CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'main' into 654-enhancement-output-to-json

Browse Source
This commit is contained in:
DastInDark
2022-08-23 23:02:15 +09:00
parent 16191d2824 d90f901696
commit 3134d0b272
7 changed files with 96 additions and 72 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
CHANGELOG-Japanese.md
View File

@@ -9,10 +9,11 @@
**改善:**
- 結果概要に各レベルで検知した上位5つのルールを表示するようにした。 (#667) (@hitenkoku)
- 結果概要を出力しないようにするために `--no-summary` オプションを追加した。 (#672) (@hitenkoku)
**バグ修正:**
- XXX
- ログオン情報の要約オプションを追加した場合に、Hayabusaがクラッシュしていたのを修正した。 (#674) (@hitenkoku)
## v1.5.1 [2022/08/20]

5
CHANGELOG.md
View File

@@ -8,11 +8,12 @@
**Enhancements:**
- Added top alerts to the results summary. (#667) (@hitenkoku)
- Added top alerts to results summary. (#667) (@hitenkoku)
- Added `--no-summary` option to not display the results summary. (#672) (@hitenkoku)
**Bug Fixes:**
- XXX
- Hayabusa would crash with `-L` option (logon summary option). (#674) (@hitenkoku)
## v1.5.1 [2022/08/20]

1
README-Japanese.md
View File

@@ -393,6 +393,7 @@ OUTPUT:
DISPLAY-SETTINGS:
--no-color カラー出力を無効にする
--no-summary 結果概要を出力しない
-q, --quiet Quietモード: 起動バナーを表示しない
-v, --verbose 詳細な情報を出力する
-V, --visualize-timeline イベント頻度タイムラインを出力する

1
README.md
View File

@@ -385,6 +385,7 @@ OUTPUT:
DISPLAY-SETTINGS:
--no-color Disable color output
--no-summary Do not display result summary
-q, --quiet Quiet mode: do not display the launch banner
-v, --verbose Output verbose information
-V, --visualize-timeline Output event frequency timeline

138
src/afterfact.rs
View File

@@ -366,77 +366,79 @@ fn emit_csv<W: std::io::Write>(
}
};
disp_wtr_buf.clear();
write_color_buffer(
&disp_wtr,
get_writable_color(Some(Color::Rgb(0, 255, 0))),
"Results Summary:",
true,
)
.ok();
if !configs::CONFIG.read().unwrap().args.no_summary {
disp_wtr_buf.clear();
write_color_buffer(
&disp_wtr,
get_writable_color(Some(Color::Rgb(0, 255, 0))),
"Results Summary:",
true,
)
.ok();
let terminal_width = match *TERM_SIZE {
Some((Width(w), _)) => w as usize,
None => 100,
};
println!();
if configs::CONFIG.read().unwrap().args.visualize_timeline {
_print_timeline_hist(timestamps, terminal_width, 3);
let terminal_width = match *TERM_SIZE {
Some((Width(w), _)) => w as usize,
None => 100,
};
println!();
if configs::CONFIG.read().unwrap().args.visualize_timeline {
_print_timeline_hist(timestamps, terminal_width, 3);
println!();
}
let reducted_record_cnt: u128 = all_record_cnt - detected_record_idset.len() as u128;
let reducted_percent = if all_record_cnt == 0 {
0 as f64
} else {
(reducted_record_cnt as f64) / (all_record_cnt as f64) * 100.0
};
write_color_buffer(
&disp_wtr,
get_writable_color(None),
&format!(
"Total events: {}",
all_record_cnt.to_formatted_string(&Locale::en)
),
true,
)
.ok();
write_color_buffer(
&disp_wtr,
get_writable_color(None),
&format!(
"Data reduction: {} events ({:.2}%)",
reducted_record_cnt.to_formatted_string(&Locale::en),
reducted_percent
),
true,
)
.ok();
println!();
_print_unique_results(
total_detect_counts_by_level,
"Total".to_string(),
"detections".to_string(),
&color_map,
);
println!();
_print_unique_results(
unique_detect_counts_by_level,
"Unique".to_string(),
"detections".to_string(),
&color_map,
);
println!();
_print_detection_summary_by_date(detect_counts_by_date_and_level, &color_map);
println!();
_print_detection_summary_by_computer(detect_counts_by_computer_and_level, &color_map);
println!();
_print_detection_summary_by_rule(detect_counts_by_rule_and_level, &color_map);
}
let reducted_record_cnt: u128 = all_record_cnt - detected_record_idset.len() as u128;
let reducted_percent = if all_record_cnt == 0 {
0 as f64
} else {
(reducted_record_cnt as f64) / (all_record_cnt as f64) * 100.0
};
write_color_buffer(
&disp_wtr,
get_writable_color(None),
&format!(
"Total events: {}",
all_record_cnt.to_formatted_string(&Locale::en)
),
true,
)
.ok();
write_color_buffer(
&disp_wtr,
get_writable_color(None),
&format!(
"Data reduction: {} events ({:.2}%)",
reducted_record_cnt.to_formatted_string(&Locale::en),
reducted_percent
),
true,
)
.ok();
println!();
_print_unique_results(
total_detect_counts_by_level,
"Total".to_string(),
"detections".to_string(),
&color_map,
);
println!();
_print_unique_results(
unique_detect_counts_by_level,
"Unique".to_string(),
"detections".to_string(),
&color_map,
);
println!();
_print_detection_summary_by_date(detect_counts_by_date_and_level, &color_map);
println!();
_print_detection_summary_by_computer(detect_counts_by_computer_and_level, &color_map);
println!();
_print_detection_summary_by_rule(detect_counts_by_rule_and_level, &color_map);
Ok(())
}

5
src/detections/configs.rs
View File

@@ -224,9 +224,14 @@ pub struct Config {
#[clap(help_heading = Some("OTHER-ACTIONS"), long = "set-default-profile", value_name = "PROFILE")]
pub set_default_profile: Option<String>,
/// Save the timeline in JSON format (ex: -j -o results.json)
#[clap(help_heading = Some("OUTPUT"), short = 'j', long = "json", requires = "output")]
pub json_timeline: bool,
/// Do not display result summary
#[clap(help_heading = Some("DISPLAY-SETTINGS"), long = "no-summary")]
pub no_summary: bool,
}
impl ConfigReader<'_> {

15
src/timeline/statistics.rs
View File

@@ -110,8 +110,21 @@ impl EventStatistics {
if evtid.is_none() {
continue;
}
let idnum: i64 = if evtid.unwrap().is_number() {
evtid.unwrap().as_i64().unwrap()
} else {
evtid
.unwrap()
.as_str()
.unwrap()
.parse::<i64>()
.unwrap_or_default()
};
if !(idnum == 4624 || idnum == 4625) {
continue;
}
let username = utils::get_event_value("TargetUserName", &record.record);
let idnum = evtid.unwrap().as_i64().unwrap();
let countlist: [usize; 2] = [0, 0];
if idnum == 4624 {
let count: &mut [usize; 2] = self