Add: time filter

2021-12-07 00:50:00 +09:00
parent e09cfb7231
commit 4bb445d4f5
4 changed files with 110 additions and 37 deletions
--- a/src/detections/configs.rs
+++ b/src/detections/configs.rs
@@ -1,4 +1,6 @@
+use crate::detections::print::AlertMessage;
 use crate::detections::utils;
+use chrono::{DateTime, Utc};
 use clap::{App, AppSettings, ArgMatches};
 use lazy_static::lazy_static;
 use std::collections::{HashMap, HashSet};
@@ -118,6 +120,68 @@ fn load_target_ids(path: &str) -> TargetEventIds {
    return ret;
 }

+#[derive(Debug, Clone)]
+pub struct TargetEventTime {
+    start_time: Option<DateTime<Utc>>,
+    end_time: Option<DateTime<Utc>>,
+}
+
+impl TargetEventTime {
+    pub fn new() -> TargetEventTime {
+        let start_time = if let Some(s_time) = CONFIG.read().unwrap().args.value_of("start-time") {
+            match s_time.parse::<DateTime<Utc>>() {
+                Ok(dt) => Some(dt),
+                Err(err) => {
+                    AlertMessage::alert(
+                        &mut std::io::stderr().lock(),
+                        format!("start-time field: {}", err),
+                    )
+                    .ok();
+                    None
+                }
+            }
+        } else {
+            None
+        };
+        let end_time = if let Some(e_time) = CONFIG.read().unwrap().args.value_of("end-time") {
+            match e_time.parse::<DateTime<Utc>>() {
+                Ok(dt) => Some(dt),
+                Err(err) => {
+                    AlertMessage::alert(
+                        &mut std::io::stderr().lock(),
+                        format!("start-time field: {}", err),
+                    )
+                    .ok();
+                    None
+                }
+            }
+        } else {
+            None
+        };
+        return TargetEventTime {
+            start_time: start_time,
+            end_time: end_time,
+        };
+    }
+
+    pub fn is_target(&self, eventtime: &Option<DateTime<Utc>>) -> bool {
+        if eventtime.is_none() {
+            return true;
+        }
+        if let Some(starttime) = self.start_time {
+            if eventtime.unwrap() < starttime {
+                return false;
+            }
+        }
+        if let Some(endtime) = self.end_time {
+            if eventtime.unwrap() > endtime {
+                return false;
+            }
+        }
+        return true;
+    }
+}
+
 #[derive(Debug, Clone)]
 pub struct EventKeyAliasConfig {
    key_to_eventkey: HashMap<String, String>,
--- a/src/detections/print.rs
+++ b/src/detections/print.rs
@@ -1,5 +1,6 @@
 extern crate lazy_static;
 use crate::detections::configs;
+use crate::detections::utils;
 use crate::detections::utils::get_serde_number_to_string;
 use chrono::{DateTime, TimeZone, Utc};
 use lazy_static::lazy_static;
@@ -9,7 +10,6 @@ use std::collections::BTreeMap;
 use std::collections::HashMap;
 use std::io::{self, Write};
 use std::sync::Mutex;
-use crate::detections::utils;

 #[derive(Debug)]
 pub struct Message {
--- a/src/detections/utils.rs
+++ b/src/detections/utils.rs
@@ -7,6 +7,7 @@ use crate::detections::configs;
 use tokio::runtime::Builder;
 use tokio::runtime::Runtime;

+use chrono::{DateTime, TimeZone, Utc};
 use regex::Regex;
 use serde_json::Value;
 use std::fs::File;
@@ -14,7 +15,6 @@ use std::io::prelude::*;
 use std::io::{BufRead, BufReader};
 use std::str;
 use std::string::String;
-use chrono::{DateTime, TimeZone, Utc};

 pub fn concat_selection_key(key_list: &Vec<String>) -> String {
    return key_list
--- a/src/main.rs
+++ b/src/main.rs
@@ -121,43 +121,42 @@ fn analysis_files(evtx_files: Vec<PathBuf>) {
        .unwrap_or("informational")
        .to_uppercase();

-    // TODO: config.rs に移す
-    // ./target/debug/hayabusa -f ./test_files/evtx/test1.evtx --start-time 2014-11-28T12:00:09Z
-    let start_time = if let Some(s_time) = configs::CONFIG
-        .read()
-        .unwrap()
-        .args
-        .value_of("start-time")
-    {
-        match s_time.parse::<DateTime<Utc>>() {
-            Ok(dt)=> Some(dt),
-            Err(err) => {
-                AlertMessage::alert(&mut std::io::stderr().lock(), format!("start-time field: {}", err)).ok();
-                None
-            }
-        }
-    } else {
-        None
-    };
+    // // TODO: config.rs に移す
+    // // ./target/debug/hayabusa -f ./test_files/evtx/test1.evtx --start-time 2014-11-28T12:00:09Z
+    // let start_time =
+    //     if let Some(s_time) = configs::CONFIG.read().unwrap().args.value_of("start-time") {
+    //         match s_time.parse::<DateTime<Utc>>() {
+    //             Ok(dt) => Some(dt),
+    //             Err(err) => {
+    //                 AlertMessage::alert(
+    //                     &mut std::io::stderr().lock(),
+    //                     format!("start-time field: {}", err),
+    //                 )
+    //                 .ok();
+    //                 None
+    //             }
+    //         }
+    //     } else {
+    //         None
+    //     };

-    let end_time= if let Some(e_time) = configs::CONFIG
-        .read()
-        .unwrap()
-        .args
-        .value_of("end-time")
-    {
-        match e_time.parse::<DateTime<Utc>>() {
-            Ok(dt)=> Some(dt),
-            Err(err) => {
-                AlertMessage::alert(&mut std::io::stderr().lock(), format!("start-time field: {}", err)).ok();
-                None
-            }
-        }
-    } else {
-        None
-    };
+    // let end_time = if let Some(e_time) = configs::CONFIG.read().unwrap().args.value_of("end-time") {
+    //     match e_time.parse::<DateTime<Utc>>() {
+    //         Ok(dt) => Some(dt),
+    //         Err(err) => {
+    //             AlertMessage::alert(
+    //                 &mut std::io::stderr().lock(),
+    //                 format!("start-time field: {}", err),
+    //             )
+    //             .ok();
+    //             None
+    //         }
+    //     }
+    // } else {
+    //     None
+    // };

-    println!("TIME: {:?}", start_time);
+    // println!("TIME: {:?}", start_time);
    println!("Analyzing Event Files: {:?}", evtx_files.len());
    let rule_files = detection::Detection::parse_rule_files(
        level,
@@ -192,6 +191,8 @@ fn analysis_file(
    let mut records = parser.records_json_value();
    let tokio_rt = utils::create_tokio_runtime();

+    let target_event_time = configs::TargetEventTime::new();
+
    loop {
        let mut records_per_detect = vec![];
        while records_per_detect.len() < MAX_DETECT_RECORDS {
@@ -228,6 +229,14 @@ fn analysis_file(
                }
            }

+            let eventtime = utils::get_event_value(&utils::get_event_time(), &data);
+            if eventtime.is_some() {
+                let time = utils::str_time_to_datetime(eventtime.unwrap().as_str().unwrap_or(""));
+                if !target_event_time.is_target(&time) {
+                    continue;
+                }
+            }
+
            // EvtxRecordInfo構造体に変更
            let data_string = data.to_string();
            let record_info = EvtxRecordInfo::new((&filepath_disp).to_string(), data, data_string);