CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fixed error

Browse Source
This commit is contained in:
DustInDark
2021-12-22 14:56:10 +09:00
parent 8876fc5f65
commit 3412434d99
7 changed files with 65 additions and 125 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
contributors.txt
View File

@@ -1,7 +1,6 @@
Hayabusa was possible thanks to the following people (in alphabetical order): Hayabusa was possible thanks to the following people (in alphabetical order):
Akira Nishikawa (@nishikawaakira): Previous lead developer, core hayabusa rule support, etc... Akira Nishikawa (@nishikawaakira): Previous lead developer, core hayabusa rule support, etc...
DustInDark(@hitenkoku): Core Developer
Garigariganzy (@garigariganzy31): Developer, event ID statistics implementation, etc... Garigariganzy (@garigariganzy31): Developer, event ID statistics implementation, etc...
ItiB (@itiB_S144) : Core developer, sigmac hayabusa backend, rule creation, etc... ItiB (@itiB_S144) : Core developer, sigmac hayabusa backend, rule creation, etc...
James Takai / hachiyone(@hach1yon): Current lead developer, tokio multi-threading, sigma aggregation logic, sigmac backend, rule creation, sigma count implementation etc… James Takai / hachiyone(@hach1yon): Current lead developer, tokio multi-threading, sigma aggregation logic, sigmac backend, rule creation, sigma count implementation etc…
@@ -14,7 +13,6 @@ Hayabusa would not have been possible without first creating RustyBlue, so we wo
Zach Mathis (@yamatosecurity, Yamato Security Founder): Project Leader Zach Mathis (@yamatosecurity, Yamato Security Founder): Project Leader
Nishikawa Akira (@nishikawaakira): Lead Developer Nishikawa Akira (@nishikawaakira): Lead Developer
DustInDark (@hitenkoku): Core Developer
kazuminn (@k47_um1n): Core Developer kazuminn (@k47_um1n): Core Developer
itiB (@itiB_S144): Core Developer itiB (@itiB_S144): Core Developer
James Takai / hachiyone (@hach1yon): Core Developer James Takai / hachiyone (@hach1yon): Core Developer

0
logs/.gitkeep
View File

19
src/detections/detection.rs
View File

@@ -2,7 +2,7 @@ extern crate csv;
use crate::detections::configs; use crate::detections::configs;
use crate::detections::print::AlertMessage; use crate::detections::print::AlertMessage;
use crate::detections::print::ERROR_LOG_PATH; use crate::detections::print::ERROR_LOG_STACK;
use crate::detections::print::MESSAGES; use crate::detections::print::MESSAGES;
use crate::detections::print::QUIET_ERRORS_FLAG; use crate::detections::print::QUIET_ERRORS_FLAG;
use crate::detections::rule; use crate::detections::rule;
@@ -14,7 +14,6 @@ use crate::yaml::ParseYaml;
use hashbrown; use hashbrown;
use serde_json::Value; use serde_json::Value;
use std::collections::HashMap; use std::collections::HashMap;
use std::fs::OpenOptions;
use std::io::BufWriter; use std::io::BufWriter;
use std::sync::Arc; use std::sync::Arc;
use tokio::{runtime::Runtime, spawn, task::JoinHandle}; use tokio::{runtime::Runtime, spawn, task::JoinHandle};
@@ -66,16 +65,10 @@ impl Detection {
AlertMessage::alert(&mut BufWriter::new(std::io::stderr().lock()), &errmsg).ok(); AlertMessage::alert(&mut BufWriter::new(std::io::stderr().lock()), &errmsg).ok();
} }
if !*QUIET_ERRORS_FLAG { if !*QUIET_ERRORS_FLAG {
AlertMessage::alert( ERROR_LOG_STACK
&mut BufWriter::new( .lock()
OpenOptions::new() .unwrap()
.append(true) .push(format!("[ERROR] {}", errmsg));
.open(ERROR_LOG_PATH.to_string())
.unwrap(),
),
&errmsg,
)
.ok();
} }
return vec![]; return vec![];
} }
@@ -93,7 +86,7 @@ impl Detection {
AlertMessage::warn(&mut std::io::stdout().lock(), &errmsg_body).ok(); AlertMessage::warn(&mut std::io::stdout().lock(), &errmsg_body).ok();
err_msgs.iter().for_each(|err_msg| { err_msgs.iter().for_each(|err_msg| {
AlertMessage::warn(&mut std::io::stdout().lock(), &err_msg.to_string()).ok(); AlertMessage::warn(&mut std::io::stdout().lock(), err_msg).ok();
}); });
parseerror_count += 1; parseerror_count += 1;
println!(""); // 一行開けるためのprintln println!(""); // 一行開けるためのprintln

