Add: time filter

src/detections/configs.rs

@@ -1,4 +1,6 @@
+use crate::detections::print::AlertMessage;
 use crate::detections::utils;
+use chrono::{DateTime, Utc};
 use clap::{App, AppSettings, ArgMatches};
 use lazy_static::lazy_static;
 use std::collections::{HashMap, HashSet};
@@ -118,6 +120,68 @@ fn load_target_ids(path: &str) -> TargetEventIds {
     return ret;
 }
 
+#[derive(Debug, Clone)]
+pub struct TargetEventTime {
+    start_time: Option<DateTime<Utc>>,
+    end_time: Option<DateTime<Utc>>,
+}
+
+impl TargetEventTime {
+    pub fn new() -> TargetEventTime {
+        let start_time = if let Some(s_time) = CONFIG.read().unwrap().args.value_of("start-time") {
+            match s_time.parse::<DateTime<Utc>>() {
+                Ok(dt) => Some(dt),
+                Err(err) => {
+                    AlertMessage::alert(
+                        &mut std::io::stderr().lock(),
+                        format!("start-time field: {}", err),
+                    )
+                    .ok();
+                    None
+                }
+            }
+        } else {
+            None
+        };
+        let end_time = if let Some(e_time) = CONFIG.read().unwrap().args.value_of("end-time") {
+            match e_time.parse::<DateTime<Utc>>() {
+                Ok(dt) => Some(dt),
+                Err(err) => {
+                    AlertMessage::alert(
+                        &mut std::io::stderr().lock(),
+                        format!("start-time field: {}", err),
+                    )
+                    .ok();
+                    None
+                }
+            }
+        } else {
+            None
+        };
+        return TargetEventTime {
+            start_time: start_time,
+            end_time: end_time,
+        };
+    }
+
+    pub fn is_target(&self, eventtime: &Option<DateTime<Utc>>) -> bool {
+        if eventtime.is_none() {
+            return true;
+        }
+        if let Some(starttime) = self.start_time {
+            if eventtime.unwrap() < starttime {
+                return false;
+            }
+        }
+        if let Some(endtime) = self.end_time {
+            if eventtime.unwrap() > endtime {
+                return false;
+            }
+        }
+        return true;
+    }
+}
+
 #[derive(Debug, Clone)]
 pub struct EventKeyAliasConfig {
     key_to_eventkey: HashMap<String, String>,

src/detections/print.rs

@@ -1,5 +1,6 @@
 extern crate lazy_static;
 use crate::detections::configs;
+use crate::detections::utils;
 use crate::detections::utils::get_serde_number_to_string;
 use chrono::{DateTime, TimeZone, Utc};
 use lazy_static::lazy_static;
@@ -9,7 +10,6 @@ use std::collections::BTreeMap;
 use std::collections::HashMap;
 use std::io::{self, Write};
 use std::sync::Mutex;
-use crate::detections::utils;
 
 #[derive(Debug)]
 pub struct Message {

src/detections/utils.rs

@@ -7,6 +7,7 @@ use crate::detections::configs;
 use tokio::runtime::Builder;
 use tokio::runtime::Runtime;
 
+use chrono::{DateTime, TimeZone, Utc};
 use regex::Regex;
 use serde_json::Value;
 use std::fs::File;
@@ -14,7 +15,6 @@ use std::io::prelude::*;
 use std::io::{BufRead, BufReader};
 use std::str;
 use std::string::String;
-use chrono::{DateTime, TimeZone, Utc};
 
 pub fn concat_selection_key(key_list: &Vec<String>) -> String {
     return key_list

src/main.rs

@@ -121,43 +121,42 @@ fn analysis_files(evtx_files: Vec<PathBuf>) {
         .unwrap_or("informational")
         .to_uppercase();
 
-    // TODO: config.rs に移す
+    // // TODO: config.rs に移す
-    // ./target/debug/hayabusa -f ./test_files/evtx/test1.evtx --start-time 2014-11-28T12:00:09Z
+    // // ./target/debug/hayabusa -f ./test_files/evtx/test1.evtx --start-time 2014-11-28T12:00:09Z
-    let start_time = if let Some(s_time) = configs::CONFIG
+    // let start_time =
-        .read()
+    //     if let Some(s_time) = configs::CONFIG.read().unwrap().args.value_of("start-time") {
-        .unwrap()
+    //         match s_time.parse::<DateTime<Utc>>() {
-        .args
+    //             Ok(dt) => Some(dt),
-        .value_of("start-time")
+    //             Err(err) => {
-    {
+    //                 AlertMessage::alert(
-        match s_time.parse::<DateTime<Utc>>() {
+    //                     &mut std::io::stderr().lock(),
-            Ok(dt)=> Some(dt),
+    //                     format!("start-time field: {}", err),
-            Err(err) => {
+    //                 )
-                AlertMessage::alert(&mut std::io::stderr().lock(), format!("start-time field: {}", err)).ok();
+    //                 .ok();
-                None
+    //                 None
-            }
+    //             }
-        }
+    //         }
-    } else {
+    //     } else {
-        None
+    //         None
-    };
+    //     };
 
-    let end_time= if let Some(e_time) = configs::CONFIG
+    // let end_time = if let Some(e_time) = configs::CONFIG.read().unwrap().args.value_of("end-time") {
-        .read()
+    //     match e_time.parse::<DateTime<Utc>>() {
-        .unwrap()
+    //         Ok(dt) => Some(dt),
-        .args
+    //         Err(err) => {
-        .value_of("end-time")
+    //             AlertMessage::alert(
-    {
+    //                 &mut std::io::stderr().lock(),
-        match e_time.parse::<DateTime<Utc>>() {
+    //                 format!("start-time field: {}", err),
-            Ok(dt)=> Some(dt),
+    //             )
-            Err(err) => {
+    //             .ok();
-                AlertMessage::alert(&mut std::io::stderr().lock(), format!("start-time field: {}", err)).ok();
+    //             None
-                None
+    //         }
-            }
+    //     }
-        }
+    // } else {
-    } else {
+    //     None
-        None
+    // };
-    };
 
-    println!("TIME: {:?}", start_time);
+    // println!("TIME: {:?}", start_time);
     println!("Analyzing Event Files: {:?}", evtx_files.len());
     let rule_files = detection::Detection::parse_rule_files(
         level,
@@ -192,6 +191,8 @@ fn analysis_file(
     let mut records = parser.records_json_value();
     let tokio_rt = utils::create_tokio_runtime();
 
+    let target_event_time = configs::TargetEventTime::new();
+
     loop {
         let mut records_per_detect = vec![];
         while records_per_detect.len() < MAX_DETECT_RECORDS {
@@ -228,6 +229,14 @@ fn analysis_file(
                 }
             }
 
+            let eventtime = utils::get_event_value(&utils::get_event_time(), &data);
+            if eventtime.is_some() {
+                let time = utils::str_time_to_datetime(eventtime.unwrap().as_str().unwrap_or(""));
+                if !target_event_time.is_target(&time) {
+                    continue;
+                }
+            }
+
             // EvtxRecordInfo構造体に変更
             let data_string = data.to_string();
             let record_info = EvtxRecordInfo::new((&filepath_disp).to_string(), data, data_string);