From a5a055d75cfc3f56c88ab409c69d712c63aa5105 Mon Sep 17 00:00:00 2001 From: DastInDark <2350416+hitenkoku@users.noreply.github.com> Date: Mon, 8 Aug 2022 23:40:57 +0900 Subject: [PATCH 1/6] Changed previous codename --- src/detections/rule/matchers.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/detections/rule/matchers.rs b/src/detections/rule/matchers.rs index 27d98c69..c881aa32 100644 --- a/src/detections/rule/matchers.rs +++ b/src/detections/rule/matchers.rs @@ -218,7 +218,7 @@ impl DefaultMatcher { }); } - /// YEAのルールファイルのフィールド名とそれに続いて指定されるパイプを、正規表現形式の文字列に変換します。 + /// Hayabusaのルールファイルのフィールド名とそれに続いて指定されるパイプを、正規表現形式の文字列に変換します。 /// ワイルドカードの文字列を正規表現にする処理もこのメソッドに実装されています。patternにワイルドカードの文字列を指定して、pipesにPipeElement::Wildcardを指定すればOK!! fn from_pattern_to_regex_str(pattern: String, pipes: &[PipeElement]) -> String { // パターンをPipeで処理する。 From d6443ae14455a3e15fec501daa8455df3199dddb Mon Sep 17 00:00:00 2001 From: DastInDark <2350416+hitenkoku@users.noreply.github.com> Date: Wed, 10 Aug 2022 00:44:05 +0900 Subject: [PATCH 2/6] added exist check when rule value is null #643 --- src/detections/rule/matchers.rs | 73 +++++++++++++++++++++++++++++++-- 1 file changed, 70 insertions(+), 3 deletions(-) diff --git a/src/detections/rule/matchers.rs b/src/detections/rule/matchers.rs index c881aa32..cef96ee5 100644 --- a/src/detections/rule/matchers.rs +++ b/src/detections/rule/matchers.rs @@ -346,14 +346,18 @@ impl LeafMatcher for DefaultMatcher { return false; } - if event_value.is_none() { + // yamlにnullが設定されていた場合 + if self.re.is_none() { + for v in self.key_list.iter() { + if recinfo.get_value(v).is_none() {return true;} + } return false; - } + } let event_value_str = event_value.unwrap(); if self.key_list.is_empty() { // この場合ただのgrep検索なので、ただ正規表現に一致するかどうか調べればよいだけ - return self.re.as_ref().unwrap().is_match(event_value_str); + self.re.as_ref().unwrap().is_match(event_value_str) } else { // 通常の検索はこっち self.is_regex_fullmatch(event_value_str) 
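Review bot: The new null branch uses `self.re.is_none()` as the signal that the rule value was `null`, but nothing in this hunk shows that `re` is `None` only in that case; if the regex is ever left unset for another reason, the matcher silently turns into an absence check and fires on every record missing the field. A dedicated flag set where the rule is parsed (e.g. `is_null_check: bool`) would make the intent explicit and independent of how `re` is built. The loop also returns `true` as soon as any entry of `key_list` is absent; if `key_list` can hold several keys for one selection, decide whether "all absent" is the intended reading and state it in the comment, e.g. `// a null rule value matches when the target field is absent from the record (any listed key missing counts)`. The `is_match` body starts before this hunk and its closing lines are outside it.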
@@ -1984,4 +1988,67 @@ mod tests { } } } + + #[test] + fn test_eq_field_null() { + // 値でnullであった場合に対象のフィールドが存在しないことを確認 + let rule_str = r#" + enabled: true + detection: + selection: + Channel: + value: Security + Takoyaki: + value: null + details: 'command=%CommandLine%' + "#; + + let record_json_str = r#" + { + "Event": {"System": {"EventID": 4103, "Channel": "Security", "Computer": "Powershell" }}, + "Event_attributes": {"xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"} + }"#; + + let mut rule_node = parse_rule_from_str(rule_str); + match serde_json::from_str(record_json_str) { + Ok(record) => { + let keys = detections::rule::get_detection_keys(&rule_node); + let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); + assert!(rule_node.select(&recinfo)); + } + Err(_) => { + panic!("Failed to parse json record."); + } + } + } + #[test] + fn test_eq_field_null_not_detect() { + // 値でnullであった場合に対象のフィールドが存在しないことを確認するテスト + let rule_str = r#" + enabled: true + detection: + selection: + EventID: null + details: 'command=%CommandLine%' + "#; + + let record_json_str = r#"{ + "Event": {"System": {"EventID": 4103, "Channel": "Security", "Computer": "Powershell"}}, + "Event_attributes": {"xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"} + }"#; + + let mut rule_node = parse_rule_from_str(rule_str); + match serde_json::from_str(record_json_str) { + Ok(record) => { + let keys = detections::rule::get_detection_keys(&rule_node); + let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); + println!("test :: keys {:?} | recinfo {:?}\n", keys, recinfo.record["Takoyaki"]); + assert!(!rule_node.select(&recinfo)); + } + Err(e) => { + panic!("Failed to parse json record.{:?}", e ); + } + } + } + } From 506b2ce283ab0dff6a996e741a3fc07f10fe22bc Mon Sep 17 00:00:00 2001 
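Review bot: The comment on `test_eq_field_null_not_detect` says it confirms the target field does not exist, but the rule targets `EventID`, which is present in the record, so the test actually verifies that a `null` rule value does not fire when the field exists; `// 対象のフィールドが存在する場合、値がnullのルールは検知しないことを確認` would describe it accurately. Neither test covers a record that carries the field with an explicit JSON `null` (`"Takoyaki": null`), so whether `null` means "absent" or "absent or null" (the usual Sigma reading) is left unpinned; a third case would fix the intended semantics before rules start relying on it. The first test also only exercises the `value: null` form while the second uses the bare `EventID: null` form, so a detecting case for the bare form would keep both syntaxes covered.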
From: DastInDark <2350416+hitenkoku@users.noreply.github.com> Date: Wed, 10 Aug 2022 00:45:49 +0900 Subject: [PATCH 3/6] cargo fmt --- src/detections/rule/matchers.rs | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/detections/rule/matchers.rs b/src/detections/rule/matchers.rs index cef96ee5..074986c0 100644 --- a/src/detections/rule/matchers.rs +++ b/src/detections/rule/matchers.rs @@ -349,10 +349,12 @@ impl LeafMatcher for DefaultMatcher { // yamlにnullが設定されていた場合 if self.re.is_none() { for v in self.key_list.iter() { - if recinfo.get_value(v).is_none() {return true;} + if recinfo.get_value(v).is_none() { + return true; + } } return false; - } + } let event_value_str = event_value.unwrap(); if self.key_list.is_empty() { @@ -2042,13 +2044,11 @@ mod tests { Ok(record) => { let keys = detections::rule::get_detection_keys(&rule_node); let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); - println!("test :: keys {:?} | recinfo {:?}\n", keys, recinfo.record["Takoyaki"]); assert!(!rule_node.select(&recinfo)); } Err(e) => { - panic!("Failed to parse json record.{:?}", e ); + panic!("Failed to parse json record.{:?}", e); } } } - } From 67525f0b8284c0884a46a1cc9318d8fcc940ab34 Mon Sep 17 00:00:00 2001 From: DastInDark <2350416+hitenkoku@users.noreply.github.com> Date: Wed, 10 Aug 2022 00:54:11 +0900 Subject: [PATCH 4/6] updated changelog #643 --- CHANGELOG-Japanese.md | 1 + CHANGELOG.md | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md index b79fafdc..d21e3709 100644 --- a/CHANGELOG-Japanese.md +++ b/CHANGELOG-Japanese.md @@ -5,6 +5,7 @@ **新機能:** - `config/profiles.yaml`と`config/default_profile.yaml`の設定ファイルで、出力内容をカスタマイズできる。 (#165) (@hitenkoku) +- 対象のフィールドがレコード内に存在しないことを確認する `null` キーワードに対応した。 (#643) (@hitenkoku) **改善:** diff --git a/CHANGELOG.md b/CHANGELOG.md index f27030c9..2dffc9a2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -4,7 +4,8 @@ **New Features:** -- Customizable output of fields defined at `config/profiles.yaml` and `config/default_profile.yaml` (#165) (@hitenkoku) +- Customizable output of fields defined at `config/profiles.yaml` and `config/default_profile.yaml`. (#165) (@hitenkoku) +- Implemented `null` keyword in rule. This paramter is used to check target field is not exist in record. (#643) (@hitenkoku) **Enhancements:** From 7b4f2f3717a204043a40e158371c3183f2aa4245 Mon Sep 17 00:00:00 2001 From: DastInDark <2350416+hitenkoku@users.noreply.github.com> Date: Wed, 10 Aug 2022 01:06:39 +0900 Subject: [PATCH 5/6] reverted removed event_value none check --- src/detections/rule/matchers.rs | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/detections/rule/matchers.rs b/src/detections/rule/matchers.rs index 074986c0..8dc94bc1 100644 --- a/src/detections/rule/matchers.rs +++ b/src/detections/rule/matchers.rs @@ -348,6 +348,7 @@ impl LeafMatcher for DefaultMatcher { // yamlにnullが設定されていた場合 if self.re.is_none() { + // レコード内に対象のフィールドが存在しなければ検知したものとして扱う for v in self.key_list.iter() { if recinfo.get_value(v).is_none() { return true; @@ -356,6 +357,10 @@ impl LeafMatcher for DefaultMatcher { return false; } + if event_value.is_none() { + return false; + } + let event_value_str = event_value.unwrap(); if self.key_list.is_empty() { // この場合ただのgrep検索なので、ただ正規表現に一致するかどうか調べればよいだけ From 86c3770b5a07a97438acf9076350cc42299ded30 Mon Sep 17 00:00:00 2001 From: Tanaka Zakku <71482215+YamatoSecurity@users.noreply.github.com> Date: Wed, 10 Aug 2022 10:29:21 +0900 Subject: [PATCH 6/6] updated changelog --- CHANGELOG.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c3a72e40..a14081c8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
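Review bot: The absence loop in the null branch can be a single expression, `return self.key_list.iter().any(|v| recinfo.get_value(v).is_none());`, which replaces the `for`/early-`return`/`return false` trio and makes the any-key-absent rule visible at a glance. When `key_list` is empty the branch falls through to `return false`, so a keyless (grep-style) selection with a `null` value can never match; if that is intentional it deserves a one-line comment such as `// a null value on a keyless selection never matches`. The reinstated `event_value.is_none()` guard in the second hunk is needed because `event_value.unwrap()` follows it; `is_match` starts and ends outside these hunks.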
@@ -5,13 +5,13 @@ **New Features:** - Customizable output of fields defined at `config/profiles.yaml` and `config/default_profile.yaml`. (#165) (@hitenkoku) -- Implemented `null` keyword in rule. This paramter is used to check target field is not exist in record. (#643) (@hitenkoku) +- Implemented the `null` keyword for rule detection. It is used to check if a target field exists or not. (#643) (@hitenkoku) **Enhancements:** - Removed ./ from rule path when updating. (#642) (@hitenkoku) - Added new output alias for MITRE ATT&CK tags and other tags. (#637) (@hitenkoku) -- Changed output summary numbers from without commas to with commas. (#649) (@hitenkoku) +- Added commas to summary numbers to make them easier to read. (#649) (@hitenkoku) **Bug Fixes:**