29
src/detections/print.rs
View File

@@ -46,6 +46,7 @@ lazy_static! {
.unwrap() .unwrap()
.args .args
.is_present("quiet-errors"); .is_present("quiet-errors");
pub static ref ERROR_LOG_STACK: Mutex<Vec<String>> = Mutex::new(Vec::new());
} }
impl Message { impl Message {
@@ -203,10 +204,9 @@ impl AlertMessage {
if !path.parent().unwrap().exists() { if !path.parent().unwrap().exists() {
create_dir(path.parent().unwrap()).ok(); create_dir(path.parent().unwrap()).ok();
} }
// 1行目は必ず実行したコマンド情報を入れておく。 let mut error_log_writer = BufWriter::new(File::create(path).unwrap());
let mut ret = BufWriter::new(File::create(path).unwrap()); error_log_writer
.write(
ret.write(
format!( format!(
"user input: {:?}\n", "user input: {:?}\n",
format_args!( format_args!(
@@ -220,7 +220,14 @@ impl AlertMessage {
.as_bytes(), .as_bytes(),
) )
.unwrap(); .unwrap();
ret.flush().ok(); for error_log in ERROR_LOG_STACK.lock().unwrap().iter() {
writeln!(error_log_writer, "{}", error_log).ok();
}
println!(
"Errors were generated. Please check {} for details.",
ERROR_LOG_PATH.to_string()
);
println!("");
} }
/// ERRORメッセージを表示する関数 /// ERRORメッセージを表示する関数
@@ -232,18 +239,6 @@ impl AlertMessage {
pub fn warn<W: Write>(w: &mut W, contents: &String) -> io::Result<()> { pub fn warn<W: Write>(w: &mut W, contents: &String) -> io::Result<()> {
writeln!(w, "[WARN] {}", contents) writeln!(w, "[WARN] {}", contents)
} }
/// エラーログへのERRORメッセージの出力数を確認して、0であったらファイルを削除する。1以上あればエラーを書き出した旨を標準出力に表示する
pub fn output_error_log_exist() {
if *QUIET_ERRORS_FLAG {
return;
}
println!(
"Errors were generated. Please check {} for details.",
ERROR_LOG_PATH.to_string()
);
println!("");
}
} }
#[cfg(test)] #[cfg(test)]

