diff --git a/src/detections/configs.rs b/src/detections/configs.rs
index df2fd6f4..b7bdb812 100644
--- a/src/detections/configs.rs
+++ b/src/detections/configs.rs
@@ -60,6 +60,7 @@ fn build_app<'a>() -> ArgMatches<'a> {
 -v --verbose 'Output verbose information'
 -D --enable-deprecated-rules 'Enable sigma rules marked as deprecated'
 -n --enable-noisy-rules 'Enable rules marked as noisy'
+ -U --rule-update 'Clone latest hayabusa-rule'
 -m --min-level=[LEVEL] 'Minimum level for rules (default: informational)'
 --start-timeline=[STARTTIMELINE] 'Start time of the event to load from event file. Example: '2018/11/28 12:00:00 +09:00''
 --end-timeline=[ENDTIMELINE] 'End time of the event to load from event file. Example: '2018/11/28 12:00:00 +09:00''
diff --git a/src/main.rs b/src/main.rs
index dccca891..5b228bb3 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -4,6 +4,7 @@ extern crate serde_derive;
 use chrono::Datelike;
 use chrono::{DateTime, Local};
 use evtx::{EvtxParser, ParserSettings};
+use git2::Repository;
 use hayabusa::detections::detection::{self, EvtxRecordInfo};
 use hayabusa::detections::print::AlertMessage;
 use hayabusa::detections::print::ERROR_LOG_PATH;
@@ -57,6 +58,15 @@ impl App {
 fn exec(&mut self) {
 let analysis_start_time: DateTime = Local::now();
+ if !configs::CONFIG .read() .unwrap() .args .is_present("update-rules") { self.update_rules(); return; }
 if !configs::CONFIG.read().unwrap().args.is_present("quiet") {
 self.output_logo();
 println!("");
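Review bot: The long option registered here is `--rule-update`, but the code that consumes it in main.rs (the `exec` hunk of this same commit) asks `is_present("update-rules")`, so the two names never meet and the flag can never be observed by the code written for it; pick one spelling and use it in both places, e.g. `-U --update-rules 'Clone the latest hayabusa-rules repository into the rules folder'`. The help text also says `hayabusa-rule` (singular) while the repository being cloned is `hayabusa-rules`. `build_app`'s body continues outside the hunk.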
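Review bot: The new guard in `exec` is inverted: `if !configs::CONFIG...is_present("update-rules")` calls `self.update_rules()` and returns when the flag is absent, so every ordinary invocation clones the rules and never reaches the analysis that follows; it should read `if configs::CONFIG.read().unwrap().args.is_present("update-rules") { self.update_rules(); return; }`. This is compounded by the configs.rs hunk registering the option as `rule-update`, not `update-rules`; with the clap generation this file uses (`ArgMatches<'a>`) an unregistered name is, as far as I recall, simply reported absent rather than rejected, which together with the `!` makes the clone path unconditional — worth confirming against the clap version in Cargo.toml. `exec`'s body continues outside the hunk, so the early `return` also skips whatever timing and logging it does after `analysis_start_time`.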
@@ -420,6 +430,28 @@ impl App {
 }
 }
 }
+
+ /// hayabusa-rulesをcloneで取得する関数
+ fn update_rules(&self) {
+ let url = "https://github.com/Yamato-Security/hayabusa-rules.git";
+ let _repo = match Repository::clone(url, "rules") {
+ Ok(repo) => {
+ println!("Finished clone hayabusa-rules repository.");
+ repo
+ }
+ Err(e) => {
+ AlertMessage::alert(
+ &mut BufWriter::new(std::io::stderr().lock()),
+ &format!(
+ "Failed git clone to rules folder. Please renme rules folder name. {}",
+ e
+ ),
+ )
+ .ok();
+ return;
+ }
+ };
+ }
 }
 #[cfg(test)]
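Review bot: `Repository::clone(url, "rules")` cannot update anything — libgit2 refuses to clone into an existing non-empty directory, so after the first successful run every later `-U` lands in the `Err` arm, whose message (`Please renme rules folder name`, typo for "rename") tells the user to move the folder rather than fetching into it; either check `std::path::Path::new("rules").exists()` up front with a precise message, or open the existing repository and fetch/fast-forward it. The clone also takes whatever the remote's default branch currently points at, with no pinned tag/commit and no integrity check beyond libgit2's TLS verification of github.com; since these rules drive detection, the checked-out commit should at least be printed so a run is reproducible and a pin can be added later. Stylistically the `_repo` binding and the `return` inside the `match` mean neither arm does anything with the value, and the doc comment should be in English: `/// Clone the hayabusa-rules repository into ./rules, relative to the current working directory.` The function is complete within the hunk; the enclosing `impl App` starts outside it.
```rust
    /// Clone the hayabusa-rules repository into `./rules` (relative to the working directory).
    /// Refuses to run if `./rules` already exists; an in-place fetch/fast-forward is still TODO.
    fn update_rules(&self) {
        let url = "https://github.com/Yamato-Security/hayabusa-rules.git";
        let dest = std::path::Path::new("rules");
        if dest.exists() {
            // … unchanged: AlertMessage::alert to stderr, saying the rules folder already
            //   exists and must be moved or renamed before cloning …
            return;
        }
        match Repository::clone(url, dest) {
            Ok(repo) => {
                // Report the commit that was checked out so the rule set in use is identifiable.
                let head = repo.head().ok().and_then(|h| h.target());
                println!("Finished clone hayabusa-rules repository. HEAD: {:?}", head);
            }
            Err(e) => {
                // … unchanged: AlertMessage::alert(...) error path ("renme" -> "rename") …
            }
        }
    }
```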