From 9ee89e20d51ed813aed81f8018760bbc5f58084f Mon Sep 17 00:00:00 2001
From: garigariganzy
Date: Thu, 23 Jun 2022 01:20:18 +0900
Subject: [PATCH 1/7] WIP:statistics add channel #463

---
 rules | 2 +-
 src/timeline/statistics.rs | 25 ++++++++++++++++++++++---
 2 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/rules b/rules
index 4d5b76a3..8c14d12b 160000
--- a/rules
+++ b/rules
@@ -1 +1 @@
-Subproject commit 4d5b76a37db4b2f225968c71fdce196564857cb7
+Subproject commit 8c14d12be3f2d08721eee6db7238058fdaca3ce6
diff --git a/src/timeline/statistics.rs b/src/timeline/statistics.rs
index 3ae81b9a..d487a0a4 100644
--- a/src/timeline/statistics.rs
+++ b/src/timeline/statistics.rs
@@ -2,6 +2,18 @@ use crate::detections::print::{LOGONSUMMARY_FLAG, STATISTICS_FLAG};
 use crate::detections::{detection::EvtxRecordInfo, utils};
 use hashbrown::HashMap;
+#[derive(Debug)]
+pub struct LogEventInfo {
+ pub channel: String,
+ pub eventid: String,
+}
+
+impl LogEventInfo {
+ pub fn new(channel: String, eventid: String) -> LogEventInfo {
+ LogEventInfo { channel, eventid }
+ }
+}
+
 #[derive(Debug)]
 pub struct EventStatistics {
 pub total: usize,
@@ -92,13 +104,20 @@ impl EventStatistics {
 fn stats_eventid(&mut self, records: &[EvtxRecordInfo]) {
 // let mut evtstat_map = HashMap::new();
 for record in records.iter() {
+ let channel = utils::get_event_value("Channel", &record.record);
 let evtid = utils::get_event_value("EventID", &record.record);
+ if channel.is_none() {
+ continue;
+ }
 if evtid.is_none() {
 continue;
 }
-
- let idnum = evtid.unwrap();
- let count: &mut usize = self.stats_list.entry(idnum.to_string()).or_insert(0);
+ let ch = channel.unwrap().to_string();
+ let id = evtid.unwrap().to_string();
+ let chandid = ch + "," + &id;
+ //let logdata = LogEventInfo::new(ch , id);
+ //println!("{:?},{:?}", logdata.channel, logdata.eventid);
+ let count: &mut usize = self.stats_list.entry(chandid).or_insert(0);
 *count += 1;
 }
 // return evtstat_map;
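Review bot: `LogEventInfo` and its `new` constructor are added in this hunk but never used — the only references are the two commented-out lines in `stats_eventid` further down. Either make it the key type of `stats_list` (it would then need `#[derive(PartialEq, Eq, Hash)]` to serve as a `HashMap` key) or drop it until it is needed; an unused `pub` struct still becomes part of the crate's public surface and the commented-out code should not be committed.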
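Review bot: The new map key `let chandid = ch + "," + &id;` is a stringly-typed composite whose separator is a character a channel name could itself contain, so two distinct (channel, id) pairs can produce the same key, and any later split on `,` becomes ambiguous. A tuple key `(String, String)` for `stats_list` keeps the two parts distinct without any parsing. Also, `channel.unwrap().to_string()` stringifies whatever `get_event_value` returns — if that is a JSON value, the key will carry the value's surrounding quotes, so extract the plain string form before building the key rather than scrubbing quotes afterwards. `stats_eventid` continues past the hunk.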
From 991cb9db1740604460a63af1315d5451233e7ab2 Mon Sep 17 00:00:00 2001
From: garigariganzy
Date: Thu, 8 Sep 2022 01:31:53 +0900
Subject: [PATCH 2/7] WIP:change to comfy_table #463

---
 rules | 2 +-
 src/lib.rs | 2 --
 src/timeline/timelines.rs | 10 +++++-----
 3 files changed, 6 insertions(+), 8 deletions(-)

diff --git a/rules b/rules
index 5364222c..ff5732fa 160000
--- a/rules
+++ b/rules
@@ -1 +1 @@
-Subproject commit 5364222c5459472d8ecbd46c49b482172be9d184
+Subproject commit ff5732fa1788b1c2281fdc3ccaa0dd0301b030d8
diff --git a/src/lib.rs b/src/lib.rs
index 45a8b1e5..5faf0723 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -6,5 +6,3 @@ pub mod omikuji;
 pub mod options;
 pub mod timeline;
 pub mod yaml;
-#[macro_use]
-extern crate prettytable;
diff --git a/src/timeline/timelines.rs b/src/timeline/timelines.rs
index a0cad83a..a5fa1b19 100644
--- a/src/timeline/timelines.rs
+++ b/src/timeline/timelines.rs
@@ -1,6 +1,6 @@
 use crate::detections::message::{LOGONSUMMARY_FLAG, STATISTICS_FLAG};
 use crate::detections::{configs::CONFIG, detection::EvtxRecordInfo};
-use prettytable::{Cell, Row, Table};
+use comfy_table::*;
 use super::statistics::EventStatistics;
 use hashbrown::HashMap;
@@ -142,7 +142,7 @@ impl Timeline {
 }
 } else {
 let mut logins_stats_tb = Table::new();
- logins_stats_tb.set_titles(row!["User", "Failed", "Successful"]);
+ logins_stats_tb.set_header(vec!["User", "Failed", "Successful"]);
 // 集計件数でソート
 let mut mapsorted: Vec<_> = self.stats.stats_login_list.iter().collect();
 mapsorted.sort_by(|x, y| x.0.cmp(y.0));
@@ -153,13 +153,13 @@ impl Timeline {
 //key.to_string().pop();
 username.pop();
 username.remove(0);
- logins_stats_tb.add_row(Row::new(vec![
+ logins_stats_tb.add_row(vec![
 Cell::new(&username),
 Cell::new(&values[1].to_string()),
 Cell::new(&values[0].to_string()),
- ]));
+ ]);
 }
- logins_stats_tb.printstd();
+ println!("{logins_stats_tb}");
 println!();
 }
 }
From 165106f76274144148b2061ca93abd17bcdd679f Mon Sep 17 00:00:00 2001
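Review bot: `use comfy_table::*;` is a glob import while the two later hunks in this file only use `Table` and `Cell`; a glob hides where names come from and can shadow or clash with local items as the crate grows. Prefer the explicit form `use comfy_table::{Cell, Table};`, which also mirrors the `prettytable` import it replaces.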
From: garigariganzy
Date: Thu, 29 Sep 2022 22:52:15 +0900
Subject: [PATCH 3/7] WIP#463

---
 rules | 2 +-
 src/timeline/metrics.rs | 7 ++--
 src/timeline/timelines.rs | 68 +++++++++++++++++++--------------------
 3 files changed, 37 insertions(+), 40 deletions(-)

diff --git a/rules b/rules
index 2b0f88d1..aaf910cd 160000
--- a/rules
+++ b/rules
@@ -1 +1 @@
-Subproject commit 2b0f88d1c09b5b9979b99686a29a244993508210
+Subproject commit aaf910cdcaca32e89b0f81b0af4e180228d21eb6
diff --git a/src/timeline/metrics.rs b/src/timeline/metrics.rs
index 157de252..cf064b00 100644
--- a/src/timeline/metrics.rs
+++ b/src/timeline/metrics.rs
@@ -3,7 +3,6 @@ use crate::detections::{detection::EvtxRecordInfo, utils};
 use hashbrown::HashMap;
 #[derive(Debug)]
-<<<<<<< HEAD:src/timeline/statistics.rs
 pub struct LogEventInfo {
 pub channel: String,
 pub eventid: String,
@@ -16,10 +15,7 @@ impl LogEventInfo {
 }
 #[derive(Debug)]
-pub struct EventStatistics {
-=======
 pub struct EventMetrics {
->>>>>>> ebe89905b51b332817d753847e22758d4b511d5c:src/timeline/metrics.rs
 pub total: usize,
 pub filepath: String,
 pub start_time: String,
@@ -118,7 +114,8 @@ impl EventMetrics {
 }
 let ch = channel.unwrap().to_string();
 let id = evtid.unwrap().to_string();
- let chandid = ch + "," + &id;
+ let mut chandid = ch + "," + &id;
+ chandid.retain(|c| c != '"');
 //let logdata = LogEventInfo::new(ch , id);
 //println!("{:?},{:?}", logdata.channel, logdata.eventid);
 let count: &mut usize = self.stats_list.entry(chandid).or_insert(0);
diff --git a/src/timeline/timelines.rs b/src/timeline/timelines.rs
index 8870539d..aeaa0d12 100644
--- a/src/timeline/timelines.rs
+++ b/src/timeline/timelines.rs
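Review bot: `chandid.retain(|c| c != '"');` scrubs every double quote from the combined key after the fact, which removes quotes that are part of the data just as readily as the ones introduced by `to_string()` on the raw values. If `get_event_value` yields JSON values, taking their string form before calling `to_string()` and concatenating avoids both the quoting and this post-hoc filter; if the quotes come from somewhere else, a comment saying where would help the next reader. The two commented-out `LogEventInfo` lines are still carried along and should be deleted. The enclosing `stats_eventid` body starts and ends outside the hunk.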
@@ -46,22 +46,16 @@ impl Timeline { sammsges.push(format!("Total Event Records: {}\n", self.stats.total)); sammsges.push(format!("First Timestamp: {}", self.stats.start_time)); sammsges.push(format!("Last Timestamp: {}\n", self.stats.end_time)); - sammsges.push("Count (Percent)\tID\tEvent\t".to_string()); - sammsges.push("--------------- ------- ---------------".to_string()); // 集計件数でソート let mut mapsorted: Vec<_> = self.stats.stats_list.iter().collect(); mapsorted.sort_by(|x, y| y.1.cmp(x.1)); - // イベントID毎の出力メッセージ生成 - let stats_msges: Vec = self.tm_stats_set_msg(mapsorted); - for msgprint in sammsges.iter() { println!("{}", msgprint); } - for msgprint in stats_msges.iter() { - println!("{}", msgprint); - } + // イベントID毎の出力メッセージ生成 + self.tm_stats_set_msg(mapsorted); } pub fn tm_logon_stats_dsp_msg(&mut self) { @@ -84,13 +78,21 @@ impl Timeline { } // イベントID毎の出力メッセージ生成 - fn tm_stats_set_msg(&self, mapsorted: Vec<(&std::string::String, &usize)>) -> Vec { - let mut msges: Vec = Vec::new(); + fn tm_stats_set_msg(&self, mapsorted: Vec<(&std::string::String, &usize)>) { + let mut eid_metrics_tb = Table::new(); + eid_metrics_tb.set_header(vec!["Count", "Percent(%)", "channel,ID", "Eventtitle"]); for (event_id, event_cnt) in mapsorted.iter() { // 件数の割合を算出 let rate: f32 = **event_cnt as f32 / self.stats.total as f32; + // channelとIDを分割 + let ch_id = event_id.split(',').fold(Vec::new(), |mut s, i| { + s.push(i.to_string()); + s + }); + println!("{:?}", ch_id); + // イベント情報取得(eventtitleなど) let conf = CONFIG .read() 
@@ -100,34 +102,32 @@ impl Timeline {
 .is_some();
 // event_id_info.txtに登録あるものは情報設定
 if conf {
- // 出力メッセージ1行作成
- msges.push(format!(
- "{0} ({1:.1}%)\t{2}\t{3}",
- event_cnt,
- (rate * 1000.0).round() / 10.0,
- event_id,
- &CONFIG
- .read()
- .unwrap()
- .event_timeline_config
- .get_event_id(*event_id)
- .unwrap()
- .evttitle,
- ));
+ eid_metrics_tb.add_row(vec![
+ Cell::new(&event_cnt),
+ Cell::new(&rate),
+ Cell::new(&event_id),
+ Cell::new(
+ &CONFIG
+ .read()
+ .unwrap()
+ .event_timeline_config
+ .get_event_id(*event_id)
+ .unwrap()
+ .evttitle,
+ ),
+ ]);
 } else {
 // 出力メッセージ1行作成
- msges.push(format!(
- "{0} ({1:.1}%)\t{2}\t{3}",
- event_cnt,
- (rate * 1000.0).round() / 10.0,
- event_id,
- "Unknown",
- ));
+ eid_metrics_tb.add_row(vec![
+ Cell::new(&event_cnt),
+ Cell::new(&rate),
+ Cell::new(&event_id),
+ Cell::new(&"Unknown".to_string()),
+ ]);
 }
 }
-
- msges.push("---------------------------------------".to_string());
- msges
+ println!("{eid_metrics_tb}");
+ println!();
 }
 // ユーザ毎のログイン統計情報出力メッセージ生成
 fn tm_loginstats_tb_set_msg(&self) {
From 4bb2cf1a899742707bcb2d4ff82fa2744c3ea4a4 Mon Sep 17 00:00:00 2001
From: garigariganzy
Date: Tue, 4 Oct 2022 01:16:34 +0900
Subject: [PATCH 4/7] WIP#463

---
 rules | 2 +-
 src/detections/configs.rs | 21 ++++++++++++---------
 src/lib.rs | 3 ---
 src/timeline/timelines.rs | 14 +++++----------
 4 files changed, 18 insertions(+), 22 deletions(-)

diff --git a/rules b/rules
index 28c1de32..aaf910cd 160000
--- a/rules
+++ b/rules
@@ -1 +1 @@
-Subproject commit 28c1de3279a62f2bf9ae01327e0df0fe4fba443a
+Subproject commit aaf910cdcaca32e89b0f81b0af4e180228d21eb6
diff --git a/src/detections/configs.rs b/src/detections/configs.rs
index 5a29b104..53207655 100644
--- a/src/detections/configs.rs
+++ b/src/detections/configs.rs
@@ -555,7 +555,7 @@ impl EventInfo {
 }
 #[derive(Debug, Clone)]
 pub struct EventInfoConfig {
- eventinfo: HashMap,
+ eventinfo: HashMap<(String, String), EventInfo>,
 }
 impl Default for EventInfoConfig {
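Review bot: `Cell::new(&rate)` in both new `add_row` calls puts the raw fraction (`rate` is `event_cnt / total`, so a value between 0 and 1) under the `Percent(%)` header with full f32 precision, whereas the removed `format!` rendered `(rate * 1000.0).round() / 10.0` as a one-decimal percentage; the column is now both mislabeled and noisy. Restore the scaling, e.g. `Cell::new(format!("{:.1}", (rate * 1000.0).round() / 10.0))`, in both branches. `Cell::new(&"Unknown".to_string())` allocates for nothing — `Cell::new("Unknown")` is enough — and the `if conf` branch repeats the `get_event_id(*event_id)` lookup only to `unwrap()` it; an `if let Some(info) = …get_event_id(*event_id)` on the lookup itself would do one lookup and drop the `unwrap`. The enclosing `tm_stats_set_msg` starts outside the hunk.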
@@ -570,8 +570,9 @@ impl EventInfoConfig {
 eventinfo: HashMap::new(),
 }
 }
- pub fn get_event_id(&self, eventid: &str) -> Option<&EventInfo> {
- self.eventinfo.get(eventid)
+ pub fn get_event_id(&self, channel: &str, eventid: &str) -> Option<&EventInfo> {
+ self.eventinfo
+ .get(&(channel.to_string(), eventid.to_string()))
 }
 }
@@ -586,19 +587,21 @@ fn load_eventcode_info(path: &str) -> EventInfoConfig {
 // event_id_info.txtが読み込めなかったらエラーで終了とする。
 read_result.unwrap().into_iter().for_each(|line| {
- if line.len() != 2 {
+ if line.len() != 3 {
 return;
 }
 let empty = &"".to_string();
- let eventcode = line.get(0).unwrap_or(empty);
- let event_title = line.get(1).unwrap_or(empty);
+ let channel = line.get(0).unwrap_or(empty);
+ let eventcode = line.get(1).unwrap_or(empty);
+ let event_title = line.get(2).unwrap_or(empty);
 infodata = EventInfo {
 evttitle: event_title.to_string(),
 };
- config
- .eventinfo
- .insert(eventcode.to_owned(), infodata.to_owned());
+ config.eventinfo.insert(
+ (channel.to_owned(), eventcode.to_owned()),
+ infodata.to_owned(),
+ );
 });
 config
 }
diff --git a/src/lib.rs b/src/lib.rs
index c8f62192..655018ce 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -6,8 +6,5 @@ pub mod omikuji;
 pub mod options;
 pub mod timeline;
 pub mod yaml;
-<<<<<<< HEAD
-=======
 #[macro_use]
 extern crate horrorshow;
->>>>>>> d91fd31392813c79a33cf5dc10eae06db2ce2613
diff --git a/src/timeline/timelines.rs b/src/timeline/timelines.rs
index 697566f0..5f0b4cbb 100644
--- a/src/timeline/timelines.rs
+++ b/src/timeline/timelines.rs
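Review bot: The new `get_event_id(&self, channel: &str, eventid: &str)` allocates two owned `String`s on every call just to build the `(String, String)` lookup key, and the timelines.rs hunks in this patch call it twice per table row (once for `is_some()`, once to `unwrap()`), so each row pays four allocations for one lookup. That is tolerable at the current table size, but the contract deserves a doc comment since the key is now a pair: `/// Returns the configured event info for the given (channel, event id) pair; both strings must match the config file's spelling exactly.` If it ever shows up in a profile, a nested `HashMap<String, HashMap<String, EventInfo>>` lets both levels be looked up by `&str` without allocating.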
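Review bot: `if line.len() != 3 { return; }` in `load_eventcode_info` silently discards any row that does not have exactly three columns, so a file still in the old two-column layout — or a single row with a stray separator — is dropped without a diagnostic and every later lookup simply reports `Unknown`. Emitting a warning for each skipped row (with its line content) would make a stale or malformed config visible instead of looking like missing event data. After the length check, the three `unwrap_or(empty)` fallbacks can no longer trigger; a comment saying so, or an `expect("row has three columns")`, would make the invariant explicit rather than leaving a fallback that looks meaningful.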
@@ -139,23 +139,19 @@ impl Timeline {
 // 件数の割合を算出
 let rate: f32 = **event_cnt as f32 / self.stats.total as f32;
- // channelとIDを分割
- let ch_id = event_id.split(',').fold(Vec::new(), |mut s, i| {
- s.push(i.to_string());
- s
- });
- println!("{:?}", ch_id);
+ let fmted_channel = channel.replace('\"', "");
+ println!("{:?}", fmted_channel);
+ println!("{:?}", event_id);
 // イベント情報取得(eventtitleなど)
 let conf = CONFIG
 .read()
 .unwrap()
 .event_timeline_config
- .get_event_id(event_id)
+ .get_event_id(&fmted_channel, event_id)
 .is_some();
 // event_id_info.txtに登録あるものは情報設定
 // 出力メッセージ1行作成
- let fmted_channel = channel.replace('\"', "");
 let ch = CH_CONFIG
 .get(fmted_channel.to_lowercase().as_str())
 .unwrap_or(&fmted_channel)
@@ -170,7 +166,7 @@ impl Timeline {
 .read()
 .unwrap()
 .event_timeline_config
- .get_event_id(&fmted_channel, event_id)
 .unwrap()
 .evttitle
 .to_string(),
From e4c52f386f8f3a03f3cea2c4e166990064fe2fff Mon Sep 17 00:00:00 2001
From: garigariganzy
Date: Wed, 5 Oct 2022 00:49:24 +0900
Subject: [PATCH 5/7] Check channel_eid_info #463

---
 rules | 2 +-
 src/detections/configs.rs | 4 ++--
 src/timeline/timelines.rs | 2 --
 3 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/rules b/rules
index aaf910cd..cab56600 160000
--- a/rules
+++ b/rules
@@ -1 +1 @@
-Subproject commit aaf910cdcaca32e89b0f81b0af4e180228d21eb6
+Subproject commit cab56600cbefa68aa1190b10fe2fd88191fe3dab
diff --git a/src/detections/configs.rs b/src/detections/configs.rs
index 53207655..62258044 100644
--- a/src/detections/configs.rs
+++ b/src/detections/configs.rs
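Review bot: `.get_event_id(&fmted_channel, event_id)` matches the channel exactly as the record spells it (quotes stripped), while the `CH_CONFIG` lookup a few lines below lowercases the same value first; if the event-info config lists a channel with different capitalisation than the evtx record carries, this lookup misses and the row is reported as `Unknown` even though the display-name lookup succeeds. Normalizing the channel the same way on both sides — lowercasing here and when the config is loaded — would make the two lookups agree; if exact case is intentional, a comment stating that the config must use the record's spelling would save the next reader the question. The two `println!("{:?}", …)` debug lines should not ship with the feature. The enclosing loop and `tm_stats_set_msg` start and end outside the hunk.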
@@ -269,11 +269,11 @@ impl ConfigReader<'_> {
 args: parse.clone(),
 headless_help: String::default(),
 event_timeline_config: load_eventcode_info(
- utils::check_setting_path(&parse.config, "event_id_info.txt", false)
+ utils::check_setting_path(&parse.config, "channel_eid_info.txt", false)
 .unwrap_or_else(|| {
 utils::check_setting_path(
 &CURRENT_EXE_PATH.to_path_buf(),
- "rules/config/event_id_info.txt",
+ "rules/config/channel_eid_info.txt",
 true,
 )
 .unwrap()
diff --git a/src/timeline/timelines.rs b/src/timeline/timelines.rs
index 5f0b4cbb..3532ce50 100644
--- a/src/timeline/timelines.rs
+++ b/src/timeline/timelines.rs
@@ -140,8 +140,6 @@ impl Timeline {
 let rate: f32 = **event_cnt as f32 / self.stats.total as f32;
 let fmted_channel = channel.replace('\"', "");
- println!("{:?}", fmted_channel);
- println!("{:?}", event_id);
 // イベント情報取得(eventtitleなど)
 let conf = CONFIG
From 1aa0d75d51b52b8c78601647f3b999301ed3175c Mon Sep 17 00:00:00 2001
From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com>
Date: Wed, 5 Oct 2022 06:58:15 +0900
Subject: [PATCH 6/7] update hayabusa version and changelog

---
 CHANGELOG-Japanese.md | 6 ++++++
 CHANGELOG.md | 6 ++++++
 Cargo.lock | 34 ++++++++++++++++------------------
 Cargo.toml | 2 +-
 rules | 2 +-
 5 files changed, 30 insertions(+), 20 deletions(-)

diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md
index 2b526423..f3638a7d 100644
--- a/CHANGELOG-Japanese.md
+++ b/CHANGELOG-Japanese.md
@@ -1,5 +1,11 @@
 # 変更点
+## 1.7.1 [2022/xx/xx]
+
+**バグ修正:**
+
+- より正確な結果を出力するために、チャンネルとEIDの情報を`rules/config/channel_eid_info.txt`に基づいてチェックするようにした。 (#463) (@garigariganzy)
+
 ## 1.7.0 [2022/09/29]
 **新機能:**
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0dc700d0..b640a2fe 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,11 @@ # Changes +## 1.7.1 [2022/xx/xx] + +**Bug Fixes:** + +- Hayabusa now check Channel and EID information based on `rules/config/channel_eid_info.txt` to provide more accurate results. (#463) (@garigariganzy) + ## 1.7.0 [2022/09/29] **New Features:** diff --git a/Cargo.lock b/Cargo.lock index bbb0e316..d770bfea 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -310,26 +310,24 @@ dependencies = [ [[package]] name = "crossbeam-epoch" -version = "0.9.10" +version = "0.9.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "045ebe27666471bb549370b4b0b3e51b07f56325befa4284db65fc89c02511b1" +checksum = "f916dfc5d356b0ed9dae65f1db9fc9770aa2851d2662b988ccf4fe3516e86348" dependencies = [ "autocfg", "cfg-if", "crossbeam-utils", "memoffset", - "once_cell", "scopeguard", ] [[package]] name = "crossbeam-utils" -version = "0.8.11" +version = "0.8.12" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "51887d4adc7b564537b15adcfb307936f8075dfcd5f00dde9a9f1d29383682bc" +checksum = "edbafec5fa1f196ca66527c1b12c2ec4745ca14b50f1ad8f9f6f720b55d11fac" dependencies = [ "cfg-if", - "once_cell", ] [[package]] @@ -746,7 +744,7 @@ dependencies = [ [[package]] name = "hayabusa" -version = "1.7.0" +version = "1.7.1-dev" dependencies = [ "base64", "bytesize", @@ -999,9 +997,9 @@ checksum = "6c8af84674fe1f223a982c933a0ee1086ac4d4052aa0fb8060c12c6ad838e754" [[package]] name = "jemalloc-sys" -version = "0.5.1+5.3.0-patched" +version = "0.5.2+5.3.0-patched" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b7c2b313609b95939cb0c5a5c6917fb9b7c9394562aa3ef44eb66ffa51736432" +checksum = "134163979b6eed9564c98637b710b40979939ba351f59952708234ea11b5f3f8" dependencies = [ "cc", "fs_extra", 
@@ -1063,9 +1061,9 @@ checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646" [[package]] name = "libc" -version = "0.2.133" +version = "0.2.134" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c0f80d65747a3e43d1596c7c5492d95d5edddaabd45a7fcdb02b95f644164966" +checksum = "329c933548736bc49fd575ee68c89e8be4d260064184389a5b77517cddd99ffb" [[package]] name = "libgit2-sys" @@ -1436,9 +1434,9 @@ checksum = "dbf0c48bc1d91375ae5c3cd81e3722dff1abcf81a30960240640d223f59fe0e5" [[package]] name = "proc-macro2" -version = "1.0.45" +version = "1.0.46" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3edcd08cf4fea98d1ae6c9ddd3b8ccb1acac7c3693d62625969a7daa04a2ae36" +checksum = "94e2ef8dbfc347b10c094890f778ee2e36ca9bb4262e86dc99cd217e35f3470b" dependencies = [ "unicode-ident", ] @@ -1834,7 +1832,7 @@ checksum = "48dfff04aade74dd495b007c831cd6f4e0cee19c344dd9dc0884c0289b70a786" dependencies = [ "log", "termcolor", - "time 0.3.14", + "time 0.3.15", ] [[package]] @@ -1863,9 +1861,9 @@ dependencies = [ [[package]] name = "smallvec" -version = "1.9.0" +version = "1.10.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2fd0db749597d91ff862fd1d55ea87f7855a744a8425a64695b6fca237d1dad1" +checksum = "a507befe795404456341dfab10cef66ead4c041f62b8b11bbb92bffe5d0953e0" [[package]] name = "socket2" @@ -2074,9 +2072,9 @@ dependencies = [ [[package]] name = "time" -version = "0.3.14" +version = "0.3.15" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3c3f9a28b618c3a6b9251b6908e9c99e04b9e5c02e6581ccbb67d59c34ef7f9b" +checksum = "d634a985c4d4238ec39cacaed2e7ae552fbd3c476b552c1deac3021b7d7eaf0c" dependencies = [ "itoa 1.0.3", "libc", diff --git a/Cargo.toml b/Cargo.toml index 0df35519..94088995 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -1,6 +1,6 @@
 [package]
 name = "hayabusa"
-version = "1.7.0"
+version = "1.7.1-dev"
 authors = ["Yamato Security @SecurityYamato"]
 edition = "2021"
diff --git a/rules b/rules
index cab56600..a8c20083 160000
--- a/rules
+++ b/rules
@@ -1 +1 @@
-Subproject commit cab56600cbefa68aa1190b10fe2fd88191fe3dab
+Subproject commit a8c200833146142246d72087438aa51ca6857185
From da3ae2e6509e87d1694ec8a2db9a07773e6e0fea Mon Sep 17 00:00:00 2001
From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com>
Date: Wed, 5 Oct 2022 07:01:12 +0900
Subject: [PATCH 7/7] fix typo

---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index b640a2fe..f7dc5318 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,7 +4,7 @@
 **Bug Fixes:**
-- Hayabusa now check Channel and EID information based on `rules/config/channel_eid_info.txt` to provide more accurate results. (#463) (@garigariganzy)
+- Hayabusa now checks Channel and EID information based on `rules/config/channel_eid_info.txt` to provide more accurate results. (#463) (@garigariganzy)
 ## 1.7.0 [2022/09/29]