45
src/detections/rule/count.rs
View File

@@ -1,6 +1,6 @@
use crate::detections::configs; use crate::detections::configs;
use crate::detections::print::AlertMessage; use crate::detections::print::AlertMessage;
use crate::detections::print::ERROR_LOG_PATH; use crate::detections::print::ERROR_LOG_STACK;
use crate::detections::print::QUIET_ERRORS_FLAG; use crate::detections::print::QUIET_ERRORS_FLAG;
use crate::detections::rule::AggResult; use crate::detections::rule::AggResult;
use crate::detections::rule::AggregationParseInfo; use crate::detections::rule::AggregationParseInfo;
@@ -9,7 +9,6 @@ use crate::detections::rule::RuleNode;
use chrono::{DateTime, TimeZone, Utc}; use chrono::{DateTime, TimeZone, Utc};
use hashbrown::HashMap; use hashbrown::HashMap;
use serde_json::Value; use serde_json::Value;
use std::fs::OpenOptions;
use std::io::BufWriter; use std::io::BufWriter;
use std::num::ParseIntError; use std::num::ParseIntError;
use std::path::Path; use std::path::Path;
@@ -95,16 +94,10 @@ fn get_alias_value_in_record(
AlertMessage::alert(&mut BufWriter::new(std::io::stderr().lock()), &errmsg).ok(); AlertMessage::alert(&mut BufWriter::new(std::io::stderr().lock()), &errmsg).ok();
} }
if !*QUIET_ERRORS_FLAG { if !*QUIET_ERRORS_FLAG {
AlertMessage::alert( ERROR_LOG_STACK
&mut BufWriter::new( .lock()
OpenOptions::new() .unwrap()
.append(true) .push(format!("[ERROR] {}", errmsg));
.open(ERROR_LOG_PATH.to_string())
.unwrap(),
),
&errmsg,
)
.ok();
} }
return None; return None;
} }
@@ -203,16 +196,10 @@ impl TimeFrameInfo {
AlertMessage::alert(&mut BufWriter::new(std::io::stderr().lock()), &errmsg).ok(); AlertMessage::alert(&mut BufWriter::new(std::io::stderr().lock()), &errmsg).ok();
} }
if !*QUIET_ERRORS_FLAG { if !*QUIET_ERRORS_FLAG {
AlertMessage::alert( ERROR_LOG_STACK
&mut BufWriter::new( .lock()
OpenOptions::new() .unwrap()
.append(true) .push(format!("[ERROR] {}", errmsg));
.open(ERROR_LOG_PATH.to_string())
.unwrap(),
),
&errmsg,
)
.ok();
} }
} }
return TimeFrameInfo { return TimeFrameInfo {
@@ -246,16 +233,10 @@ pub fn get_sec_timeframe(timeframe: &Option<TimeFrameInfo>) -> Option<i64> {
AlertMessage::alert(&mut BufWriter::new(std::io::stderr().lock()), &errmsg).ok(); AlertMessage::alert(&mut BufWriter::new(std::io::stderr().lock()), &errmsg).ok();
} }
if !*QUIET_ERRORS_FLAG { if !*QUIET_ERRORS_FLAG {
AlertMessage::alert( ERROR_LOG_STACK
&mut BufWriter::new( .lock()
OpenOptions::new() .unwrap()
.append(true) .push(format!("[ERROR] {}", errmsg.to_string()));
.open(ERROR_LOG_PATH.to_string())
.unwrap(),
),
&errmsg,
)
.ok();
} }
return Option::None; return Option::None;
} }

44
src/main.rs
View File

@@ -7,6 +7,7 @@ use evtx::{EvtxParser, ParserSettings};
use hayabusa::detections::detection::{self, EvtxRecordInfo}; use hayabusa::detections::detection::{self, EvtxRecordInfo};
use hayabusa::detections::print::AlertMessage; use hayabusa::detections::print::AlertMessage;
use hayabusa::detections::print::ERROR_LOG_PATH; use hayabusa::detections::print::ERROR_LOG_PATH;
use hayabusa::detections::print::ERROR_LOG_STACK;
use hayabusa::detections::print::QUIET_ERRORS_FLAG; use hayabusa::detections::print::QUIET_ERRORS_FLAG;
use hayabusa::detections::rule::{get_detection_keys, RuleNode}; use hayabusa::detections::rule::{get_detection_keys, RuleNode};
use hayabusa::filter; use hayabusa::filter;
@@ -18,7 +19,6 @@ use pbr::ProgressBar;
use serde_json::Value; use serde_json::Value;
use std::collections::{HashMap, HashSet}; use std::collections::{HashMap, HashSet};
use std::fmt::Display; use std::fmt::Display;
use std::fs::OpenOptions;
use std::io::BufWriter; use std::io::BufWriter;
use std::path::Path; use std::path::Path;
use std::sync::Arc; use std::sync::Arc;
@@ -84,14 +84,6 @@ impl App {
return; return;
} }
} }
if !configs::CONFIG
.read()
.unwrap()
.args
.is_present("quiet-errors")
{
AlertMessage::create_error_log(ERROR_LOG_PATH.to_string());
}
if let Some(filepath) = configs::CONFIG.read().unwrap().args.value_of("filepath") { if let Some(filepath) = configs::CONFIG.read().unwrap().args.value_of("filepath") {
if !filepath.ends_with(".evtx") { if !filepath.ends_with(".evtx") {
AlertMessage::alert( AlertMessage::alert(
@@ -126,7 +118,11 @@ impl App {
let analysis_duration = analysis_end_time.signed_duration_since(analysis_start_time); let analysis_duration = analysis_end_time.signed_duration_since(analysis_start_time);
println!("Elapsed Time: {}", &analysis_duration.hhmmssxxx()); println!("Elapsed Time: {}", &analysis_duration.hhmmssxxx());
println!(""); println!("");
AlertMessage::output_error_log_exist();
// Qオプションを付けた場合もしくはパースのエラーがない場合はerrorのstackが9となるのでエラーログファイル自体が生成されない。
if ERROR_LOG_STACK.lock().unwrap().len() > 0 {
AlertMessage::create_error_log(ERROR_LOG_PATH.to_string());
}
} }
fn collect_evtxfiles(&self, dirpath: &str) -> Vec<PathBuf> { fn collect_evtxfiles(&self, dirpath: &str) -> Vec<PathBuf> {
@@ -137,16 +133,10 @@ impl App {
AlertMessage::alert(&mut BufWriter::new(std::io::stderr().lock()), &errmsg).ok(); AlertMessage::alert(&mut BufWriter::new(std::io::stderr().lock()), &errmsg).ok();
} }
if !*QUIET_ERRORS_FLAG { if !*QUIET_ERRORS_FLAG {
AlertMessage::alert( ERROR_LOG_STACK
&mut BufWriter::new( .lock()
OpenOptions::new() .unwrap()
.append(true) .push(format!("[ERROR] {}", errmsg));
.open(ERROR_LOG_PATH.to_string())
.unwrap(),
),
&errmsg,
)
.ok();
} }
return vec![]; return vec![];
} }
@@ -255,16 +245,10 @@ impl App {
.ok(); .ok();
} }
if !*QUIET_ERRORS_FLAG { if !*QUIET_ERRORS_FLAG {
AlertMessage::alert( ERROR_LOG_STACK
&mut BufWriter::new( .lock()
OpenOptions::new() .unwrap()
.append(true) .push(format!("[ERROR] {}", errmsg));
.open(ERROR_LOG_PATH.to_string())
.unwrap(),
),
&errmsg,
)
.ok();
} }
continue; continue;
} }

