diff --git a/src/detections/configs.rs b/src/detections/configs.rs
index ef64bd99..4e79eb35 100644
--- a/src/detections/configs.rs
+++ b/src/detections/configs.rs
@@ -1,4 +1,6 @@
+use crate::detections::print::AlertMessage;
 use crate::detections::utils;
+use chrono::{DateTime, Utc};
 use clap::{App, AppSettings, ArgMatches};
 use lazy_static::lazy_static;
 use std::collections::{HashMap, HashSet};
@@ -118,6 +120,68 @@ fn load_target_ids(path: &str) -> TargetEventIds {
 return ret;
 }
 
+#[derive(Debug, Clone)]
+pub struct TargetEventTime {
+ start_time: Option>,
+ end_time: Option>,
+}
+
+impl TargetEventTime {
+ pub fn new() -> TargetEventTime {
+ let start_time = if let Some(s_time) = CONFIG.read().unwrap().args.value_of("start-time") {
+ match s_time.parse::>() {
+ Ok(dt) => Some(dt),
+ Err(err) => {
+ AlertMessage::alert(
+ &mut std::io::stderr().lock(),
+ format!("start-time field: {}", err),
+ )
+ .ok();
+ None
+ }
+ }
+ } else {
+ None
+ };
+ let end_time = if let Some(e_time) = CONFIG.read().unwrap().args.value_of("end-time") {
+ match e_time.parse::>() {
+ Ok(dt) => Some(dt),
+ Err(err) => {
+ AlertMessage::alert(
+ &mut std::io::stderr().lock(),
+ format!("start-time field: {}", err),
+ )
+ .ok();
+ None
+ }
+ }
+ } else {
+ None
+ };
+ return TargetEventTime {
+ start_time: start_time,
+ end_time: end_time,
+ };
+ }
+
+ pub fn is_target(&self, eventtime: &Option>) -> bool {
+ if eventtime.is_none() {
+ return true;
+ }
+ if let Some(starttime) = self.start_time {
+ if eventtime.unwrap() < starttime {
+ return false;
+ }
+ }
+ if let Some(endtime) = self.end_time {
+ if eventtime.unwrap() > endtime {
+ return false;
+ }
+ }
+ return true;
+ }
+}
+
 #[derive(Debug, Clone)]
 pub struct EventKeyAliasConfig {
 key_to_eventkey: HashMap,
diff --git a/src/detections/print.rs b/src/detections/print.rs
index 22a15d8d..26e05046 100644
--- a/src/detections/print.rs
+++ b/src/detections/print.rs
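Review bot: In `TargetEventTime::new`, the `Err` arm for `end-time` reports `format!("start-time field: {}", err)`, so a malformed `--end-time` is attributed to the wrong flag; it should be `format!("end-time field: {}", err)`. In the same arms a parse failure falls back to `None`, which silently drops that bound and analyzes everything beyond it after a single stderr alert — returning an error from `new` so a mistyped bound aborts the run would be safer than quietly widening the window. In `is_target`, the `is_none()` guard followed by two `eventtime.unwrap()` calls reads better as `let t = match eventtime { Some(t) => *t, None => return true };` with `t` used in both comparisons. Nothing checks that `start_time <= end_time`, so an inverted pair quietly matches no records; a one-line check in `new` with an alert would make that visible.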
@@ -1,5 +1,6 @@
 extern crate lazy_static;
 use crate::detections::configs;
+use crate::detections::utils;
 use crate::detections::utils::get_serde_number_to_string;
 use chrono::{DateTime, TimeZone, Utc};
 use lazy_static::lazy_static;
@@ -9,7 +10,6 @@ use std::collections::BTreeMap;
 use std::collections::HashMap;
 use std::io::{self, Write};
 use std::sync::Mutex;
-use crate::detections::utils;
 
 #[derive(Debug)]
 pub struct Message {
diff --git a/src/detections/utils.rs b/src/detections/utils.rs
index bde46871..5d0d52ff 100644
--- a/src/detections/utils.rs
+++ b/src/detections/utils.rs
@@ -7,6 +7,7 @@ use crate::detections::configs;
 use tokio::runtime::Builder;
 use tokio::runtime::Runtime;
 
+use chrono::{DateTime, TimeZone, Utc};
 use regex::Regex;
 use serde_json::Value;
 use std::fs::File;
@@ -14,7 +15,6 @@ use std::io::prelude::*;
 use std::io::{BufRead, BufReader};
 use std::str;
 use std::string::String;
-use chrono::{DateTime, TimeZone, Utc};
 
 pub fn concat_selection_key(key_list: &Vec) -> String {
 return key_list
diff --git a/src/main.rs b/src/main.rs
index f2cf0458..73efcd6b 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -121,43 +121,42 @@ fn analysis_files(evtx_files: Vec) {
 .unwrap_or("informational")
 .to_uppercase();
 
- // TODO: config.rs に移す
- // ./target/debug/hayabusa -f ./test_files/evtx/test1.evtx --start-time 2014-11-28T12:00:09Z
- let start_time = if let Some(s_time) = configs::CONFIG
- .read()
- .unwrap()
- .args
- .value_of("start-time")
- {
- match s_time.parse::>() {
- Ok(dt)=> Some(dt),
- Err(err) => {
- AlertMessage::alert(&mut std::io::stderr().lock(), format!("start-time field: {}", err)).ok();
- None
- }
- }
- } else {
- None
- };
+ // // TODO: config.rs に移す
+ // // ./target/debug/hayabusa -f ./test_files/evtx/test1.evtx --start-time 2014-11-28T12:00:09Z
+ // let start_time =
+ // if let Some(s_time) = configs::CONFIG.read().unwrap().args.value_of("start-time") {
+ // match s_time.parse::>() {
+ // Ok(dt) => Some(dt),
+ // Err(err) => {
+ // AlertMessage::alert(
+ // &mut std::io::stderr().lock(),
+ // format!("start-time field: {}", err),
+ // )
+ // .ok();
+ // None
+ // }
+ // }
+ // } else {
+ // None
+ // };
 
- let end_time= if let Some(e_time) = configs::CONFIG
- .read()
- .unwrap()
- .args
- .value_of("end-time")
- {
- match e_time.parse::>() {
- Ok(dt)=> Some(dt),
- Err(err) => {
- AlertMessage::alert(&mut std::io::stderr().lock(), format!("start-time field: {}", err)).ok();
- None
- }
- }
- } else {
- None
- };
+ // let end_time = if let Some(e_time) = configs::CONFIG.read().unwrap().args.value_of("end-time") {
+ // match e_time.parse::>() {
+ // Ok(dt) => Some(dt),
+ // Err(err) => {
+ // AlertMessage::alert(
+ // &mut std::io::stderr().lock(),
+ // format!("start-time field: {}", err),
+ // )
+ // .ok();
+ // None
+ // }
+ // }
+ // } else {
+ // None
+ // };
 
- println!("TIME: {:?}", start_time);
+ // println!("TIME: {:?}", start_time);
 println!("Analyzing Event Files: {:?}", evtx_files.len());
 let rule_files = detection::Detection::parse_rule_files(
 level,
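Review bot: The old `start_time`/`end_time` blocks in `analysis_files` are kept as commented-out code instead of being removed, together with the now-stale `// TODO: config.rs に移す`, which this commit resolves by adding `configs::TargetEventTime`. Commented-out code should be deleted outright; the history lives in version control, and the dead block still contains the wrong `"start-time field"` message for the end-time case, which a reader may later copy back. The `// println!("TIME: {:?}", start_time);` debug line can go with it. `analysis_files` continues outside the hunk.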
@@ -192,6 +191,8 @@ fn analysis_file(
 let mut records = parser.records_json_value();
 let tokio_rt = utils::create_tokio_runtime();
 
+ let target_event_time = configs::TargetEventTime::new();
+
 loop {
 let mut records_per_detect = vec![];
 while records_per_detect.len() < MAX_DETECT_RECORDS {
@@ -228,6 +229,14 @@ fn analysis_file(
 }
 }
 
+ let eventtime = utils::get_event_value(&utils::get_event_time(), &data);
+ if eventtime.is_some() {
+ let time = utils::str_time_to_datetime(eventtime.unwrap().as_str().unwrap_or(""));
+ if !target_event_time.is_target(&time) {
+ continue;
+ }
+ }
+
 // EvtxRecordInfo構造体に変更
 let data_string = data.to_string();
 let record_info = EvtxRecordInfo::new((&filepath_disp).to_string(), data, data_string);
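Review bot: `configs::TargetEventTime::new()` is constructed inside `analysis_file`, which re-reads `CONFIG` and re-parses `--start-time`/`--end-time` on every call; if `analysis_file` runs once per evtx file, as its name and the caller `analysis_files` suggest, a malformed bound is re-parsed and its stderr alert repeated for each file. Construct it once in the caller and pass it in, e.g. `fn analysis_file(..., target_event_time: &configs::TargetEventTime)`, so the bounds are validated a single time before any file is opened. The signature of `analysis_file` is outside the hunk.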
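Review bot: The new filter uses `eventtime.is_some()` followed by `eventtime.unwrap().as_str().unwrap_or("")`, so a time field that exists but is not a string becomes `""`, and — assuming `str_time_to_datetime` yields `None` for an unparseable string — `is_target` then returns true and the record passes regardless of the requested window; records with no time field pass the same way. Keeping records whose timestamp cannot be parsed is a defensible fail-open choice for forensic review, since evidence is not silently dropped, but it should be stated at the call site, e.g. `// records without a parseable timestamp are never filtered out by --start-time/--end-time`. The `is_some`/`unwrap` pair reads better as `if let Some(t) = utils::get_event_value(&utils::get_event_time(), &data) { ... }` with `t.as_str()` inside. The enclosing loop body of `analysis_file` starts and ends outside the hunk.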