* changed default level to Low #211 * fixed usage #211 * erased Lang option #195 * changed output credit to contributors #141 * Removed contributor information for uncreated features and features that will not be introduced in v1.0. #141 * removed slack notification feature #202 - removed config option - removed artifact slack notification call * removed description of slack notification #202 * fixed default level to Low #211 * removed description about slack notification #202
+21
-39
@@ -1,13 +1,11 @@
|
||||
use crate::detections::configs;
|
||||
use crate::detections::print;
|
||||
use crate::detections::print::AlertMessage;
|
||||
use crate::notify::slack::SlackNotify;
|
||||
use chrono::{DateTime, Local, TimeZone, Utc};
|
||||
use serde::Serialize;
|
||||
use std::error::Error;
|
||||
use std::fs::File;
|
||||
use std::io;
|
||||
use std::io::BufWriter;
|
||||
use std::process;
|
||||
|
||||
#[derive(Debug, Serialize)]
|
||||
@@ -33,47 +31,31 @@ pub fn after_fact() {
|
||||
process::exit(1);
|
||||
};
|
||||
|
||||
// slack通知する場合はemit_csvした後に
|
||||
if configs::CONFIG.read().unwrap().args.is_present("slack") {
|
||||
let mut buf = vec![];
|
||||
let mut writer = BufWriter::new(buf);
|
||||
if let Err(err) = emit_csv(&mut writer) {
|
||||
fn_emit_csv_err(err);
|
||||
} else {
|
||||
buf = writer.into_inner().unwrap();
|
||||
let s = std::str::from_utf8(&buf).unwrap();
|
||||
if SlackNotify::notify(s.to_string()).is_err() {
|
||||
eprintln!("slack notification failed!!");
|
||||
let mut target: Box<dyn io::Write> = if let Some(csv_path) = configs::CONFIG
|
||||
.read()
|
||||
.unwrap()
|
||||
.args
|
||||
.value_of("csv-timeline")
|
||||
{
|
||||
// ファイル出力する場合
|
||||
match File::create(csv_path) {
|
||||
Ok(file) => Box::new(file),
|
||||
Err(err) => {
|
||||
AlertMessage::alert(
|
||||
&mut std::io::stderr().lock(),
|
||||
format!("Failed to open file. {}", err),
|
||||
)
|
||||
.ok();
|
||||
process::exit(1);
|
||||
}
|
||||
println!("{}", s.to_string());
|
||||
}
|
||||
} else {
|
||||
let mut target: Box<dyn io::Write> = if let Some(csv_path) = configs::CONFIG
|
||||
.read()
|
||||
.unwrap()
|
||||
.args
|
||||
.value_of("csv-timeline")
|
||||
{
|
||||
// ファイル出力する場合
|
||||
match File::create(csv_path) {
|
||||
Ok(file) => Box::new(file),
|
||||
Err(err) => {
|
||||
AlertMessage::alert(
|
||||
&mut std::io::stderr().lock(),
|
||||
format!("Failed to open file. {}", err),
|
||||
)
|
||||
.ok();
|
||||
process::exit(1);
|
||||
}
|
||||
}
|
||||
} else {
|
||||
// 標準出力に出力する場合
|
||||
Box::new(io::stdout())
|
||||
};
|
||||
// 標準出力に出力する場合
|
||||
Box::new(io::stdout())
|
||||
};
|
||||
|
||||
if let Err(err) = emit_csv(&mut target) {
|
||||
fn_emit_csv_err(err);
|
||||
}
|
||||
if let Err(err) = emit_csv(&mut target) {
|
||||
fn_emit_csv_err(err);
|
||||
}
|
||||
}
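Review bot: `File::create(csv_path)` truncates whatever already exists at the user-supplied `--csv-timeline` path before a single row is emitted, so a mistyped argument silently destroys an unrelated file; consider `OpenOptions::new().write(true).create_new(true).open(csv_path)` (or an explicit overwrite flag) and let the existing `AlertMessage::alert` arm report the `AlreadyExists` error. The boxed `File` is also written through unbuffered — the first hunk's line counts suggest the `std::io::BufWriter` import was dropped together with `SlackNotify` — so, assuming `emit_csv` writes row by row, `Ok(file) => Box::new(BufWriter::new(file)),` with the import restored would avoid one write syscall per row. `after_fact` begins above this hunk.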
|
||||
|
||||
|
||||
@@ -52,14 +52,12 @@ fn build_app<'a>() -> ArgMatches<'a> {
|
||||
--rfc-2822 'Output date and time in RFC 2822 format. Example: Mon, 07 Aug 2006 12:34:56 -0600'
|
||||
--rfc-3339 'Output date and time in RFC 3339 format. Example: 2006-08-07T12:34:56.485214 -06:00'
|
||||
--verbose 'Output check information to target event file path and rule file.'
|
||||
-l --lang=[LANG] 'Output language'
|
||||
-L --level=[LEVEL] 'Specified execute rule level(default: INFO)'
|
||||
-L --level=[LEVEL] 'Specified execute rule level(default: LOW)'
|
||||
-u --utc 'Output time in UTC format(default: local time)'
|
||||
-d --directory=[DIRECTORY] 'Event log files directory'
|
||||
-s --statistics 'Prints statistics for event logs'
|
||||
-t --threadnum=[NUM] 'Thread number'
|
||||
--slack 'Slack notification'
|
||||
--credits 'Prints credits'";
|
||||
--contributors 'Prints the list of contributors'";
|
||||
App::new(&program)
|
||||
.about("hayabusa. Aiming to be the world's greatest Windows event log analysis tool!")
|
||||
.version("1.0.0")
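Review bot: The `--level` help text now states `default: LOW`, but nothing in this hunk sets a `default_value` on the option, so the real default appears to live in the rule-loading code (`unwrap_or("LOW")` in this same commit) and the two have to be kept in sync by hand. The text also does not tell the user which level names are accepted, although `configs::LEVELMAP` defines them; consider `-L --level=[LEVEL] 'Minimum rule level to run, one of the levels defined in LEVELMAP (default: LOW)'` or, better, deriving the default and the accepted values from that map.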
|
||||
|
||||
+9
-4
@@ -49,8 +49,13 @@ fn main() {
|
||||
return;
|
||||
}
|
||||
analysis_files(evtx_files);
|
||||
} else if configs::CONFIG.read().unwrap().args.is_present("credits") {
|
||||
print_credits();
|
||||
} else if configs::CONFIG
|
||||
.read()
|
||||
.unwrap()
|
||||
.args
|
||||
.is_present("contributors")
|
||||
{
|
||||
print_contributors();
|
||||
return;
|
||||
}
|
||||
let analysis_end_time: DateTime<Utc> = Utc::now();
|
||||
@@ -92,8 +97,8 @@ fn collect_evtxfiles(dirpath: &str) -> Vec<PathBuf> {
|
||||
return ret;
|
||||
}
|
||||
|
||||
fn print_credits() {
|
||||
match fs::read_to_string("./credits.txt") {
|
||||
fn print_contributors() {
|
||||
match fs::read_to_string("./contributors.txt") {
|
||||
Ok(contents) => println!("{}", contents),
|
||||
Err(err) => {
|
||||
AlertMessage::alert(&mut std::io::stderr().lock(), format!("{}", err)).ok();
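Review bot: In the second hunk, `fs::read_to_string("./contributors.txt")` resolves against the process's current working directory rather than the executable's location, and the alert in the `Err` arm prints only the bare error, so a user running from another directory sees something like "No such file or directory" with no hint of which file was wanted. Including the path in the message, `format!("Failed to read ./contributors.txt: {}", err)`, makes the failure self-explanatory; resolving the file relative to `std::env::current_exe()` would remove the CWD dependency. `print_contributors` continues below this hunk.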
|
||||
|
||||
+5
-5
@@ -102,11 +102,11 @@ impl ParseYaml {
|
||||
// 指定されたレベルより低いルールは無視する
|
||||
let doc_level = &yaml_doc["level"]
|
||||
.as_str()
|
||||
.unwrap_or("INFO")
|
||||
.unwrap_or("LOW")
|
||||
.to_string()
|
||||
.to_uppercase();
|
||||
let doc_level_num = configs::LEVELMAP.get(doc_level).unwrap_or(&1);
|
||||
let args_level_num = configs::LEVELMAP.get(level).unwrap_or(&1);
|
||||
let doc_level_num = configs::LEVELMAP.get(doc_level).unwrap_or(&2);
|
||||
let args_level_num = configs::LEVELMAP.get(level).unwrap_or(&2);
|
||||
if doc_level_num < args_level_num {
|
||||
return Option::None;
|
||||
}
|
||||
@@ -161,12 +161,12 @@ mod tests {
|
||||
}
|
||||
|
||||
#[test]
|
||||
/// no specifed "level" arguments value is adapted default level(INFO)
|
||||
/// no specifed "level" arguments value is adapted default level(LOW)
|
||||
fn test_default_level_read_yaml() {
|
||||
let mut yaml = yaml::ParseYaml::new();
|
||||
let path = Path::new("test_files/rules/level_yaml");
|
||||
yaml.read_dir(path.to_path_buf(), &"").unwrap();
|
||||
assert_eq!(yaml.files.len(), 5);
|
||||
assert_eq!(yaml.files.len(), 4);
|
||||
}
|
||||
|
||||
#[test]
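Review bot: In the first hunk, `configs::LEVELMAP.get(doc_level).unwrap_or(&2)` and the matching `unwrap_or(&2)` for `level` hard-code the numeric rank of LOW, duplicating whatever `LEVELMAP` says for that key, and they also make every lookup miss silent: a rule whose `level` string is not a `LEVELMAP` key (a typo, for instance) is ranked as LOW and is then dropped whenever the user asks for a higher level, so the detection disappears without any message, and an unrecognised `--level` argument likewise silently becomes LOW. Consider looking the fallback up once, `let low = configs::LEVELMAP.get("LOW").expect("LEVELMAP defines LOW");`, and emitting an `AlertMessage` warning (or rejecting the rule) when either `get` returns `None`. The enclosing `ParseYaml` method starts above the hunk.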
|
||||
|
||||