From 5b3773b1928fe78f63798f51feed7f151216de40 Mon Sep 17 00:00:00 2001
From: DastInDark <2350416+hitenkoku@users.noreply.github.com>
Date: Sun, 21 Aug 2022 11:29:19 +0900
Subject: [PATCH 1/7] added --no-summary option to do not display result summary #672
---
 src/afterfact.rs | 138 +++++++++++++++++++-------------------
 src/detections/configs.rs | 4 ++
 2 files changed, 74 insertions(+), 68 deletions(-)
diff --git a/src/afterfact.rs b/src/afterfact.rs
index 8c072e29..5ccf2725 100644
--- a/src/afterfact.rs
+++ b/src/afterfact.rs
@@ -326,77 +326,79 @@ fn emit_csv(
 }
 };
- disp_wtr_buf.clear();
- write_color_buffer(
- &disp_wtr,
- get_writable_color(Some(Color::Rgb(0, 255, 0))),
- "Results Summary:",
- true,
- )
- .ok();
+ if !configs::CONFIG.read().unwrap().args.no_summary {
+ disp_wtr_buf.clear();
+ write_color_buffer(
+ &disp_wtr,
+ get_writable_color(Some(Color::Rgb(0, 255, 0))),
+ "Results Summary:",
+ true,
+ )
+ .ok();
- let terminal_width = match *TERM_SIZE {
- Some((Width(w), _)) => w as usize,
- None => 100,
- };
- println!();
-
- if configs::CONFIG.read().unwrap().args.visualize_timeline {
- _print_timeline_hist(timestamps, terminal_width, 3);
+ let terminal_width = match *TERM_SIZE {
+ Some((Width(w), _)) => w as usize,
+ None => 100,
+ };
 println!();
+
+ if configs::CONFIG.read().unwrap().args.visualize_timeline {
+ _print_timeline_hist(timestamps, terminal_width, 3);
+ println!();
+ }
+ let reducted_record_cnt: u128 = all_record_cnt - detected_record_idset.len() as u128;
+ let reducted_percent = if all_record_cnt == 0 {
+ 0 as f64
+ } else {
+ (reducted_record_cnt as f64) / (all_record_cnt as f64) * 100.0
+ };
+ write_color_buffer(
+ &disp_wtr,
+ get_writable_color(None),
+ &format!(
+ "Total events: {}",
+ all_record_cnt.to_formatted_string(&Locale::en)
+ ),
+ true,
+ )
+ .ok();
+ write_color_buffer(
+ &disp_wtr,
+ get_writable_color(None),
+ &format!(
+ "Data reduction: {} events ({:.2}%)",
+ reducted_record_cnt.to_formatted_string(&Locale::en),
+ reducted_percent
+ ),
+ true,
+ )
+ .ok();
+ println!();
+
+ _print_unique_results(
+ total_detect_counts_by_level,
+ "Total".to_string(),
+ "detections".to_string(),
+ &color_map,
+ );
+ println!();
+
+ _print_unique_results(
+ unique_detect_counts_by_level,
+ "Unique".to_string(),
+ "detections".to_string(),
+ &color_map,
+ );
+ println!();
+
+ _print_detection_summary_by_date(detect_counts_by_date_and_level, &color_map);
+ println!();
+
+ _print_detection_summary_by_computer(detect_counts_by_computer_and_level, &color_map);
+ println!();
+
+ _print_detection_summary_by_rule(detect_counts_by_rule_and_level, &color_map);
 }
- let reducted_record_cnt: u128 = all_record_cnt - detected_record_idset.len() as u128;
- let reducted_percent = if all_record_cnt == 0 {
- 0 as f64
- } else {
- (reducted_record_cnt as f64) / (all_record_cnt as f64) * 100.0
- };
- write_color_buffer(
- &disp_wtr,
- get_writable_color(None),
- &format!(
- "Total events: {}",
- all_record_cnt.to_formatted_string(&Locale::en)
- ),
- true,
- )
- .ok();
- write_color_buffer(
- &disp_wtr,
- get_writable_color(None),
- &format!(
- "Data reduction: {} events ({:.2}%)",
- reducted_record_cnt.to_formatted_string(&Locale::en),
- reducted_percent
- ),
- true,
- )
- .ok();
- println!();
-
- _print_unique_results(
- total_detect_counts_by_level,
- "Total".to_string(),
- "detections".to_string(),
- &color_map,
- );
- println!();
-
- _print_unique_results(
- unique_detect_counts_by_level,
- "Unique".to_string(),
- "detections".to_string(),
- &color_map,
- );
- println!();
-
- _print_detection_summary_by_date(detect_counts_by_date_and_level, &color_map);
- println!();
-
- _print_detection_summary_by_computer(detect_counts_by_computer_and_level, &color_map);
- println!();
-
- _print_detection_summary_by_rule(detect_counts_by_rule_and_level, &color_map);
 Ok(())
 }
diff --git a/src/detections/configs.rs b/src/detections/configs.rs
index 80a6d322..feda62a4 100644
--- a/src/detections/configs.rs
+++ b/src/detections/configs.rs
@@ -223,6 +223,10 @@ pub struct Config {
 /// Set default output profile
 #[clap(help_heading = Some("OTHER-ACTIONS"), long = "set-default-profile", value_name = "PROFILE")]
 pub set_default_profile: Option,
+
+ /// Do not display result summary
+ #[clap(help_heading = Some("DISPLAY-SETTINGS"), long = "no-summary")]
+ pub no_summary: bool,
 }
 impl ConfigReader<'_> {
From 7a4ceeff56f7bd5b1c21d243d39130c86517a147 Mon Sep 17 00:00:00 2001
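Review bot: The new `if !configs::CONFIG.read().unwrap().args.no_summary {` block also encloses the `visualize_timeline` branch, so `--no-summary` suppresses the `-V` event-frequency histogram as well, and the help text added in src/detections/configs.rs in this same commit ("Do not display result summary") does not say so. Either hoist `let terminal_width`/`_print_timeline_hist` out of the block, or document the coupling on the field, e.g. `/// Do not display result summary (also suppresses the -V timeline histogram)`. The block also takes the CONFIG read lock twice; reading both flags once up front, `let (no_summary, visualize_timeline) = { let cfg = configs::CONFIG.read().unwrap(); (cfg.args.no_summary, cfg.args.visualize_timeline) };`, avoids the second lock and keeps the guard's lifetime short. The `.unwrap()` on the lock read will panic if the lock is poisoned, but that matches the existing calls and is not introduced here. emit_csv begins outside the hunk.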
From: DastInDark <2350416+hitenkoku@users.noreply.github.com> Date: Sun, 21 Aug 2022 11:30:09 +0900 Subject: [PATCH 2/7] updated changelog #672 --- CHANGELOG-Japanese.md | 1 + CHANGELOG.md | 1 + 2 files changed, 2 insertions(+) diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md index 2dd03c60..43c343a0 100644 --- a/CHANGELOG-Japanese.md +++ b/CHANGELOG-Japanese.md @@ -9,6 +9,7 @@ **改善:** - 結果概要に各レベルで検知した上位5つのルールを表示するようにした。 (#667) (@hitenkoku) +- 結果概要を出力しないようにするために `--no-summary` オプションを追加した。 (#672) (@hitenkoku) **バグ修正:** diff --git a/CHANGELOG.md b/CHANGELOG.md index ecd86482..af2f1464 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,6 +9,7 @@ **Enhancements:** - Added top alert rules to results summary. (#667) (@hitenkoku) +- Added `--no-summary` option to do not display summary. (#672) (@hitenkoku) **Bug Fixes:** From 21e1ab42e9fc1fb49769e79fa1f1c57804bf67d2 Mon Sep 17 00:00:00 2001 From: DastInDark <2350416+hitenkoku@users.noreply.github.com> Date: Sun, 21 Aug 2022 11:32:42 +0900 Subject: [PATCH 3/7] updated usage in readme #672 --- README-Japanese.md | 1 + README.md | 1 + 2 files changed, 2 insertions(+) diff --git a/README-Japanese.md b/README-Japanese.md index e2303233..f3f19cb7 100644 --- a/README-Japanese.md +++ b/README-Japanese.md @@ -392,6 +392,7 @@ OUTPUT: DISPLAY-SETTINGS: --no-color カラー出力を無効にする + --no-summary 結果概要を出力しない -q, --quiet Quietモード: 起動バナーを表示しない -v, --verbose 詳細な情報を出力する -V, --visualize-timeline イベント頻度タイムラインを出力する diff --git a/README.md b/README.md index 2a6c529d..2f2231c1 100644 --- a/README.md +++ b/README.md @@ -384,6 +384,7 @@ OUTPUT: DISPLAY-SETTINGS: --no-color Disable color output + --no-summary Do not display result summary -q, --quiet Quiet mode: do not display the launch banner -v, --verbose Output verbose information -V, --visualize-timeline Output event frequency timeline From a781b278bdfc7c015eb16572326759ae71c3de14 Mon Sep 17 00:00:00 2001 
From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com> Date: Mon, 22 Aug 2022 08:51:10 +0900 Subject: [PATCH 4/7] update changelog wording --- CHANGELOG.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index af2f1464..219e4a23 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,8 +8,8 @@ **Enhancements:** -- Added top alert rules to results summary. (#667) (@hitenkoku) -- Added `--no-summary` option to do not display summary. (#672) (@hitenkoku) +- Added top alerts to results summary. (#667) (@hitenkoku) +- Added `--no-summary` option not display the results summary. (#672) (@hitenkoku) **Bug Fixes:** From 9e8cd321a420bb44d0d65d35fb5c956dcc0bcc27 Mon Sep 17 00:00:00 2001 From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com> Date: Mon, 22 Aug 2022 08:52:12 +0900 Subject: [PATCH 5/7] changelog typo --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 219e4a23..00cae0f8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,7 +9,7 @@ **Enhancements:** - Added top alerts to results summary. (#667) (@hitenkoku) -- Added `--no-summary` option not display the results summary. (#672) (@hitenkoku) +- Added `--no-summary` option to not display the results summary. (#672) (@hitenkoku) **Bug Fixes:** From d774c90ee01ba8f52e0b344bad6912cdb9e62b96 Mon Sep 17 00:00:00 2001 From: DastInDark <2350416+hitenkoku@users.noreply.github.com> Date: Mon, 22 Aug 2022 18:04:22 +0900 Subject: [PATCH 6/7] fixed crash in event id value is string case #674 --- src/timeline/statistics.rs | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/src/timeline/statistics.rs b/src/timeline/statistics.rs index f2debc94..6e6982e1 100644 --- a/src/timeline/statistics.rs +++ b/src/timeline/statistics.rs 
@@ -110,8 +110,21 @@ impl EventStatistics {
 if evtid.is_none() {
 continue;
 }
+ let idnum: i64 = if evtid.unwrap().is_number() {
+ evtid.unwrap().as_i64().unwrap()
+ } else {
+ evtid
+ .unwrap()
+ .as_str()
+ .unwrap()
+ .parse::()
+ .unwrap_or_default()
+ };
+ if !(idnum == 4624 || idnum == 4625) {
+ continue;
+ }
+
 let username = utils::get_event_value("TargetUserName", &record.record);
- let idnum = evtid.unwrap().as_i64().unwrap();
 let countlist: [usize; 2] = [0, 0];
 if idnum == 4624 {
 let count: &mut [usize; 2] = self
From 168d976377cef7bd55eb8030ef01a2679f92407f Mon Sep 17 00:00:00 2001
From: DastInDark <2350416+hitenkoku@users.noreply.github.com>
Date: Mon, 22 Aug 2022 18:08:42 +0900
Subject: [PATCH 7/7] updated changelog #674
---
 CHANGELOG-Japanese.md | 2 +-
 CHANGELOG.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md
index 43c343a0..93d007f2 100644
--- a/CHANGELOG-Japanese.md
+++ b/CHANGELOG-Japanese.md
@@ -13,7 +13,7 @@
 **バグ修正:**
-- XXX
+- ログオン情報の要約オプションを追加した場合に、Hayabusaがクラッシュしていたのを修正した。 (#674) (@hitenkoku)
 ## v1.5.1 [2022/08/20]
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 00cae0f8..e29f2e03 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,7 +13,7 @@
 **Bug Fixes:**
-- XXX
+- Hayabusa would crash with `-L` option (logon summary option). (#674) (@hitenkoku)
 ## v1.5.1 [2022/08/20]
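Review bot: The `is_number()` branch still ends in `as_i64().unwrap()` and the `else` branch in `as_str().unwrap()`, so an EventID that is a non-integer number (a float, if the value type is serde_json-like — the type is not visible in the hunk) or that is neither number nor string still panics, which is the same class of crash #674 sets out to fix; a log-analysis run should skip a malformed record rather than abort on it. Both lookups can be folded into one `match` on `evtid` that `continue`s for anything unrepresentable, which also removes the four repeated `evtid.unwrap()` calls and makes the preceding `if evtid.is_none() { continue; }` context lines redundant (they can be dropped). The `parse::()` target type appears stripped on this page; the `i64` below comes from the `let idnum: i64` annotation in the hunk. The enclosing loop and method begin outside the hunk.
```rust
let idnum: i64 = match evtid {
    Some(v) if v.is_number() => match v.as_i64() {
        Some(n) => n,
        // non-integer numeric EventID: skip the record instead of panicking
        None => continue,
    },
    Some(v) => match v.as_str() {
        Some(s) => s.parse::<i64>().unwrap_or_default(),
        // neither number nor string: skip the record
        None => continue,
    },
    None => continue,
};
// … unchanged: 4624/4625 filter, username lookup, counting …
```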