From 983ee9862920d05cba53d5ede5144b826aa2c7f7 Mon Sep 17 00:00:00 2001 From: DastInDark <2350416+hitenkoku@users.noreply.github.com> Date: Sun, 17 Jul 2022 20:23:38 +0900 Subject: [PATCH 01/22] added pathdiff crate due to relative rule path output #623 --- Cargo.lock | 7 +++++++ Cargo.toml | 1 + 2 files changed, 8 insertions(+) diff --git a/Cargo.lock b/Cargo.lock index 4ac78c67..04cab68c 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -731,6 +731,7 @@ dependencies = [ "lock_api", "num_cpus", "openssl", + "pathdiff", "pbr", "prettytable-rs", "quick-xml", @@ -1246,6 +1247,12 @@ dependencies = [ "windows-sys", ] +[[package]] +name = "pathdiff" +version = "0.2.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8835116a5c179084a830efb3adc117ab007512b535bc1a21c991d3b32a6b44dd" + [[package]] name = "pbr" version = "1.0.4" diff --git a/Cargo.toml b/Cargo.toml index 9be76e07..e64942a6 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -37,6 +37,7 @@ bytesize = "1.*" hyper = "0.14.*" lock_api = "0.4.*" crossbeam-utils = "0.8.*" +pathdiff = "*" [target.'cfg(windows)'.dependencies] is_elevated = "0.1.*" From 67018ba8c8167a91f3cfb9cc554441140c4f9644 Mon Sep 17 00:00:00 2001 From: DastInDark <2350416+hitenkoku@users.noreply.github.com> Date: Sun, 17 Jul 2022 20:25:18 +0900 Subject: [PATCH 02/22] changed optimized output when rule option value is relative path #623 --- src/detections/detection.rs | 25 +++++++++++++++++++++---- 1 file changed, 21 insertions(+), 4 deletions(-) diff --git a/src/detections/detection.rs b/src/detections/detection.rs index 4d0437eb..93c553b1 100644 --- a/src/detections/detection.rs +++ b/src/detections/detection.rs @@ -21,8 +21,10 @@ use crate::yaml::ParseYaml; use hashbrown; use hashbrown::HashMap; use serde_json::Value; +use std::env; use std::fmt::Write; -use std::path::Path; +use std::path::{Path, PathBuf}; +use pathdiff::diff_paths; use std::sync::Arc; use tokio::{runtime::Runtime, spawn, task::JoinHandle}; 
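Review bot: `pathdiff = "*"` in the Cargo.toml hunk accepts any future release of the crate, unlike the neighbouring entries that bound the version (`hyper = "0.14.*"`, `lock_api = "0.4.*"`, `crossbeam-utils = "0.8.*"`). Cargo.lock pins 0.2.1 today, but a routine `cargo update` can then move to a semver-incompatible release with no change visible in this file, which is exactly the kind of drift a lockfile review is meant to catch. Writing the requirement in the style of the surrounding lines, `pathdiff = "0.2.*"`, keeps the resolved version under review.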
@@ -253,10 +255,17 @@ impl Detection { } else { None }; - + let tmp_fmt_path = &PathBuf::from(&rule.rulepath).canonicalize().unwrap().display().to_string()[4..]; + let abs_rule_path = Path::new(tmp_fmt_path); + let fmted_rule_path_str = if configs::CONFIG.read().unwrap().args.rules.is_absolute() { + abs_rule_path.to_str().unwrap().to_string() + } else { + // ``個々の部分をregexとかで回してiterで落としたほうが速度向上につながると思われるため検討する + diff_paths(abs_rule_path, &env::current_dir().unwrap()).unwrap().to_str().unwrap().replace("..\\", "").replace(".\\", "") + }; let detect_info = DetectInfo { filepath: record_info.evtx_filepath.to_string(), - rulepath: rule.rulepath.to_string(), + rulepath: fmted_rule_path_str, level: rule.yaml["level"].as_str().unwrap_or("-").to_string(), computername: record_info.record["Event"]["System"]["Computer"] .to_string() @@ -299,9 +308,17 @@ impl Detection { } else { None }; + // canonicalizeを行った際に、windows環境で\\?\が必ず文字列として入ってしまう問題があったため先頭の4文字を除外している + let tmp_fmt_path = &PathBuf::from(&rule.rulepath).canonicalize().unwrap().display().to_string()[4..]; + let abs_rule_path = Path::new(tmp_fmt_path); + let fmted_rule_path_str = if configs::CONFIG.read().unwrap().args.rules.is_absolute() { + abs_rule_path.to_str().unwrap().to_string() + } else { + diff_paths(abs_rule_path, &env::current_dir().unwrap()).unwrap().to_str().unwrap().replace("..\\", "").replace(".\\", "") + }; let detect_info = DetectInfo { filepath: "-".to_owned(), - rulepath: rule.rulepath.to_owned(), + rulepath: fmted_rule_path_str, level: rule.yaml["level"].as_str().unwrap_or("").to_owned(), computername: "-".to_owned(), eventid: "-".to_owned(), From 1fba668b23767ced80da2e1bc378b510d2d194fc Mon Sep 17 00:00:00 2001 From: DastInDark <2350416+hitenkoku@users.noreply.github.com> Date: Sun, 17 Jul 2022 21:40:27 +0900 Subject: [PATCH 03/22] removed comment --- src/detections/detection.rs | 1 - 1 file changed, 1 deletion(-) 
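Review bot: The `[4..]` byte slice on the canonicalized rule path assumes the Windows `\\?\` verbatim prefix is always present; on Linux and macOS `canonicalize()` yields a plain `/...` path, so the first four bytes of a real path are dropped, and slicing at a fixed byte index panics if byte 4 falls inside a multibyte character. Stripping the prefix only when it is there avoids both: `let canon = PathBuf::from(&rule.rulepath).canonicalize().unwrap().display().to_string();` followed by `let tmp_fmt_path = canon.strip_prefix(r"\\?\").unwrap_or(&canon);`. The trailing `.replace("..\\", "").replace(".\\", "")` only handles backslash separators, so a `../` produced by `diff_paths` on Unix survives unchanged, and `canonicalize().unwrap()` aborts the scan without saying which rule file could not be resolved. The second hunk at line 299 duplicates the same block and has the same issues; both enclosing methods start and end outside the hunks.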
diff --git a/src/detections/detection.rs b/src/detections/detection.rs index 93c553b1..acf841c2 100644 --- a/src/detections/detection.rs +++ b/src/detections/detection.rs @@ -260,7 +260,6 @@ impl Detection { let fmted_rule_path_str = if configs::CONFIG.read().unwrap().args.rules.is_absolute() { abs_rule_path.to_str().unwrap().to_string() } else { - // ``個々の部分をregexとかで回してiterで落としたほうが速度向上につながると思われるため検討する diff_paths(abs_rule_path, &env::current_dir().unwrap()).unwrap().to_str().unwrap().replace("..\\", "").replace(".\\", "") }; let detect_info = DetectInfo { From 115f8a06325264adcf98e11d345850b5c3b86210 Mon Sep 17 00:00:00 2001 From: DastInDark <2350416+hitenkoku@users.noreply.github.com> Date: Mon, 18 Jul 2022 00:13:47 +0900 Subject: [PATCH 04/22] adjusted relative rule path omit to evtx file column #623 --- src/detections/detection.rs | 30 ++++++++++++------------------ src/detections/utils.rs | 24 +++++++++++++++++++++++- 2 files changed, 35 insertions(+), 19 deletions(-) diff --git a/src/detections/detection.rs b/src/detections/detection.rs index acf841c2..0d5a548a 100644 --- a/src/detections/detection.rs +++ b/src/detections/detection.rs @@ -1,7 +1,7 @@ extern crate csv; use crate::detections::configs; -use crate::detections::utils::write_color_buffer; +use crate::detections::utils::{write_color_buffer, get_output_str_path}; use termcolor::{BufferWriter, Color, ColorChoice}; use crate::detections::message::AlertMessage; @@ -21,10 +21,9 @@ use crate::yaml::ParseYaml; use hashbrown; use hashbrown::HashMap; use serde_json::Value; -use std::env; use std::fmt::Write; use std::path::{Path, PathBuf}; -use pathdiff::diff_paths; + use std::sync::Arc; use tokio::{runtime::Runtime, spawn, task::JoinHandle}; 
@@ -255,16 +254,16 @@ impl Detection { } else { None }; - let tmp_fmt_path = &PathBuf::from(&rule.rulepath).canonicalize().unwrap().display().to_string()[4..]; - let abs_rule_path = Path::new(tmp_fmt_path); - let fmted_rule_path_str = if configs::CONFIG.read().unwrap().args.rules.is_absolute() { - abs_rule_path.to_str().unwrap().to_string() + let conf = configs::CONFIG.read().unwrap(); + let abs_rule_path = &PathBuf::from(&rule.rulepath).canonicalize().unwrap().display().to_string()[4..]; + let file_opt_path = if conf.args.filepath.is_some() { + conf.args.filepath.as_ref().unwrap() } else { - diff_paths(abs_rule_path, &env::current_dir().unwrap()).unwrap().to_str().unwrap().replace("..\\", "").replace(".\\", "") + conf.args.directory.as_ref().unwrap() }; let detect_info = DetectInfo { - filepath: record_info.evtx_filepath.to_string(), - rulepath: fmted_rule_path_str, + filepath: get_output_str_path(file_opt_path, Path::new(&record_info.evtx_filepath)), + rulepath: get_output_str_path(&configs::CONFIG.read().unwrap().args.rules, Path::new(abs_rule_path)), level: rule.yaml["level"].as_str().unwrap_or("-").to_string(), computername: record_info.record["Event"]["System"]["Computer"] .to_string() 
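Review bot: The read guard `conf` from `configs::CONFIG.read().unwrap()` is still alive when the `DetectInfo` initializer calls `configs::CONFIG.read().unwrap()` a second time for `rulepath`; a re-entrant read on a std `RwLock` is documented as liable to deadlock once a writer is queued, so the second acquisition should reuse the guard: `rulepath: get_output_str_path(&conf.args.rules, Path::new(abs_rule_path)),`. `conf.args.directory.as_ref().unwrap()` also panics when neither `--file-path` nor `--directory` is set; presumably the CLI layer rejects that combination earlier, but a short comment saying so (`// one of filepath/directory is guaranteed by argument validation`) would make the unwrap reviewable. The enclosing method starts and ends outside the hunk.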
@@ -308,16 +307,11 @@ impl Detection { None }; // canonicalizeを行った際に、windows環境で\\?\が必ず文字列として入ってしまう問題があったため先頭の4文字を除外している - let tmp_fmt_path = &PathBuf::from(&rule.rulepath).canonicalize().unwrap().display().to_string()[4..]; - let abs_rule_path = Path::new(tmp_fmt_path); - let fmted_rule_path_str = if configs::CONFIG.read().unwrap().args.rules.is_absolute() { - abs_rule_path.to_str().unwrap().to_string() - } else { - diff_paths(abs_rule_path, &env::current_dir().unwrap()).unwrap().to_str().unwrap().replace("..\\", "").replace(".\\", "") - }; + let abs_rule_path = &PathBuf::from(&rule.rulepath).canonicalize().unwrap().display().to_string()[4..]; + let detect_info = DetectInfo { filepath: "-".to_owned(), - rulepath: fmted_rule_path_str, + rulepath: get_output_str_path(&configs::CONFIG.read().unwrap().args.rules, Path::new(abs_rule_path)), level: rule.yaml["level"].as_str().unwrap_or("").to_owned(), computername: "-".to_owned(), eventid: "-".to_owned(), diff --git a/src/detections/utils.rs b/src/detections/utils.rs index 1dec5959..875658ec 100644 --- a/src/detections/utils.rs +++ b/src/detections/utils.rs @@ -4,9 +4,12 @@ extern crate regex; use crate::detections::configs; use crate::detections::configs::CURRENT_EXE_PATH; +use std::env; use std::path::Path; use std::path::PathBuf; +use lazy_static::lazy_static; +use pathdiff::diff_paths; use termcolor::Color; use tokio::runtime::Builder; @@ -27,6 +30,10 @@ use termcolor::{BufferWriter, ColorSpec, WriteColor}; use super::detection::EvtxRecordInfo; +lazy_static! { + pub static ref OUTPUT_OMIT_REGEX:Regex = Regex::new(r"\.\./|\./|\.\.\\\\|\.\\|\.\.\\").unwrap(); +} + pub fn concat_selection_key(key_list: &[String]) -> String { return key_list .iter() 
@@ -386,11 +393,26 @@ pub fn check_setting_path(base_path: &Path, path: &str) -> PathBuf { } } +/// 与えられたoption_pathが相対パスであるかを確認し、絶対パスであればそのまま絶対パスのまま文字列として返却を行い、 +/// 相対パスであれば、カレントディレクトリとの相対パスの文字列から不要な(./、../)を除外した文字列を返却する関数 +pub fn get_output_str_path(option_path: &Path, target_path: &Path) -> String { + if option_path.is_absolute() { + target_path.to_str().unwrap().to_string() + } else { + let diff_path_result = diff_paths(target_path, &env::current_dir().unwrap()); + if let Some(diff_path) = diff_path_result { + OUTPUT_OMIT_REGEX.replace_all(diff_path.to_str().unwrap(), "").to_string() + } else { + OUTPUT_OMIT_REGEX.replace_all(target_path.to_str().unwrap(), "").to_string() + } + } +} + #[cfg(test)] mod tests { use std::path::Path; - use crate::detections::utils::{self, check_setting_path, make_ascii_titlecase}; + use crate::detections::utils::{self, check_setting_path, make_ascii_titlecase, get_output_str_path}; use regex::Regex; use serde_json::Value; From ad2beac49aa62c0e6907b04f5e1bac64d52f2080 Mon Sep 17 00:00:00 2001 From: DastInDark <2350416+hitenkoku@users.noreply.github.com> Date: Mon, 18 Jul 2022 00:14:46 +0900 Subject: [PATCH 05/22] add test #623 --- src/detections/utils.rs | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/src/detections/utils.rs b/src/detections/utils.rs index 875658ec..a5b1179b 100644 --- a/src/detections/utils.rs +++ b/src/detections/utils.rs @@ -601,4 +601,14 @@ mod tests { "fake" ); } + + #[test] + /// 与えられた相対パスから不要な表記("./", "../")削除を確認するテスト + fn test_get_output_relative_path() { + let exist_path = Path::new("./test_files/rules/yaml/1.yml").to_path_buf(); + assert_eq!( + get_output_str_path(Path::new("."), &exist_path), + "test_files/rules/yaml/1.yml" + ); + } } From ea63251a4bc65dc76ee518fa59bfe3b68e81566c Mon Sep 17 00:00:00 2001 
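Review bot: `OUTPUT_OMIT_REGEX.replace_all(..., "")` in `get_output_str_path` removes every `../` segment from the relative path that `diff_paths` computed, so a rule living at `../../rules/x.yml` is reported as `rules/x.yml`, a location that does not exist relative to the working directory; the RulePath column then no longer identifies the file that fired, which is the value an analyst needs when going back to the rule. If the goal is only to drop a leading `./`, stripping that prefix and leaving `..` segments intact preserves a path that still resolves. The three `to_str().unwrap()` calls and `env::current_dir().unwrap()` turn a non-UTF-8 path or an unreadable working directory into a panic mid-run; `to_string_lossy()` and returning the `current_dir()` error keep the scan alive. The doc comment describes the `./`/`../` removal but not the fallback that is taken when `diff_paths` returns `None`; a line such as `/// Falls back to stripping the segments from target_path itself when no relative path to the current directory exists` would complete it.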
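Review bot: `test_get_output_relative_path` does not appear to reach the `diff_paths` branch it is meant to cover: `exist_path` is relative while `env::current_dir()` is absolute, and `pathdiff::diff_paths`, as far as I recall its contract, returns `None` when exactly one side is absolute, so the call falls through to `replace_all` on `target_path` and passes even if `test_files/rules/yaml/1.yml` does not exist. Joining the fixture onto the current directory first, `let exist_path = std::env::current_dir().unwrap().join("test_files/rules/yaml/1.yml");`, exercises the relative-path computation, and a second assertion with an absolute `option_path` would pin the other branch.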
From: DastInDark <2350416+hitenkoku@users.noreply.github.com> Date: Mon, 18 Jul 2022 00:15:10 +0900 Subject: [PATCH 06/22] cargo fmt --- src/detections/detection.rs | 26 ++++++++++++++++++++------ src/detections/utils.rs | 17 ++++++++++++----- 2 files changed, 32 insertions(+), 11 deletions(-) diff --git a/src/detections/detection.rs b/src/detections/detection.rs index 0d5a548a..746d3dc2 100644 --- a/src/detections/detection.rs +++ b/src/detections/detection.rs @@ -1,7 +1,7 @@ extern crate csv; use crate::detections::configs; -use crate::detections::utils::{write_color_buffer, get_output_str_path}; +use crate::detections::utils::{get_output_str_path, write_color_buffer}; use termcolor::{BufferWriter, Color, ColorChoice}; use crate::detections::message::AlertMessage; @@ -255,7 +255,11 @@ impl Detection { None }; let conf = configs::CONFIG.read().unwrap(); - let abs_rule_path = &PathBuf::from(&rule.rulepath).canonicalize().unwrap().display().to_string()[4..]; + let abs_rule_path = &PathBuf::from(&rule.rulepath) + .canonicalize() + .unwrap() + .display() + .to_string()[4..]; let file_opt_path = if conf.args.filepath.is_some() { conf.args.filepath.as_ref().unwrap() } else { @@ -263,7 +267,10 @@ impl Detection { }; let detect_info = DetectInfo { filepath: get_output_str_path(file_opt_path, Path::new(&record_info.evtx_filepath)), - rulepath: get_output_str_path(&configs::CONFIG.read().unwrap().args.rules, Path::new(abs_rule_path)), + rulepath: get_output_str_path( + &configs::CONFIG.read().unwrap().args.rules, + Path::new(abs_rule_path), + ), level: rule.yaml["level"].as_str().unwrap_or("-").to_string(), computername: record_info.record["Event"]["System"]["Computer"] .to_string() 
@@ -307,11 +314,18 @@ impl Detection { None }; // canonicalizeを行った際に、windows環境で\\?\が必ず文字列として入ってしまう問題があったため先頭の4文字を除外している - let abs_rule_path = &PathBuf::from(&rule.rulepath).canonicalize().unwrap().display().to_string()[4..]; - + let abs_rule_path = &PathBuf::from(&rule.rulepath) + .canonicalize() + .unwrap() + .display() + .to_string()[4..]; + let detect_info = DetectInfo { filepath: "-".to_owned(), - rulepath: get_output_str_path(&configs::CONFIG.read().unwrap().args.rules, Path::new(abs_rule_path)), + rulepath: get_output_str_path( + &configs::CONFIG.read().unwrap().args.rules, + Path::new(abs_rule_path), + ), level: rule.yaml["level"].as_str().unwrap_or("").to_owned(), computername: "-".to_owned(), eventid: "-".to_owned(), diff --git a/src/detections/utils.rs b/src/detections/utils.rs index a5b1179b..3553a565 100644 --- a/src/detections/utils.rs +++ b/src/detections/utils.rs @@ -31,7 +31,8 @@ use termcolor::{BufferWriter, ColorSpec, WriteColor}; use super::detection::EvtxRecordInfo; lazy_static! { - pub static ref OUTPUT_OMIT_REGEX:Regex = Regex::new(r"\.\./|\./|\.\.\\\\|\.\\|\.\.\\").unwrap(); + pub static ref OUTPUT_OMIT_REGEX: Regex = + Regex::new(r"\.\./|\./|\.\.\\\\|\.\\|\.\.\\").unwrap(); } pub fn concat_selection_key(key_list: &[String]) -> String { @@ -400,10 +401,14 @@ pub fn get_output_str_path(option_path: &Path, target_path: &Path) -> String { target_path.to_str().unwrap().to_string() } else { let diff_path_result = diff_paths(target_path, &env::current_dir().unwrap()); - if let Some(diff_path) = diff_path_result { - OUTPUT_OMIT_REGEX.replace_all(diff_path.to_str().unwrap(), "").to_string() + if let Some(diff_path) = diff_path_result { + OUTPUT_OMIT_REGEX + .replace_all(diff_path.to_str().unwrap(), "") + .to_string() } else { - OUTPUT_OMIT_REGEX.replace_all(target_path.to_str().unwrap(), "").to_string() + OUTPUT_OMIT_REGEX + .replace_all(target_path.to_str().unwrap(), "") + .to_string() } } } 
@@ -412,7 +417,9 @@ pub fn get_output_str_path(option_path: &Path, target_path: &Path) -> String { mod tests { use std::path::Path; - use crate::detections::utils::{self, check_setting_path, make_ascii_titlecase, get_output_str_path}; + use crate::detections::utils::{ + self, check_setting_path, get_output_str_path, make_ascii_titlecase, + }; use regex::Regex; use serde_json::Value; From fa42d67bcc3652dbfdf7bffad6bd0d46a875e0be Mon Sep 17 00:00:00 2001 From: DastInDark <2350416+hitenkoku@users.noreply.github.com> Date: Mon, 18 Jul 2022 00:26:12 +0900 Subject: [PATCH 07/22] update changelog #623 --- CHANGELOG-Japanese.md | 2 ++ CHANGELOG.md | 2 ++ 2 files changed, 4 insertions(+) diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md index 5b8fbc00..48c47155 100644 --- a/CHANGELOG-Japanese.md +++ b/CHANGELOG-Japanese.md @@ -9,10 +9,12 @@ **改善:** - `--update-rules` オプションを利用する時に、更新対象のレポジトリを`--rules`オプションで指定できるようにした。 (#615) (@hitenkoku) +- ファイルへの出力時にRulePathとFilePathにおける相対パスの`./`、 `../`の出力を省略した。 `--rules`、 `--file-path`、 `--directory`のオプションで相対パスを指定したときに出力を省略する。 (#623) (@hitenkoku) **バグ修正:** - cargo runコマンドでhayabusaを実行するとconfigフォルダの読み込みエラーが発生する問題を修正した。 (#618) (@hitenkoku) +- アウトプットの出力で一部不要な `./`の表記を削除した。 (#623) (@hitenkoku) ## v1.4.1 [2022/06/30] diff --git a/CHANGELOG.md b/CHANGELOG.md index 4dbdf956..3eafedd7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,10 +9,12 @@ **Enhancements:** - Combining the two options, you can now update rules with `--update-rules` option to a custom rules directory with the `--rules` option. (#615) (@hitenkoku) +- Ommited RulePath and FilePath relative path options in output file when `--rules` and `--file-path` and `--directory` option is relative path. (#623) (@hitenkoku) **Bug Fixes:** - Fixed error due to the files in the config folder cannot be read. (#618) (@hitenkoku) +- removed unnecessary `./` in output. (#623) (@hitenkoku) ## v1.4.1 [2022/06/30] From da8f5ff26ce4c814b8792138a346db1fe7d2c7e4 Mon Sep 17 00:00:00 2001 
From: DastInDark <2350416+hitenkoku@users.noreply.github.com> Date: Mon, 18 Jul 2022 00:29:44 +0900 Subject: [PATCH 08/22] updated changelog due to additional ommission to other issue #479 --- CHANGELOG-Japanese.md | 1 + CHANGELOG.md | 1 + 2 files changed, 2 insertions(+) diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md index 48c47155..db03940d 100644 --- a/CHANGELOG-Japanese.md +++ b/CHANGELOG-Japanese.md @@ -9,6 +9,7 @@ **改善:** - `--update-rules` オプションを利用する時に、更新対象のレポジトリを`--rules`オプションで指定できるようにした。 (#615) (@hitenkoku) +- 並列処理の改善による高速化。 (#479) (@kazuminn) - ファイルへの出力時にRulePathとFilePathにおける相対パスの`./`、 `../`の出力を省略した。 `--rules`、 `--file-path`、 `--directory`のオプションで相対パスを指定したときに出力を省略する。 (#623) (@hitenkoku) **バグ修正:** diff --git a/CHANGELOG.md b/CHANGELOG.md index 3eafedd7..94a0e539 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,6 +9,7 @@ **Enhancements:** - Combining the two options, you can now update rules with `--update-rules` option to a custom rules directory with the `--rules` option. (#615) (@hitenkoku) +- Improve parallel processing. (#479) (@kazuminn) - Ommited RulePath and FilePath relative path options in output file when `--rules` and `--file-path` and `--directory` option is relative path. (#623) (@hitenkoku) **Bug Fixes:** From 564500b52d1ee9c72717f691032e0d76570c6f89 Mon Sep 17 00:00:00 2001 From: DastInDark <2350416+hitenkoku@users.noreply.github.com> Date: Mon, 18 Jul 2022 13:14:38 +0900 Subject: [PATCH 09/22] removed unnecessary omit regex #623 --- src/detections/utils.rs | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/detections/utils.rs b/src/detections/utils.rs index 3553a565..f9d7071a 100644 --- a/src/detections/utils.rs +++ b/src/detections/utils.rs 
@@ -31,8 +31,7 @@ use termcolor::{BufferWriter, ColorSpec, WriteColor}; use super::detection::EvtxRecordInfo; lazy_static! { - pub static ref OUTPUT_OMIT_REGEX: Regex = - Regex::new(r"\.\./|\./|\.\.\\\\|\.\\|\.\.\\").unwrap(); + pub static ref OUTPUT_OMIT_REGEX: Regex = Regex::new(r"\.\./|\./|\.\\|\.\.\\").unwrap(); } pub fn concat_selection_key(key_list: &[String]) -> String { From 00cd26eaeb228a43ccec068fb7388ccefa6ff1df Mon Sep 17 00:00:00 2001 From: DastInDark <2350416+hitenkoku@users.noreply.github.com> Date: Mon, 18 Jul 2022 13:30:38 +0900 Subject: [PATCH 10/22] Due to path.is_absolute is not check included relative path in absolute path. --- src/detections/utils.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/detections/utils.rs b/src/detections/utils.rs index f9d7071a..2f38de0a 100644 --- a/src/detections/utils.rs +++ b/src/detections/utils.rs @@ -396,7 +396,7 @@ pub fn check_setting_path(base_path: &Path, path: &str) -> PathBuf { /// 与えられたoption_pathが相対パスであるかを確認し、絶対パスであればそのまま絶対パスのまま文字列として返却を行い、 /// 相対パスであれば、カレントディレクトリとの相対パスの文字列から不要な(./、../)を除外した文字列を返却する関数 pub fn get_output_str_path(option_path: &Path, target_path: &Path) -> String { - if option_path.is_absolute() { + if option_path.is_absolute() && !OUTPUT_OMIT_REGEX.is_match(option_path.to_str().unwrap()) { target_path.to_str().unwrap().to_string() } else { let diff_path_result = diff_paths(target_path, &env::current_dir().unwrap()); From b97de6b588c6104b76990df5904756d3d0f91de7 Mon Sep 17 00:00:00 2001 From: DastInDark <2350416+hitenkoku@users.noreply.github.com> Date: Mon, 18 Jul 2022 21:55:04 +0900 Subject: [PATCH 11/22] revert file path display relative path #623 --- src/detections/detection.rs | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/src/detections/detection.rs b/src/detections/detection.rs index 746d3dc2..706869cd 100644 --- a/src/detections/detection.rs +++ b/src/detections/detection.rs 
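Review bot: The new guard runs `OUTPUT_OMIT_REGEX` over `option_path` (the `--rules` value) while the string that is actually emitted is `target_path`, so an absolute `--rules` without dot segments still returns `target_path` verbatim whatever it contains, and a value such as `/opt/hayabusa/../rules` now routes every rule through the relative branch. If the aim is to detect `..` inside an otherwise absolute option path, `option_path.components().any(|c| c == std::path::Component::ParentDir)` does that on components and avoids the `to_str().unwrap()` panic on a non-UTF-8 path. The motivation lives only in the commit message; a comment above the condition, `// an absolute --rules value may still contain ../ segments, which is_absolute() does not reject`, would save the next reader a git blame.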
@@ -254,19 +254,13 @@ impl Detection { } else { None }; - let conf = configs::CONFIG.read().unwrap(); let abs_rule_path = &PathBuf::from(&rule.rulepath) .canonicalize() .unwrap() .display() .to_string()[4..]; - let file_opt_path = if conf.args.filepath.is_some() { - conf.args.filepath.as_ref().unwrap() - } else { - conf.args.directory.as_ref().unwrap() - }; let detect_info = DetectInfo { - filepath: get_output_str_path(file_opt_path, Path::new(&record_info.evtx_filepath)), + filepath: record_info.evtx_filepath.to_string(), rulepath: get_output_str_path( &configs::CONFIG.read().unwrap().args.rules, Path::new(abs_rule_path), From 45f49682d50c88ab61c9a14a59d4922f8c841302 Mon Sep 17 00:00:00 2001 From: DastInDark <2350416+hitenkoku@users.noreply.github.com> Date: Mon, 18 Jul 2022 22:29:06 +0900 Subject: [PATCH 12/22] fixed display relative path processing #623 --- src/detections/detection.rs | 7 +------ src/detections/utils.rs | 20 ++++++++++---------- 2 files changed, 11 insertions(+), 16 deletions(-) diff --git a/src/detections/detection.rs b/src/detections/detection.rs index 706869cd..43488751 100644 --- a/src/detections/detection.rs +++ b/src/detections/detection.rs @@ -254,16 +254,11 @@ impl Detection { } else { None }; - let abs_rule_path = &PathBuf::from(&rule.rulepath) - .canonicalize() - .unwrap() - .display() - .to_string()[4..]; let detect_info = DetectInfo { filepath: record_info.evtx_filepath.to_string(), rulepath: get_output_str_path( &configs::CONFIG.read().unwrap().args.rules, - Path::new(abs_rule_path), + Path::new(&rule.rulepath), ), level: rule.yaml["level"].as_str().unwrap_or("-").to_string(), computername: record_info.record["Event"]["System"]["Computer"] diff --git a/src/detections/utils.rs b/src/detections/utils.rs index 2f38de0a..37570ab5 100644 --- a/src/detections/utils.rs +++ b/src/detections/utils.rs 
@@ -31,7 +31,8 @@ use termcolor::{BufferWriter, ColorSpec, WriteColor}; use super::detection::EvtxRecordInfo; lazy_static! { - pub static ref OUTPUT_OMIT_REGEX: Regex = Regex::new(r"\.\./|\./|\.\\|\.\.\\").unwrap(); + pub static ref OUTPUT_OMIT_REGEX: Regex = + Regex::new(r"\.\./|\./|\.\\|\.\.\\|\\\\\?\\").unwrap(); } pub fn concat_selection_key(key_list: &[String]) -> String { @@ -396,20 +397,19 @@ pub fn check_setting_path(base_path: &Path, path: &str) -> PathBuf { /// 与えられたoption_pathが相対パスであるかを確認し、絶対パスであればそのまま絶対パスのまま文字列として返却を行い、 /// 相対パスであれば、カレントディレクトリとの相対パスの文字列から不要な(./、../)を除外した文字列を返却する関数 pub fn get_output_str_path(option_path: &Path, target_path: &Path) -> String { - if option_path.is_absolute() && !OUTPUT_OMIT_REGEX.is_match(option_path.to_str().unwrap()) { - target_path.to_str().unwrap().to_string() + let ret_path = if option_path.is_absolute() + || !OUTPUT_OMIT_REGEX.is_match(target_path.to_str().unwrap()) + { + target_path.canonicalize().unwrap().display().to_string() } else { let diff_path_result = diff_paths(target_path, &env::current_dir().unwrap()); if let Some(diff_path) = diff_path_result { - OUTPUT_OMIT_REGEX - .replace_all(diff_path.to_str().unwrap(), "") - .to_string() + diff_path.display().to_string() } else { - OUTPUT_OMIT_REGEX - .replace_all(target_path.to_str().unwrap(), "") - .to_string() + target_path.display().to_string() } - } + }; + OUTPUT_OMIT_REGEX.replace_all(&ret_path, "").to_string() } #[cfg(test)] From 2f174104fcc0883697c67cd357321960cfea03c2 Mon Sep 17 00:00:00 2001 From: DastInDark <2350416+hitenkoku@users.noreply.github.com> Date: Mon, 18 Jul 2022 22:36:28 +0900 Subject: [PATCH 13/22] Change: evtx file value do not display relative path convert. #623 --- CHANGELOG-Japanese.md | 2 +- CHANGELOG.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md index db03940d..1208512c 100644 --- a/CHANGELOG-Japanese.md +++ b/CHANGELOG-Japanese.md 
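Review bot: The rewritten condition `option_path.is_absolute() || !OUTPUT_OMIT_REGEX.is_match(...)` canonicalizes the target whenever its string contains no `./` or `../`, so if rule paths are ever collected as `rules/foo.yml` under a relative `--rules rules` they come out absolute while `./rules/foo.yml` comes out relative; the result depends on how the path string was spelled rather than on the option, which contradicts the unchanged doc comment two lines up that describes only the `option_path` test. `target_path.canonicalize().unwrap()` also panics if the rule file has been removed or made unreadable between loading and output, where the earlier code used the string as given; `target_path.canonicalize().unwrap_or_else(|_| target_path.to_path_buf()).display().to_string()` degrades gracefully. Since the final `replace_all` now also strips `\\?\`, the regex hunk above deserves a line such as `// also removes the Windows verbatim prefix that canonicalize() prepends`.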
@@ -10,7 +10,7 @@ - `--update-rules` オプションを利用する時に、更新対象のレポジトリを`--rules`オプションで指定できるようにした。 (#615) (@hitenkoku) - 並列処理の改善による高速化。 (#479) (@kazuminn) -- ファイルへの出力時にRulePathとFilePathにおける相対パスの`./`、 `../`の出力を省略した。 `--rules`、 `--file-path`、 `--directory`のオプションで相対パスを指定したときに出力を省略する。 (#623) (@hitenkoku) +- ファイルへの出力時にRulePathとFilePathにおける相対パスの`./`、 `../`の出力を省略した。 `--rules`の値が相対パスの時に出力を省略する。 (#623) (@hitenkoku) **バグ修正:** diff --git a/CHANGELOG.md b/CHANGELOG.md index 94a0e539..01c88a14 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,7 +10,7 @@ - Combining the two options, you can now update rules with `--update-rules` option to a custom rules directory with the `--rules` option. (#615) (@hitenkoku) - Improve parallel processing. (#479) (@kazuminn) -- Ommited RulePath and FilePath relative path options in output file when `--rules` and `--file-path` and `--directory` option is relative path. (#623) (@hitenkoku) +- Ommited RulePath and FilePath relative path options in output file when `--rules` option value is relative path. (#623) (@hitenkoku) **Bug Fixes:** From cc323376b91a85415b016977875678ac2c9c18cb Mon Sep 17 00:00:00 2001 From: Tanaka Zakku <71482215+YamatoSecurity@users.noreply.github.com> Date: Tue, 19 Jul 2022 10:43:07 +0900 Subject: [PATCH 14/22] update changelog and cargo --- CHANGELOG.md | 13 ++++--------- Cargo.lock | 14 +++++++------- 2 files changed, 11 insertions(+), 16 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 01c88a14..0406366f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -2,20 +2,15 @@ ## v1.4.2 [2022/07/XX] -**New Features:** - -- XXX - **Enhancements:** -- Combining the two options, you can now update rules with `--update-rules` option to a custom rules directory with the `--rules` option. (#615) (@hitenkoku) -- Improve parallel processing. (#479) (@kazuminn) -- Ommited RulePath and FilePath relative path options in output file when `--rules` option value is relative path. (#623) (@hitenkoku) +- You can now update rules to a custom directory by combining the `--update-rules` and `--rules` options. (#615) (@hitenkoku) +- Improved speed with parallel processing by up to 20% with large files. (#479) (@kazuminn) +- The `.yml` rule path (RulePath) saved with `-o` now outputs just the relative directory instead of the absolute directory to decrease memory usage and file size. (#623) (@hitenkoku) **Bug Fixes:** -- Fixed error due to the files in the config folder cannot be read. (#618) (@hitenkoku) -- removed unnecessary `./` in output. (#623) (@hitenkoku) +- Fixed a runtime error when hayabusa is run from a different path than the current directory. (#618) (@hitenkoku) ## v1.4.1 [2022/06/30] diff --git a/Cargo.lock b/Cargo.lock index 04cab68c..5993f48a 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -529,7 +529,7 @@ dependencies = [ [[package]] name = "evtx" version = "0.7.3" -source = "git+https://github.com/Yamato-Security/hayabusa-evtx.git#7a734d0eb884bba4ce81f1bddbfdb4644c9e74e3" +source = "git+https://github.com/Yamato-Security/hayabusa-evtx.git#8c3a7927d88972424574d1473ada5b76c8e98269" dependencies = [ "anyhow", "bitflags", 
@@ -697,9 +697,9 @@ checksum = "9b919933a397b79c37e33b77bb2aa3dc8eb6e165ad809e58ff75bc7db2e34574" [[package]] name = "hashbrown" -version = "0.12.2" +version = "0.12.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "607c8a29735385251a339424dd462993c0fed8fa09d378f259377df08c126022" +checksum = "8a9ee70c43aaf417c914396645a0fa852624801b24ebb7ae78fe8272889ac888" dependencies = [ "ahash", ] @@ -1220,9 +1220,9 @@ dependencies = [ [[package]] name = "os_str_bytes" -version = "6.1.0" +version = "6.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "21326818e99cfe6ce1e524c2a805c189a99b5ae555a35d19f9a284b427d86afa" +checksum = "648001efe5d5c0102d8cea768e348da85d90af8ba91f0bea908f157951493cd4" [[package]] name = "parking_lot" @@ -1984,9 +1984,9 @@ checksum = "099b7128301d285f79ddd55b9a83d5e6b9e97c92e0ea0daebee7263e932de992" [[package]] name = "unicode-ident" -version = "1.0.1" +version = "1.0.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5bd2fe26506023ed7b5e1e315add59d6f584c621d037f9368fea9cfb988f368c" +checksum = "15c61ba63f9235225a22310255a29b806b907c9b8c964bcbd0a2c70f3f2deea7" [[package]] name = "unicode-normalization" From 286737d5bb0fbab967d0079b8d98a60c181b0c4a Mon Sep 17 00:00:00 2001 From: Tanaka Zakku <71482215+YamatoSecurity@users.noreply.github.com> Date: Tue, 19 Jul 2022 10:43:47 +0900 Subject: [PATCH 15/22] changelog update --- CHANGELOG-Japanese.md | 1 - 1 file changed, 1 deletion(-) diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md index 1208512c..cd672006 100644 --- a/CHANGELOG-Japanese.md +++ b/CHANGELOG-Japanese.md @@ -15,7 +15,6 @@ **バグ修正:** - cargo runコマンドでhayabusaを実行するとconfigフォルダの読み込みエラーが発生する問題を修正した。 (#618) (@hitenkoku) -- アウトプットの出力で一部不要な `./`の表記を削除した。 (#623) (@hitenkoku) ## v1.4.1 [2022/06/30] From 591e7f18f174417b98c9b7faf66b517c59c67a85 Mon Sep 17 00:00:00 2001 
From: DastInDark <2350416+hitenkoku@users.noreply.github.com> Date: Tue, 19 Jul 2022 22:19:58 +0900 Subject: [PATCH 16/22] changed rule path to rule file name #623 --- src/afterfact.rs | 7 ++++--- src/detections/detection.rs | 16 ++-------------- 2 files changed, 6 insertions(+), 17 deletions(-) diff --git a/src/afterfact.rs b/src/afterfact.rs index 425b5137..3d2d25bc 100644 --- a/src/afterfact.rs +++ b/src/afterfact.rs @@ -21,6 +21,7 @@ use std::fs::File; use std::io; use std::io::BufWriter; use std::io::Write; +use std::path::Path; use std::process; use termcolor::{BufferWriter, Color, ColorChoice, ColorSpec, WriteColor}; use terminal_size::Width; @@ -40,7 +41,7 @@ pub struct CsvFormat<'a> { details: &'a str, #[serde(skip_serializing_if = "Option::is_none")] record_information: Option<&'a str>, - rule_path: &'a str, + rule_file: &'a str, file_path: &'a str, } @@ -318,7 +319,7 @@ fn emit_csv( details: &detect_info.detail, record_information: detect_info.record_information.as_deref(), file_path: &detect_info.filepath, - rule_path: &detect_info.rulepath, + rule_file: Path::new(&detect_info.rulepath).file_name().unwrap().to_str().unwrap(), record_i_d: detect_info.record_id.as_deref(), })?; } @@ -782,7 +783,7 @@ mod tests { .unwrap(); let expect_tz = expect_time.with_timezone(&Local); let expect = - "Timestamp,Computer,Channel,EventID,Level,MitreAttack,RecordID,RuleTitle,Details,RecordInformation,RulePath,FilePath\n" + "Timestamp,Computer,Channel,EventID,Level,MitreAttack,RecordID,RuleTitle,Details,RecordInformation,RuleFile,FilePath\n" .to_string() + &expect_tz .clone() diff --git a/src/detections/detection.rs b/src/detections/detection.rs index 43488751..76bf1275 100644 --- a/src/detections/detection.rs +++ b/src/detections/detection.rs 
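Review bot: `Path::new(&detect_info.rulepath).file_name().unwrap().to_str().unwrap()` in `emit_csv` panics when a rule path ends in `..` or is empty (`file_name()` is `None`) or carries a non-UTF-8 name, so a single odd path aborts the CSV write after detection has already completed. `Path::new(&detect_info.rulepath).file_name().and_then(|f| f.to_str()).unwrap_or(&detect_info.rulepath)` falls back to the full path instead. Reducing the column to the bare file name also makes two rules with the same name in different directories indistinguishable in the report; if that trade-off is accepted, the `RulePath` to `RuleFile` header rename pinned in the test below is an output-format change that any consumer keyed on the old column name will notice and that belongs in the changelog. `emit_csv` starts and ends outside the hunk.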
@@ -256,10 +256,7 @@ impl Detection { }; let detect_info = DetectInfo { filepath: record_info.evtx_filepath.to_string(), - rulepath: get_output_str_path( - &configs::CONFIG.read().unwrap().args.rules, - Path::new(&rule.rulepath), - ), + rulepath: (&rule.rulepath).to_owned(), level: rule.yaml["level"].as_str().unwrap_or("-").to_string(), computername: record_info.record["Event"]["System"]["Computer"] .to_string() @@ -302,19 +299,10 @@ impl Detection { } else { None }; - // canonicalizeを行った際に、windows環境で\\?\が必ず文字列として入ってしまう問題があったため先頭の4文字を除外している - let abs_rule_path = &PathBuf::from(&rule.rulepath) - .canonicalize() - .unwrap() - .display() - .to_string()[4..]; let detect_info = DetectInfo { filepath: "-".to_owned(), - rulepath: get_output_str_path( - &configs::CONFIG.read().unwrap().args.rules, - Path::new(abs_rule_path), - ), + rulepath: (&rule.rulepath).to_owned(), level: rule.yaml["level"].as_str().unwrap_or("").to_owned(), computername: "-".to_owned(), eventid: "-".to_owned(), From cbf96a47436ef0a381a9d897a884a734e51458ea Mon Sep 17 00:00:00 2001 From: DastInDark <2350416+hitenkoku@users.noreply.github.com> Date: Tue, 19 Jul 2022 22:20:38 +0900 Subject: [PATCH 17/22] removed unnecessary processing due to change rule path to rule file #623 --- src/detections/detection.rs | 4 ++-- src/detections/utils.rs | 38 +------------------------------------ 2 files changed, 3 insertions(+), 39 deletions(-) diff --git a/src/detections/detection.rs b/src/detections/detection.rs index 76bf1275..c5e6ff47 100644 --- a/src/detections/detection.rs +++ b/src/detections/detection.rs @@ -1,7 +1,7 @@ extern crate csv; use crate::detections::configs; -use crate::detections::utils::{get_output_str_path, write_color_buffer}; +use crate::detections::utils::write_color_buffer; use termcolor::{BufferWriter, Color, ColorChoice}; use crate::detections::message::AlertMessage; 
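Review bot: `rulepath: (&rule.rulepath).to_owned()` takes a reference only to call `to_owned` through it, a form clippy generally reports as a needless borrow; `rule.rulepath.to_owned()` or `rule.rulepath.clone()` reads as the plain copy it is. The same form appears in the second hunk at line 299. Both enclosing methods start and end outside the hunks.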
@@ -22,7 +22,7 @@ use hashbrown; use hashbrown::HashMap; use serde_json::Value; use std::fmt::Write; -use std::path::{Path, PathBuf}; +use std::path::{Path}; use std::sync::Arc; use tokio::{runtime::Runtime, spawn, task::JoinHandle}; diff --git a/src/detections/utils.rs b/src/detections/utils.rs index 37570ab5..5a0282aa 100644 --- a/src/detections/utils.rs +++ b/src/detections/utils.rs @@ -4,12 +4,9 @@ extern crate regex; use crate::detections::configs; use crate::detections::configs::CURRENT_EXE_PATH; -use std::env; use std::path::Path; use std::path::PathBuf; -use lazy_static::lazy_static; -use pathdiff::diff_paths; use termcolor::Color; use tokio::runtime::Builder; @@ -30,11 +27,6 @@ use termcolor::{BufferWriter, ColorSpec, WriteColor}; use super::detection::EvtxRecordInfo; -lazy_static! { - pub static ref OUTPUT_OMIT_REGEX: Regex = - Regex::new(r"\.\./|\./|\.\\|\.\.\\|\\\\\?\\").unwrap(); -} - pub fn concat_selection_key(key_list: &[String]) -> String { return key_list .iter() 
@@ -394,30 +386,12 @@ pub fn check_setting_path(base_path: &Path, path: &str) -> PathBuf { } } -/// 与えられたoption_pathが相対パスであるかを確認し、絶対パスであればそのまま絶対パスのまま文字列として返却を行い、 -/// 相対パスであれば、カレントディレクトリとの相対パスの文字列から不要な(./、../)を除外した文字列を返却する関数 -pub fn get_output_str_path(option_path: &Path, target_path: &Path) -> String { - let ret_path = if option_path.is_absolute() - || !OUTPUT_OMIT_REGEX.is_match(target_path.to_str().unwrap()) - { - target_path.canonicalize().unwrap().display().to_string() - } else { - let diff_path_result = diff_paths(target_path, &env::current_dir().unwrap()); - if let Some(diff_path) = diff_path_result { - diff_path.display().to_string() - } else { - target_path.display().to_string() - } - }; - OUTPUT_OMIT_REGEX.replace_all(&ret_path, "").to_string() -} - #[cfg(test)] mod tests { use std::path::Path; use crate::detections::utils::{ - self, check_setting_path, get_output_str_path, make_ascii_titlecase, + self, check_setting_path, make_ascii_titlecase, }; use regex::Regex; use serde_json::Value; @@ -607,14 +581,4 @@ mod tests { "fake" ); } - - #[test] - /// 与えられた相対パスから不要な表記("./", "../")削除を確認するテスト - fn test_get_output_relative_path() { - let exist_path = Path::new("./test_files/rules/yaml/1.yml").to_path_buf(); - assert_eq!( - get_output_str_path(Path::new("."), &exist_path), - "test_files/rules/yaml/1.yml" - ); - } } From 058537d93d1ddbd9d88511f1c3df6e0243b11d0f Mon Sep 17 00:00:00 2001 From: DastInDark <2350416+hitenkoku@users.noreply.github.com> Date: Tue, 19 Jul 2022 22:22:18 +0900 Subject: [PATCH 18/22] removed unused crate #623 --- Cargo.lock | 7 ------- Cargo.toml | 1 - 2 files changed, 8 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 5993f48a..9cb5111c 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -731,7 +731,6 @@ dependencies = [ "lock_api", "num_cpus", "openssl", - "pathdiff", "pbr", "prettytable-rs", "quick-xml", 
@@ -1247,12 +1246,6 @@ dependencies = [ "windows-sys", ] -[[package]] -name = "pathdiff" -version = "0.2.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8835116a5c179084a830efb3adc117ab007512b535bc1a21c991d3b32a6b44dd" - [[package]] name = "pbr" version = "1.0.4" diff --git a/Cargo.toml b/Cargo.toml index e64942a6..9be76e07 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -37,7 +37,6 @@ bytesize = "1.*" hyper = "0.14.*" lock_api = "0.4.*" crossbeam-utils = "0.8.*" -pathdiff = "*" [target.'cfg(windows)'.dependencies] is_elevated = "0.1.*" From bed2656c5c00afaeb2eee77a121e36c59ff3016d Mon Sep 17 00:00:00 2001 From: DastInDark <2350416+hitenkoku@users.noreply.github.com> Date: Tue, 19 Jul 2022 22:22:49 +0900 Subject: [PATCH 19/22] cargo fmt --- src/afterfact.rs | 6 +++++- src/detections/detection.rs | 2 +- src/detections/utils.rs | 4 +--- 3 files changed, 7 insertions(+), 5 deletions(-) diff --git a/src/afterfact.rs b/src/afterfact.rs index 3d2d25bc..3714b088 100644 --- a/src/afterfact.rs +++ b/src/afterfact.rs @@ -319,7 +319,11 @@ fn emit_csv( details: &detect_info.detail, record_information: detect_info.record_information.as_deref(), file_path: &detect_info.filepath, - rule_file: Path::new(&detect_info.rulepath).file_name().unwrap().to_str().unwrap(), + rule_file: Path::new(&detect_info.rulepath) + .file_name() + .unwrap() + .to_str() + .unwrap(), record_i_d: detect_info.record_id.as_deref(), })?; } diff --git a/src/detections/detection.rs b/src/detections/detection.rs index c5e6ff47..91fd7f02 100644 --- a/src/detections/detection.rs +++ b/src/detections/detection.rs @@ -22,7 +22,7 @@ use hashbrown; use hashbrown::HashMap; use serde_json::Value; use std::fmt::Write; -use std::path::{Path}; +use std::path::Path; use std::sync::Arc; use tokio::{runtime::Runtime, spawn, task::JoinHandle}; diff --git a/src/detections/utils.rs b/src/detections/utils.rs index 5a0282aa..1dec5959 100644 --- a/src/detections/utils.rs +++ b/src/detections/utils.rs 
@@ -390,9 +390,7 @@ pub fn check_setting_path(base_path: &Path, path: &str) -> PathBuf { mod tests { use std::path::Path; - use crate::detections::utils::{ - self, check_setting_path, make_ascii_titlecase, - }; + use crate::detections::utils::{self, check_setting_path, make_ascii_titlecase}; use regex::Regex; use serde_json::Value; From fe102e6d2398ebcfcfdbb10986cdef7fc836a384 Mon Sep 17 00:00:00 2001 From: DastInDark <2350416+hitenkoku@users.noreply.github.com> Date: Tue, 19 Jul 2022 22:30:43 +0900 Subject: [PATCH 20/22] updated changelog #623 --- CHANGELOG-Japanese.md | 6 +----- CHANGELOG.md | 2 +- 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md index cd672006..3e472a16 100644 --- a/CHANGELOG-Japanese.md +++ b/CHANGELOG-Japanese.md @@ -2,15 +2,11 @@ ## v1.4.2 [2022/07/XX] -**新機能:** - -- XXX - **改善:** - `--update-rules` オプションを利用する時に、更新対象のレポジトリを`--rules`オプションで指定できるようにした。 (#615) (@hitenkoku) - 並列処理の改善による高速化。 (#479) (@kazuminn) -- ファイルへの出力時にRulePathとFilePathにおける相対パスの`./`、 `../`の出力を省略した。 `--rules`の値が相対パスの時に出力を省略する。 (#623) (@hitenkoku) +- `--output`オプションを利用したときのRulePathをRuleFileに変更した。RuleFileは出力するファイルの容量を低減させるためにファイル名のみを出力するようにした。 (#623) (@hitenkoku) **バグ修正:** diff --git a/CHANGELOG.md b/CHANGELOG.md index 0406366f..8853df37 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,7 +6,7 @@ - You can now update rules to a custom directory by combining the `--update-rules` and `--rules` options. (#615) (@hitenkoku) - Improved speed with parallel processing by up to 20% with large files. (#479) (@kazuminn) -- The `.yml` rule path (RulePath) saved with `-o` now outputs just the relative directory instead of the absolute directory to decrease memory usage and file size. (#623) (@hitenkoku) +- The `.yml` rule path (changed from RulePath to RuleFile) saved with `-o` now outputs to decrease memory usage and file size. (#623) (@hitenkoku) **Bug Fixes:** From 3312572bb890962218affbee5150f28ba6c1d057 Mon Sep 17 00:00:00 2001 
From: Tanaka Zakku <71482215+YamatoSecurity@users.noreply.github.com> Date: Wed, 20 Jul 2022 03:56:08 +0900 Subject: [PATCH 21/22] update readme EvtxFile --- Cargo.lock | 4 ++-- README-Japanese.md | 4 ++-- README.md | 4 ++-- src/afterfact.rs | 2 +- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 9cb5111c..22da4f7d 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -133,9 +133,9 @@ checksum = "14c189c53d098945499cdfa7ecc63567cf3886b3332b312a5b4585d8d3a6a610" [[package]] name = "bytes" -version = "1.1.0" +version = "1.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c4872d67bab6358e59559027aa3b9157c53d9358c51423c17554809a8858e0f8" +checksum = "f0b3de4a0c5e67e16066a0715723abd91edc2f9001d09c46e1dca929351e130e" [[package]] name = "bytesize" diff --git a/README-Japanese.md b/README-Japanese.md index 2e8470fc..b0ea5a95 100644 --- a/README-Japanese.md +++ b/README-Japanese.md @@ -512,8 +512,8 @@ Hayabusaの結果を標準出力に表示しているとき(デフォルト) CSVファイルとして保存する場合、以下の列が追加されます: * `MitreAttack`: MITRE ATT&CKの戦術。 -* `Rule Path`: アラートまたはイベントを生成した検知ルールへのパス。 -* `File Path`: アラートまたはイベントを起こしたevtxファイルへのパス。 +* `RuleFile`: アラートまたはイベントを生成した検知ルールのファイル名。 +* `EvtxFile`: アラートまたはイベントを起こしたevtxファイルへのパス。 `-F`もしくは`--full-data`オプションを指定した場合、全てのフィールド情報が`RecordInformation`カラムにで出力されます。 diff --git a/README.md b/README.md index 1e26a122..44b9753c 100644 --- a/README.md +++ b/README.md 
@@ -509,8 +509,8 @@ When hayabusa output is being displayed to the screen (the default), it will dis The following additional columns will be added to the output when saving to a CSV file: * `MitreAttack`: MITRE ATT&CK tactics. -* `Rule Path`: The path to the detection rule that generated the alert or event. -* `File Path`: The path to the evtx file that caused the alert or event. +* `RuleFile`: The filename of the detection rule that generated the alert or event. +* `EvtxFile`: The path to the evtx file that caused the alert or event. If you add the `-F` or `--full-data` option, a `RecordInformation` column with all field information will also be added. diff --git a/src/afterfact.rs b/src/afterfact.rs index 3714b088..1e5691bb 100644 --- a/src/afterfact.rs +++ b/src/afterfact.rs @@ -787,7 +787,7 @@ mod tests { .unwrap(); let expect_tz = expect_time.with_timezone(&Local); let expect = - "Timestamp,Computer,Channel,EventID,Level,MitreAttack,RecordID,RuleTitle,Details,RecordInformation,RuleFile,FilePath\n" + "Timestamp,Computer,Channel,EventID,Level,MitreAttack,RecordID,RuleTitle,Details,RecordInformation,RuleFile,EvtxFile\n" .to_string() + &expect_tz .clone() From 2f8bb69055fa15ef10f66291062e00fb0bc4f95c Mon Sep 17 00:00:00 2001 From: DastInDark <2350416+hitenkoku@users.noreply.github.com> Date: Sat, 23 Jul 2022 21:49:14 +0900 Subject: [PATCH 22/22] fixed error --- src/afterfact.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/afterfact.rs b/src/afterfact.rs index 1e5691bb..9c36de16 100644 --- a/src/afterfact.rs +++ b/src/afterfact.rs @@ -42,7 +42,7 @@ pub struct CsvFormat<'a> { #[serde(skip_serializing_if = "Option::is_none")] record_information: Option<&'a str>, rule_file: &'a str, - file_path: &'a str, + evtx_file: &'a str, } #[derive(Debug, Serialize)] 
@@ -318,7 +318,7 @@ fn emit_csv( rule_title: &detect_info.alert, details: &detect_info.detail, record_information: detect_info.record_information.as_deref(), - file_path: &detect_info.filepath, + evtx_file: &detect_info.filepath, rule_file: Path::new(&detect_info.rulepath) .file_name() .unwrap()