Command, ArgMatches, CommandFactory, Parser};
use hashbrown::HashMap;
use hashbrown::HashSet;
use std::path::PathBuf;
use lazy_static::lazy_static;
use regex::Regex;
use std::sync::RwLock;
lazy_static! {
pub static ref CONFIG: RwLock<ConfigReader> = RwLock::new(ConfigReader::new());
pub static ref CONFIG: RwLock<ConfigReader<'static>> = RwLock::new(ConfigReader::new());
pub static ref LEVELMAP: HashMap<String, u128> = {
let mut levelmap = HashMap::new();
levelmap.insert("INFORMATIONAL".to_owned(), 1);
@@ -29,24 +30,182 @@ lazy_static! {
}
#[derive(Clone)]
pub struct ConfigReader {
pub args: ArgMatches<'static>,
pub struct ConfigReader<'a> {
pub cmd: Command<'a>,
pub args: ArgMatches,
pub folder_path: String,
pub event_timeline_config: EventInfoConfig,
pub target_eventids: TargetEventIds,
}
impl Default for ConfigReader {
impl Default for ConfigReader<'_> {
fn default() -> Self {
Self::new()
}
}
impl ConfigReader {
/// Hayabusa: Aiming to be the world's greatest Windows event log analysis tool!
#[derive(Parser)]
#[clap(
author = "Yamato Security (https://github.com/Yamato-Security/hayabusa) @SecurityYamato)",
version
)]
struct Config {
/// Directory of multiple .evtx files.
#[clap(short = 'd', long, value_name = "DIRECTORY")]
directory: Option<PathBuf>,
/// File path to one .evtx file.
#[clap(short = 'f', long, value_name = "FILE_PATH")]
filepath: Option<PathBuf>,
/// Print all field information.
#[clap(short = 'F', long = "full-data")]
full_data: bool,
/// Rule directory or file (Default: .\\rules)
#[clap(
short = 'r',
long,
default_value = "./rules",
value_name = "RULE_DIRECTORY/RULE_FILE"
)]
rules: PathBuf,
/// Rule config folder. (Default: .\\rules\\config)
#[clap(
short = 'C',
long,
default_value = "./rules/config",
value_name = "RULE_CONFIG_DIRECTORY"
)]
config: PathBuf,
/// Save the timeline in CSV format. (Ex: results.csv)
#[clap(short = 'o', long, value_name = "CSV_TIMELINE")]
output: Option<PathBuf>,
/// Output all tags when saving to a CSV file.
#[clap(long = "all-tags")]
all_tags: bool,
/// Do not display EventRecordID number.
#[clap(short = 'R', long = "hide-record-id")]
hide_record_id: bool,
/// Output verbose information.
#[clap(short = 'v', long)]
verbose: bool,
/// Output event frequency timeline.
#[clap(short = 'V', long = "visualize-timeline")]
visualize_timeline: bool,
/// Enable rules marked as deprecated.
#[clap(short = 'D', long = "enable-deprecated-rules")]
enable_deprecated_rules: bool,
/// Enable rules marked as noisy.
#[clap(short = 'n', long = "enable-noisy-rules")]
enable_noisy_rules: bool,
/// Update to the latest rules in the hayabusa-rules github repository.
#[clap(short = 'u', long = "update-rules")]
update: bool,
/// Minimum level for rules. (Default: informational)
#[clap(
short = 'm',
long = "min-level",
default_value = "informational",
value_name = "LEVEL"
)]
min_level: String,
/// Analyze the local C:\\Windows\\System32\\winevt\\Logs folder (Windows Only. Administrator privileges required.)
#[clap(short = 'l', long = "live-analysis")]
live_analysis: bool,
/// Start time of the event logs to load. (Ex: \"2020-02-22 00:00:00 +09:00\")
#[clap(long = "start-timeline", value_name = "START_TIMELINE")]
start_timeline: Option<String>,
/// End time of the event logs to load. (Ex: \"2022-02-22 23:59:59 +09:00\")
#[clap(long = "end-timeline", value_name = "END_TIMELINE")]
end_timeline: Option<String>,
/// Output timestamp in RFC 2822 format. (Ex: Fri, 22 Feb 2022 22:00:00 -0600)
#[clap(long = "rfc-2822")]
rfc_2822: bool,
/// Output timestamp in RFC 3339 format. (Ex: 2022-02-22 22:00:00.123456-06:00)
#[clap(long = "rfc-3339")]
rfc_3339: bool,
/// Output timestamp in US time format. (Ex: 02-22-2022 10:00:00.123 PM -06:00)
#[clap(long = "US-time")]
us_time: bool,
/// Output timestamp in US military time format. (Ex: 02-22-2022 22:00:00.123 -06:00)
#[clap(long = "US-military-time")]
us_military_time: bool,
/// Output timestamp in European time format. (Ex: 22-02-2022 22:00:00.123 +02:00)
#[clap(long = "European-time")]
european_time: bool,
/// Output time in UTC format. (Default: local time)
#[clap(short = 'U', long = "utc")]
utc: bool,
/// Disable color output.
#[clap(long = "no_color")]
no_color: bool,
/// Thread number. (Default: Optimal number for performance.)
#[clap(short, long = "thread-number", value_name = "NUMBER")]
thread_number: Option<usize>,
/// Prints statistics of event IDs.
#[clap(short, long)]
statistics: bool,
/// Successful and failed logons summary.
#[clap(short = 'L', long = "logon-summary")]
logon_summary: bool,
/// Tune alert levels. (Default: .\\rules\\config\\level_tuning.txt)
#[clap(
long = "level-tuning",
default_value = "./rules/config/level_tuning.txt",
value_name = "LEVEL_TUNING_FILE"
)]
level_tuning: PathBuf,
/// Quiet mode. Do not display the launch banner.
#[clap(short, long)]
quiet: bool,
/// Quiet errors mode. Do not save error logs.
#[clap(short = 'Q', long = "quiet-errors")]
quiet_errors: bool,
/// Create a list of pivot keywords.
#[clap(short = 'p', long = "pivot-keywords-list")]
pivot_keywords_list: bool,
/// Prints the list of contributors.
#[clap(long)]
contributors: bool,
}
impl ConfigReader<'_> {
pub fn new() -> Self {
let arg = build_app();
let build_cmd = Config::command();
let arg = build_cmd.clone().get_matches();
let folder_path_str = arg.value_of("config").unwrap_or("rules/config").to_string();
ConfigReader {
cmd: build_cmd,
args: arg,
folder_path: folder_path_str,
event_timeline_config: load_eventcode_info("config/statistics_event_info.txt"),