Merge branch 'feature/sysmon2' of https://github.com/YamatoSecurity/YamatoEventAnalyzer into feature/sysmon2

2020-10-25 03:11:11 +09:00
parent b83fc1c5f5 71e2ba0309
commit 27c20707e6
1 changed files with 28 additions and 25 deletions
--- a/src/detections/sysmon.rs
+++ b/src/detections/sysmon.rs
@@ -1,6 +1,8 @@
 use crate::detections::utils::check_command;
 use crate::models::event;
 use std::collections::HashMap;
+use std::fs::File;
+use std::io::prelude::*;

 pub struct Sysmon {
    empty_str: String,
@@ -38,8 +40,17 @@ impl Sysmon {
            }
            println!("Log     : Sysmon");
            let minlength = 1000;
-            let _creater = event_data.get("ParentImage").unwrap_or(&self.empty_str);
+            //let mut f = File::open("whitelist.txt").expect("file not found");
+            //let mut contents = String::new();
+            //f.read_to_string(&mut contents);
+            //let rdr = csv::Reader::from_reader(contents.as_bytes());
+            if let Some(_creater) = event_data.get("ParentImage") {
+                //check_command(1, _command_line, minlength, 0, "", _creater, rdr);
                check_command(1, _command_line, minlength, 0, "", _creater);
+            } else {
+                //check_command(1, _command_line, minlength, 0, "", "", rdr);
+                check_command(1, _command_line, minlength, 0, "", "");
+            }
        }
    }

@@ -56,30 +67,22 @@ impl Sysmon {
        // This can be very chatty, so it's disabled.
        // Set $checkunsigned to 1 (global variable section) to enable:
        if self.checkunsigned == 1 {
-            let _signed = event_data.get("Signed").unwrap_or(&self.empty_str);
+            if let Some(_signed) = event_data.get("Signed") {
                if _signed == "false" {
-                let _date = event_data.get("UtcTime").unwrap_or(&self.empty_str);
+                    if let Some(_date) = event_data.get("UtcTime") {
                        println!("Date    : {} (UTC)", _date);
+                    }
                    println!("Log     : Sysmon");
                    println!("EventID : 7");
                    println!("Message : Unsigned Image (DLL)");
-                let _image = event_data.get("Image").unwrap_or(&self.empty_str);
+                    if let Some(_image) = event_data.get("Image") {
                        println!("Result  : Loaded by: {}", _image);
-                let _command_line = event_data.get("ImageLoaded").unwrap_or(&self.empty_str);
+                    }
+                    if let Some(_command_line) = event_data.get("ImageLoaded") {
                        println!("Command : {}", _command_line);
                    }
                }
            }
-}
-
-#[cfg(test)]
-mod tests {
-    extern crate quick_xml;
-    use crate::detections::sysmon;
-    use crate::models::event;
-
-    #[test]
-    fn test_skelton_hit() {
-        assert_eq!(1, 1);
+        }
    }
 }