diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md
index 5b8fbc00..3e472a16 100644
--- a/CHANGELOG-Japanese.md
+++ b/CHANGELOG-Japanese.md
@@ -2,13 +2,11 @@
 ## v1.4.2 [2022/07/XX]
-**新機能:**
-
-- XXX
-
 **改善:**
 - `--update-rules` オプションを利用する時に、更新対象のレポジトリを`--rules`オプションで指定できるようにした。 (#615) (@hitenkoku)
+- 並列処理の改善による高速化。 (#479) (@kazuminn)
+- `--output`オプションを利用したときのRulePathをRuleFileに変更した。RuleFileは出力するファイルの容量を低減させるためにファイル名のみを出力するようにした。 (#623) (@hitenkoku)
 **バグ修正:**
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4dbdf956..8853df37 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,17 +2,15 @@
 ## v1.4.2 [2022/07/XX]
-**New Features:**
-
-- XXX
-
 **Enhancements:**
-- Combining the two options, you can now update rules with `--update-rules` option to a custom rules directory with the `--rules` option. (#615) (@hitenkoku)
+- You can now update rules to a custom directory by combining the `--update-rules` and `--rules` options. (#615) (@hitenkoku)
+- Improved speed with parallel processing by up to 20% with large files. (#479) (@kazuminn)
+- The `.yml` rule path (changed from RulePath to RuleFile) saved with `-o` now outputs to decrease memory usage and file size. (#623) (@hitenkoku)
 **Bug Fixes:**
-- Fixed error due to the files in the config folder cannot be read. (#618) (@hitenkoku)
+- Fixed a runtime error when hayabusa is run from a different path than the current directory. (#618) (@hitenkoku)
 ## v1.4.1 [2022/06/30]
diff --git a/Cargo.lock b/Cargo.lock
index 4ac78c67..22da4f7d 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -133,9 +133,9 @@ checksum = "14c189c53d098945499cdfa7ecc63567cf3886b3332b312a5b4585d8d3a6a610"
 [[package]]
 name = "bytes"
-version = "1.1.0"
+version = "1.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c4872d67bab6358e59559027aa3b9157c53d9358c51423c17554809a8858e0f8"
+checksum = "f0b3de4a0c5e67e16066a0715723abd91edc2f9001d09c46e1dca929351e130e"
 [[package]]
 name = "bytesize"
@@ -529,7 +529,7 @@ dependencies = [
 [[package]]
 name = "evtx"
 version = "0.7.3"
-source = "git+https://github.com/Yamato-Security/hayabusa-evtx.git#7a734d0eb884bba4ce81f1bddbfdb4644c9e74e3"
+source = "git+https://github.com/Yamato-Security/hayabusa-evtx.git#8c3a7927d88972424574d1473ada5b76c8e98269"
 dependencies = [
  "anyhow",
  "bitflags",
@@ -697,9 +697,9 @@ checksum = "9b919933a397b79c37e33b77bb2aa3dc8eb6e165ad809e58ff75bc7db2e34574"
 [[package]]
 name = "hashbrown"
-version = "0.12.2"
+version = "0.12.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "607c8a29735385251a339424dd462993c0fed8fa09d378f259377df08c126022"
+checksum = "8a9ee70c43aaf417c914396645a0fa852624801b24ebb7ae78fe8272889ac888"
 dependencies = [
  "ahash",
 ]
@@ -1219,9 +1219,9 @@ dependencies = [
 [[package]]
 name = "os_str_bytes"
-version = "6.1.0"
+version = "6.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "21326818e99cfe6ce1e524c2a805c189a99b5ae555a35d19f9a284b427d86afa"
+checksum = "648001efe5d5c0102d8cea768e348da85d90af8ba91f0bea908f157951493cd4"
 [[package]]
 name = "parking_lot"
@@ -1977,9 +1977,9 @@ checksum = "099b7128301d285f79ddd55b9a83d5e6b9e97c92e0ea0daebee7263e932de992"
 [[package]]
 name = "unicode-ident"
-version = "1.0.1"
+version = "1.0.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5bd2fe26506023ed7b5e1e315add59d6f584c621d037f9368fea9cfb988f368c"
+checksum = "15c61ba63f9235225a22310255a29b806b907c9b8c964bcbd0a2c70f3f2deea7"
 [[package]]
 name = "unicode-normalization"
diff --git a/README-Japanese.md b/README-Japanese.md
index 2e8470fc..b0ea5a95 100644
--- a/README-Japanese.md
+++ b/README-Japanese.md
@@ -512,8 +512,8 @@ Hayabusaの結果を標準出力に表示しているとき(デフォルト)
 CSVファイルとして保存する場合、以下の列が追加されます:
 * `MitreAttack`: MITRE ATT&CKの戦術。
-* `Rule Path`: アラートまたはイベントを生成した検知ルールへのパス。
-* `File Path`: アラートまたはイベントを起こしたevtxファイルへのパス。
+* `RuleFile`: アラートまたはイベントを生成した検知ルールのファイル名。
+* `EvtxFile`: アラートまたはイベントを起こしたevtxファイルへのパス。
 `-F`もしくは`--full-data`オプションを指定した場合、全てのフィールド情報が`RecordInformation`カラムにで出力されます。
diff --git a/README.md b/README.md
index 1e26a122..44b9753c 100644
--- a/README.md
+++ b/README.md
@@ -509,8 +509,8 @@ When hayabusa output is being displayed to the screen (the default), it will dis
 The following additional columns will be added to the output when saving to a CSV file:
 * `MitreAttack`: MITRE ATT&CK tactics.
-* `Rule Path`: The path to the detection rule that generated the alert or event.
-* `File Path`: The path to the evtx file that caused the alert or event.
+* `RuleFile`: The filename of the detection rule that generated the alert or event.
+* `EvtxFile`: The path to the evtx file that caused the alert or event.
 If you add the `-F` or `--full-data` option, a `RecordInformation` column with all field information will also be added.
diff --git a/src/afterfact.rs b/src/afterfact.rs
index 425b5137..9c36de16 100644
--- a/src/afterfact.rs
+++ b/src/afterfact.rs
@@ -21,6 +21,7 @@ use std::fs::File;
 use std::io;
 use std::io::BufWriter;
 use std::io::Write;
+use std::path::Path;
 use std::process;
 use termcolor::{BufferWriter, Color, ColorChoice, ColorSpec, WriteColor};
 use terminal_size::Width;
@@ -40,8 +41,8 @@ pub struct CsvFormat<'a> {
     details: &'a str,
     #[serde(skip_serializing_if = "Option::is_none")]
     record_information: Option<&'a str>,
-    rule_path: &'a str,
-    file_path: &'a str,
+    rule_file: &'a str,
+    evtx_file: &'a str,
 }
 #[derive(Debug, Serialize)]
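Review bot: Renaming `rule_path`/`file_path` to `rule_file`/`evtx_file` in the `@@ -40` hunk of src/afterfact.rs also renames two CSV columns, because the header written with `-o` appears to be derived from these serialized field names (the test hunk later in this file now expects `RuleFile,EvtxFile`), so any downstream parser keyed on `RulePath`/`FilePath` silently stops matching those columns. Nothing on the struct says that its field names are an external schema. A doc comment on CsvFormat such as `/// Serialized field order and names define the CSV column schema written with -o; renaming a field renames an output column and breaks consumers keyed on the old name.` would make the next rename a deliberate, changelog-worthy choice. The struct's header and derive attributes start outside this hunk, so the exact rename mechanism cannot be confirmed from here.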
@@ -317,8 +318,12 @@ fn emit_csv(
             rule_title: &detect_info.alert,
             details: &detect_info.detail,
             record_information: detect_info.record_information.as_deref(),
-            file_path: &detect_info.filepath,
-            rule_path: &detect_info.rulepath,
+            evtx_file: &detect_info.filepath,
+            rule_file: Path::new(&detect_info.rulepath) .file_name() .unwrap() .to_str() .unwrap(),
             record_i_d: detect_info.record_id.as_deref(),
         })?;
     }
@@ -782,7 +787,7 @@ mod tests {
             .unwrap();
         let expect_tz = expect_time.with_timezone(&Local);
         let expect =
-            "Timestamp,Computer,Channel,EventID,Level,MitreAttack,RecordID,RuleTitle,Details,RecordInformation,RulePath,FilePath\n"
+            "Timestamp,Computer,Channel,EventID,Level,MitreAttack,RecordID,RuleTitle,Details,RecordInformation,RuleFile,EvtxFile\n"
                 .to_string()
                 + &expect_tz
                     .clone()
diff --git a/src/detections/detection.rs b/src/detections/detection.rs
index 4d0437eb..91fd7f02 100644
--- a/src/detections/detection.rs
+++ b/src/detections/detection.rs
@@ -23,6 +23,7 @@ use hashbrown::HashMap;
 use serde_json::Value;
 use std::fmt::Write;
 use std::path::Path;
+
 use std::sync::Arc;
 use tokio::{runtime::Runtime, spawn, task::JoinHandle};
@@ -253,10 +254,9 @@ impl Detection {
         } else {
             None
         };
-
         let detect_info = DetectInfo {
             filepath: record_info.evtx_filepath.to_string(),
-            rulepath: rule.rulepath.to_string(),
+            rulepath: (&rule.rulepath).to_owned(),
             level: rule.yaml["level"].as_str().unwrap_or("-").to_string(),
             computername: record_info.record["Event"]["System"]["Computer"]
                 .to_string()
@@ -299,9 +299,10 @@ impl Detection {
         } else {
             None
         };
+
         let detect_info = DetectInfo {
             filepath: "-".to_owned(),
-            rulepath: rule.rulepath.to_owned(),
+            rulepath: (&rule.rulepath).to_owned(),
             level: rule.yaml["level"].as_str().unwrap_or("").to_owned(),
             computername: "-".to_owned(),
             eventid: "-".to_owned(),
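Review bot: The new `rule_file` value in the `@@ -317` hunk of src/afterfact.rs unwraps `Path::file_name()`, which returns `None` for a path with no final normal component (empty, a bare root, or one ending in `..`), so one odd rule path would panic and abort the whole CSV write rather than produce one degraded row; the second unwrap on `to_str()` cannot fail here because the path is built from a `String`, but it still reads as a second panic site. A total form keeps the row and falls back to the full path: `rule_file: Path::new(&detect_info.rulepath).file_name().and_then(|f| f.to_str()).unwrap_or(&detect_info.rulepath),`. Note also that emitting only the file name discards the directory, so two rules with the same file name in different rule directories become indistinguishable in the CSV, which is worth stating in the README column description alongside the size benefit. emit_csv begins outside this hunk.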
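Review bot: `(&rule.rulepath).to_owned()` in the `@@ -253` hunk of src/detections/detection.rs takes an explicit reference that method resolution would take anyway, so it is equivalent to `rule.rulepath.to_owned()` (or `rule.rulepath.clone()` if the field is a `String`, which the old `.to_string()`/`.to_owned()` calls suggest), and clippy's `needless_borrow` will likely flag the parenthesised form; the same expression appears in the `@@ -299` hunk. The `@@ -23` hunk also inserts a lone blank line between `use std::path::Path;` and `use std::sync::Arc;`, which splits one sorted import group into two for no visible reason; dropping that line keeps the `use` block as a single group for rustfmt. The methods enclosing both `impl Detection` hunks start and end outside the hunks.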