29
src/yaml.rs
View File

@@ -3,13 +3,12 @@ extern crate yaml_rust;
use crate::detections::configs; use crate::detections::configs;
use crate::detections::print::AlertMessage; use crate::detections::print::AlertMessage;
use crate::detections::print::ERROR_LOG_PATH; use crate::detections::print::ERROR_LOG_STACK;
use crate::detections::print::QUIET_ERRORS_FLAG; use crate::detections::print::QUIET_ERRORS_FLAG;
use crate::filter::RuleExclude; use crate::filter::RuleExclude;
use std::collections::HashMap; use std::collections::HashMap;
use std::ffi::OsStr; use std::ffi::OsStr;
use std::fs; use std::fs;
use std::fs::OpenOptions;
use std::io; use std::io;
use std::io::BufWriter; use std::io::BufWriter;
use std::io::{BufReader, Read}; use std::io::{BufReader, Read};
@@ -84,15 +83,10 @@ impl ParseYaml {
AlertMessage::warn(&mut BufWriter::new(std::io::stderr().lock()), &errmsg)?; AlertMessage::warn(&mut BufWriter::new(std::io::stderr().lock()), &errmsg)?;
} }
if !*QUIET_ERRORS_FLAG { if !*QUIET_ERRORS_FLAG {
AlertMessage::warn( ERROR_LOG_STACK
&mut BufWriter::new( .lock()
OpenOptions::new() .unwrap()
.append(true) .push(format!("[WARN] {}", errmsg));
.open(ERROR_LOG_PATH.to_string())
.unwrap(),
),
&errmsg,
)?;
} }
self.errorrule_count += 1; self.errorrule_count += 1;
return io::Result::Ok(ret); return io::Result::Ok(ret);
@@ -110,15 +104,10 @@ impl ParseYaml {
AlertMessage::warn(&mut BufWriter::new(std::io::stderr().lock()), &errmsg)?; AlertMessage::warn(&mut BufWriter::new(std::io::stderr().lock()), &errmsg)?;
} }
if !*QUIET_ERRORS_FLAG { if !*QUIET_ERRORS_FLAG {
AlertMessage::warn( ERROR_LOG_STACK
&mut BufWriter::new( .lock()
OpenOptions::new() .unwrap()
.append(true) .push(format!("[WARN] {}", errmsg));
.open(ERROR_LOG_PATH.to_string())
.unwrap(),
),
&errmsg,
)?;
} }
self.errorrule_count += 1; self.errorrule_count += 1;
return io::Result::Ok(ret); return io::Result::Ok(ret);