under constructing

2020-11-21 15:04:28 +09:00
parent a794e011a9
commit 1abdbafb5a
13 changed files with 360 additions and 71 deletions
--- a/src/detections/detection.rs
+++ b/src/detections/detection.rs
@@ -1,74 +1,78 @@
 extern crate csv;
-extern crate quick_xml;
+extern crate chrono;

-use crate::detections::application;
-use crate::detections::applocker;
-use crate::detections::common;
-use crate::detections::powershell;
-use crate::detections::security;
-use crate::detections::sysmon;
-use crate::detections::system;
-use crate::models::event;
+use crate::detections::rule;
+use crate::detections::rule::RuleNode;
+use crate::detections::print::{Message};
+use crate::yaml::ParseYaml;
+
+use chrono::{TimeZone, Utc};
 use evtx::EvtxParser;
-use quick_xml::de::DeError;
-use std::collections::BTreeMap;
+use serde_json::{Error, Value};
+
+const DIRPATH_RULES: &str = "rules";

 #[derive(Debug)]
 pub struct Detection {
-    timeline_list: BTreeMap<String, String>,
+    
 }

 impl Detection {
    pub fn new() -> Detection {
        Detection {
-            timeline_list: BTreeMap::new(),
        }
    }

-    pub fn start(&mut self, mut parser: EvtxParser<std::fs::File>) -> Result<(), DeError> {
-        let mut common: common::Common = common::Common::new();
-        let mut security = security::Security::new();
-        let mut system = system::System::new();
-        let mut application = application::Application::new();
-        let mut applocker = applocker::AppLocker::new();
-        let mut sysmon = sysmon::Sysmon::new();
-        let mut powershell = powershell::PowerShell::new();
-
-        for record in parser.records() {
-            match record {
-                Ok(r) => {
-                    let event: event::Evtx = quick_xml::de::from_str(&r.data)?;
-                    let event_id = event.system.event_id.to_string();
-                    let channel = event.system.channel.to_string();
-                    let event_data = event.parse_event_data();
-
-                    &common.detection(&event.system, &event_data);
-                    if channel == "Security" {
-                        &security.detection(event_id, &event.system, &event.user_data, event_data);
-                    } else if channel == "System" {
-                        &system.detection(event_id, &event.system, event_data);
-                    } else if channel == "Application" {
-                        &application.detection(event_id, &event.system, event_data);
-                    } else if channel == "Microsoft-Windows-PowerShell/Operational" {
-                        &powershell.detection(event_id, &event.system, event_data);
-                    } else if channel == "Microsoft-Windows-Sysmon/Operational" {
-                        &sysmon.detection(event_id, &event.system, event_data);
-                    } else if channel == "Microsoft-Windows-AppLocker/EXE and DLL" {
-                        &applocker.detection(event_id, &event.system, event_data);
-                    } else {
-                        //&other.detection();
-                    }
+    pub fn start(&mut self, mut parser: EvtxParser<std::fs::File>) {
+        // from .etvx to json
+        let event_records: Vec<Value> = parser
+            .records_json()
+            .filter_map(|result_record| {
+                if result_record.is_err() {
+                    eprintln!("{}", result_record.unwrap_err());
+                    return Option::None;
                }
-                Err(e) => eprintln!("{}", e),
-            }
+
+                //// refer https://rust-lang-nursery.github.io/rust-cookbook/encoding/complex.html
+                let result_json: Result<Value, Error> =
+                    serde_json::from_str(&result_record.unwrap().data);
+                if result_json.is_err() {
+                    eprintln!("{}", result_json.unwrap_err());
+                    return Option::None;
+                }
+                return result_json.ok();
+            })
+            .collect();
+
+        event_records.iter().for_each(|event_rec| {
+            println!("{}", event_rec["Event"]);
+        });
+
+        // load rule files
+        let mut rulefile_loader = ParseYaml::new();
+        let resutl_readdir = rulefile_loader.read_dir(DIRPATH_RULES);
+        if resutl_readdir.is_err() {
+            eprintln!("{}", resutl_readdir.unwrap_err());
+            return;
        }

-        ////////////////////////////
-        // 表示
-        ////////////////////////////
-        common.disp();
-        security.disp();
+        // parse rule files
+        let rules: Vec<RuleNode> = rulefile_loader
+            .files
+            .into_iter()
+            .map(|rule_file| rule::parse_rule(rule_file))
+            .collect();

-        return Ok(());
+        // selection rule files and collect log
+        let mut message = Message::new();
+        rules.iter().for_each(|rule| {
+            &event_records
+                .iter()
+                .filter(|event_record| rule.detection.select(event_record))
+                .for_each(|event_record| message.insert(Utc.ymd(1996, 2, 27).and_hms(1, 5, 1), event_record.to_string()));
+        });
+
+        // output message
+        message.debug();
    }
 }