Update: read messages from rules/**.toml

This commit is contained in:
itiB
2020-10-29 23:00:55 +09:00
parent c53b4b6f46
commit 1d8a9c19d2
8 changed files with 61 additions and 10 deletions

Cargo.lock generated

@@ -1191,6 +1191,7 @@ dependencies = [
"csv", "csv",
"evtx", "evtx",
"flate2", "flate2",
"lazy_static",
"quick-xml 0.17.2", "quick-xml 0.17.2",
"regex", "regex",
"serde", "serde",


@@ -18,3 +18,4 @@ csv = "1.1"
base64 = "*" base64 = "*"
flate2 = "1.0" flate2 = "1.0"
toml = "0.5" toml = "0.5"
lazy_static = "1.4.0"


@@ -0,0 +1,6 @@
[rule]
severity = "high"
name = "4103"
messages = [
["4103", { ja = "パイプライン実行をしています", en = "Execute Pipeline" }]
]


@@ -0,0 +1,6 @@
[rule]
severity = "high"
name = "4104"
messages = [
["4104", { ja = "リモートコマンドを実行します", en = "Excute Remote Command" }]
]
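Review bot: The English text of the `4104` entry is misspelled — `"Excute Remote Command"` — and because this string is what `return_message("4104")` prints for every matching event, the typo lands directly in the tool's output; change it to `en = "Execute Remote Command"`. The sibling `4103` file spells its message "Execute Pipeline", so the fix also keeps the two rule files consistent.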


@@ -1,8 +1,8 @@
use crate::detections::utils; use crate::detections::utils;
use crate::models::event; use crate::models::event;
use crate::detections::print::MESSAGES;
use regex::Regex; use regex::Regex;
use std::collections::HashMap; use std::collections::HashMap;
extern crate csv;
pub struct PowerShell {} pub struct PowerShell {}
@@ -25,6 +25,10 @@ impl PowerShell {
if event_id != "4103" { if event_id != "4103" {
return; return;
} }
let message = MESSAGES.lock().unwrap();
println!("{}", message.return_message("4103"));
let default = String::from(""); let default = String::from("");
let commandline = event_data.get("ContextInfo").unwrap_or(&default); let commandline = event_data.get("ContextInfo").unwrap_or(&default);
@@ -48,6 +52,9 @@ impl PowerShell {
if event_id != "4104" { if event_id != "4104" {
return; return;
} }
let message = MESSAGES.lock().unwrap();
println!("{}", message.return_message("4104"));
let default = String::from(""); let default = String::from("");
let path = event_data.get("Path").unwrap().to_string(); let path = event_data.get("Path").unwrap().to_string();
if path == "".to_string() { if path == "".to_string() {
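Review bot: `let message = MESSAGES.lock().unwrap();` in both new hunks binds the guard of the global `std::sync::Mutex` for the rest of the enclosing function, whose body continues past the hunk; if any later code on that path also locks `MESSAGES` it will deadlock (the lock is not reentrant), and a poisoned lock becomes a panic inside the event loop rather than one lost message. The guard is only needed for a single print, so let it die with the statement: `println!("{}", MESSAGES.lock().unwrap().return_message("4104"));` (same for the `4103` branch). Note also that the message is emitted immediately after the event-id check, before `Path`/`ContextInfo` is examined, so if the remainder of the function is what decides whether the event is suspicious, every PowerShell 4103/4104 record will print the alert text — worth confirming, since that remainder is outside the hunk.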


@@ -1,18 +1,20 @@
extern crate lazy_static;
use crate::detections::configs::{get_lang, Lang}; use crate::detections::configs::{get_lang, Lang};
use std::collections::HashMap; use std::collections::HashMap;
use crate::models::rule::MessageText;
use lazy_static::lazy_static;
use std::fmt; use std::fmt;
use std::sync::Mutex;
#[derive(Debug)]
pub struct MessageText {
pub ja: String,
pub en: String,
}
#[derive(Debug)] #[derive(Debug)]
pub struct Message { pub struct Message {
map: HashMap<String, MessageText>, map: HashMap<String, MessageText>,
} }
lazy_static! {
pub static ref MESSAGES: Mutex<Message> = Mutex::new(Message::new());
}
impl Message { impl Message {
pub fn new() -> Self { pub fn new() -> Self {
let mut messages: HashMap<String, MessageText> = HashMap::new(); let mut messages: HashMap<String, MessageText> = HashMap::new();
@@ -33,7 +35,9 @@ impl Message {
/// メッセージを返す /// メッセージを返す
pub fn return_message(&self, message_num: &str) -> &MessageText { pub fn return_message(&self, message_num: &str) -> &MessageText {
self.map.get(message_num).unwrap_or(self.map.get("undefined").unwrap()) self.map
.get(message_num)
.unwrap_or(self.map.get("undefined").unwrap())
} }
} }
@@ -60,7 +64,10 @@ fn test_create_and_read_message() {
}, },
); );
let display = format!("{}", format_args!("{}", error_message.return_message("4103"))); let display = format!(
"{}",
format_args!("{}", error_message.return_message("4103"))
);
assert_eq!(display, "Execute pipeline") assert_eq!(display, "Execute pipeline")
} }
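Review bot: In `return_message` the fallback `self.map.get("undefined").unwrap()` is passed to `unwrap_or`, so it is evaluated on every call even when `message_num` is present; if the `"undefined"` entry is ever missing, or overwritten by a rule file now that `rules/**.toml` populates this map, every lookup panics rather than only the miss path. The hunk merely reformats the line, but the commit is the moment to make the fallback lazy and state the invariant: `self.map.get(message_num).or_else(|| self.map.get("undefined")).expect("\"undefined\" fallback message must be registered")`. Separately, `extern crate lazy_static;` in the first hunk is redundant next to `use lazy_static::lazy_static;` on a 2018-edition crate (the edition is not visible here) and can be dropped.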


@@ -5,12 +5,28 @@ use quick_xml::de::DeError;
use std::{fs, path::PathBuf, process}; use std::{fs, path::PathBuf, process};
use yamato_event_analyzer::detections::configs; use yamato_event_analyzer::detections::configs;
use yamato_event_analyzer::detections::detection; use yamato_event_analyzer::detections::detection;
use yamato_event_analyzer::detections::print; use yamato_event_analyzer::detections::print::MESSAGES;
use yamato_event_analyzer::omikuji::Omikuji; use yamato_event_analyzer::omikuji::Omikuji;
use yamato_event_analyzer::toml; use yamato_event_analyzer::toml;
fn main() -> Result<(), DeError> { fn main() -> Result<(), DeError> {
configs::singleton(); configs::singleton();
let mut toml = toml::ParseToml::new();
&toml.read_dir("rules".to_string());
for rule in toml.rules {
match rule {
Ok(_rule) => {
let mut message = MESSAGES.lock().unwrap();
if let Some(messages) = _rule.rule.messages {
for (key, texts) in messages {
message.insert_message(key, texts);
}
}
}
Err(_) => (),
}
}
let filepath: String = configs::singleton() let filepath: String = configs::singleton()
.args .args
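Review bot: The rule-loading loop in `main` silently discards every rule that fails to parse (`Err(_) => ()`), and the value of `&toml.read_dir("rules".to_string())` is thrown away behind a stray `&`, so a malformed, truncated or tampered file under `rules/` — or an unreadable `rules/` directory — makes detection messages disappear without any diagnostic. At minimum surface it: `Err(e) => eprintln!("failed to load rule: {:?}", e),` and call `toml.read_dir("rules".to_string());` without the `&`, checking its return value if it is a `Result` (its signature is not in this diff). The global lock is also taken once per rule inside the loop; hoisting `let mut message = MESSAGES.lock().unwrap();` above the `for` avoids that, and if `insert_message` overwrites existing keys (its body is not shown) a rule file can silently replace the built-in `4103`/`4104` texts, which should be a deliberate choice. Note too that `"rules"` is resolved against the current working directory, not the executable's location, so the set of rules loaded depends on where the tool is launched from.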


@@ -5,6 +5,13 @@ use serde::Deserialize;
pub struct Rule { pub struct Rule {
pub severity: Option<String>, pub severity: Option<String>,
pub name: Option<String>, pub name: Option<String>,
pub messages: Option<Vec<(String, MessageText)>>,
}
#[derive(Debug, Deserialize)]
pub struct MessageText {
pub ja: String,
pub en: String,
} }
#[derive(Debug, Deserialize)] #[derive(Debug, Deserialize)]
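Review bot: Every field of `Rule` is an `Option`, so a rule file with a misspelled key (for example `severety` or `message`) deserializes successfully into a rule whose fields are all `None`, and the detection quietly loses its messages; combined with `main` ignoring parse errors, nothing ever surfaces. Add `#[serde(deny_unknown_fields)]` beneath the `#[derive(Debug, Deserialize)]` on `Rule` (that derive line sits just above the hunk) and on the new `MessageText` so unknown keys are rejected at load time. A one-line doc comment on `MessageText`, such as `/// Localised alert text (ja/en), keyed by event id in a rule file's messages array.`, would also help readers now that the type lives in the models module.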