feature : statusがdeprecatedなルールを読み込まない (#272)

* feature status deprecated exclude * clean * change logic and option name * fix option description
2021-12-14 18:42:23 +09:00
parent 5be79a1806
commit 7a6d264be0
3 changed files with 55 additions and 0 deletions
--- a/src/detections/configs.rs
+++ b/src/detections/configs.rs
@@ -63,6 +63,7 @@ fn build_app<'a>() -> ArgMatches<'a> {
    -s --statistics 'Prints statistics of event IDs'
    -n --show-noisyalerts 'do not exclude noisy rules'
    -t --threadnum=[NUM] 'Thread number (default: optimal number for performance)'
+    --show-deprecated 'do not exclude rules with YAML's status deprecated'
    --contributors 'Prints the list of contributors'";
    App::new(&program)
        .about("Hayabusa: Aiming to be the world's greatest Windows event log analysis tool!")
--- a/src/yaml.rs
+++ b/src/yaml.rs
@@ -152,6 +152,19 @@ impl ParseYaml {
                    }
                }

+                if !configs::CONFIG
+                    .read()
+                    .unwrap()
+                    .args
+                    .is_present("show-deprecated")
+                {
+                    let rule_status = &yaml_doc["status"].as_str();
+                    if rule_status.is_some() && rule_status.unwrap() == "deprecated" {
+                        self.ignorerule_count += 1;
+                        return Option::None;
+                    }
+                }
+
                return Option::Some((filepath, yaml_doc));
            })
            .collect();
@@ -279,4 +292,15 @@ mod tests {
            .unwrap();
        assert_eq!(yaml.ignorerule_count, 0);
    }
+    #[test]
+    fn test_exclude_deprecated_rules_file() {
+        let mut yaml = yaml::ParseYaml::new();
+        let path = Path::new("test_files/rules/deprecated");
+        let exclude_ids = RuleExclude {
+            no_use_rule: HashSet::new(),
+        };
+        yaml.read_dir(path.to_path_buf(), &"", &exclude_ids)
+            .unwrap();
+        assert_eq!(yaml.ignorerule_count, 1);
+    }
 }
--- a/test_files/rules/deprecated/1.yml
+++ b/test_files/rules/deprecated/1.yml
@@ -0,0 +1,30 @@
+title: CreateMiniDump Hacktool
+author: Florian Roth
+date: 2019/12/22
+description: Detects the use of CreateMiniDump hack tool used to dump the LSASS process
+  memory for credential extraction on the attacker's machine
+detection:
+  SELECTION_1:
+    EventID: 11
+  SELECTION_2:
+    TargetFilename: '*\lsass.dmp'
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: db2110f3-479d-42a6-94fb-d35bc1e46492
+level: high
+logsource:
+  category: file_event
+  product: windows
+modified: 2021/09/19
+references:
+- https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass
+related:
+- id: 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d
+  type: derived
+status: deprecated
+tags:
+- attack.credential_access
+- attack.t1003.001
+- attack.t1003
+ruletype: SIGMA