Merge branch 'main' into 165-customize-columns-with-output-profiles

This commit is contained in:
DustInDark
2022-08-03 10:24:20 +09:00
11 changed files with 244 additions and 104 deletions


@@ -1286,6 +1286,48 @@ mod tests {
}
}
#[test]
fn test_detect_startswith_case_insensitive() {
// startswithが大文字小文字を区別しないことを確認
let rule_str = r#"
enabled: true
detection:
selection:
Channel: Security
EventID: 4732
TargetUserName|startswith: "ADMINISTRATORS"
details: 'user added to local Administrators UserName: %MemberName% SID: %MemberSid%'
"#;
let record_json_str = r#"
{
"Event": {
"System": {
"EventID": 4732,
"Channel": "Security"
},
"EventData": {
"TargetUserName": "TestAdministrators"
}
},
"Event_attributes": {
"xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
}
}"#;
let mut rule_node = parse_rule_from_str(rule_str);
match serde_json::from_str(record_json_str) {
Ok(record) => {
let keys = detections::rule::get_detection_keys(&rule_node);
let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys);
assert!(!rule_node.select(&recinfo));
}
Err(_rec) => {
panic!("Failed to parse json record.");
}
}
}
#[test]
fn test_detect_endswith1() {
// endswithが正しく検知できることを確認
@@ -1370,6 +1412,48 @@ mod tests {
}
}
#[test]
fn test_detect_endswith_case_insensitive() {
// endswithが大文字小文字を区別せず検知するかを確認するテスト
let rule_str = r#"
enabled: true
detection:
selection:
Channel: Security
EventID: 4732
TargetUserName|endswith: "ADministRATORS"
details: 'user added to local Administrators UserName: %MemberName% SID: %MemberSid%'
"#;
let record_json_str = r#"
{
"Event": {
"System": {
"EventID": 4732,
"Channel": "Security"
},
"EventData": {
"TargetUserName": "AdministratorsTest"
}
},
"Event_attributes": {
"xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
}
}"#;
let mut rule_node = parse_rule_from_str(rule_str);
match serde_json::from_str(record_json_str) {
Ok(record) => {
let keys = detections::rule::get_detection_keys(&rule_node);
let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys);
assert!(!rule_node.select(&recinfo));
}
Err(_rec) => {
panic!("Failed to parse json record.");
}
}
}
#[test]
fn test_detect_contains1() {
// containsが正しく検知できることを確認
@@ -1454,6 +1538,48 @@ mod tests {
}
}
#[test]
fn test_detect_contains_case_insensitive() {
// containsが大文字小文字を区別せずに検知することを確認するテスト
let rule_str = r#"
enabled: true
detection:
selection:
Channel: Security
EventID: 4732
TargetUserName|contains: "ADminIstraTOrS"
details: 'user added to local Administrators UserName: %MemberName% SID: %MemberSid%'
"#;
let record_json_str = r#"
{
"Event": {
"System": {
"EventID": 4732,
"Channel": "Security"
},
"EventData": {
"TargetUserName": "Testministrators"
}
},
"Event_attributes": {
"xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
}
}"#;
let mut rule_node = parse_rule_from_str(rule_str);
match serde_json::from_str(record_json_str) {
Ok(record) => {
let keys = detections::rule::get_detection_keys(&rule_node);
let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys);
assert!(!rule_node.select(&recinfo));
}
Err(_rec) => {
panic!("Failed to parse json record.");
}
}
}
#[test]
fn test_detect_wildcard_multibyte() {
// multi byteの確認
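Review bot: None of the three new tests can fail if the modifier is actually case-sensitive, because every record value is chosen so that it does not match the rule even when case is ignored — "TestAdministrators" does not start with "administrators", "AdministratorsTest" does not end with it, and "Testministrators" does not contain it — so `assert!(!rule_node.select(&recinfo))` holds either way and the case-insensitivity the test names promise is never exercised. To pin the property, each test needs a value that matches only when case is ignored together with a positive assertion, e.g. in `test_detect_startswith_case_insensitive` use `"TargetUserName": "administratorsTest"` with `assert!(rule_node.select(&recinfo));`, and analogously `"TestADMINISTRATORS"` for the endswith test and `"TestADMINISTRATORSTest"` for the contains test. Keeping the current non-matching records as an additional negative assertion is reasonable, but without the positive case a regression to case-sensitive matching would go unnoticed. These functions sit inside `mod tests`, which starts and ends outside the hunks.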


@@ -3,9 +3,6 @@ extern crate downcast_rs;
extern crate serde;
extern crate serde_derive;
#[cfg(target_os = "windows")]
extern crate static_vcruntime;
use bytesize::ByteSize;
use chrono::{DateTime, Datelike, Local};
use evtx::{EvtxParser, ParserSettings};