diff --git a/src/afterfact.rs b/src/afterfact.rs
index 362c7a81..fd30f2e5 100644
--- a/src/afterfact.rs
+++ b/src/afterfact.rs
@@ -1,6 +1,6 @@
 use crate::detections::configs;
 use crate::detections::print;
-use chrono::{DateTime, TimeZone, Utc};
+use chrono::Local;
 use serde::Serialize;
 use std::error::Error;
 use std::fs::File;
@@ -10,7 +10,7 @@ use std::process;
 #[derive(Debug, Serialize)]
 #[serde(rename_all = "PascalCase")]
 pub struct CsvFormat<'a> {
- time: DateTime,
+ time: &'a str,
 message: &'a str,
 }
@@ -39,9 +39,24 @@ fn emit_csv(writer: &mut Box) -> Result<(), Box> {
 let messages = print::MESSAGES.lock().unwrap();
 for (time, texts) in messages.iter() {
+ let formated_time = if configs::singleton().args.is_present("utc") {
+ if configs::singleton().args.is_present("rfc-2822") {
+ time.to_rfc2822()
+ } else {
+ time.to_rfc3339()
+ }
+ } else {
+ let time_local = time.with_timezone(&Local);
+ if configs::singleton().args.is_present("rfc-2822") {
+ time_local.to_rfc2822()
+ } else {
+ time_local.to_rfc3339()
+ }
+ };
+
 for text in texts {
 wtr.serialize(CsvFormat {
- time: *time,
+ time: &formated_time,
 message: text,
 })?;
 }
 }
@@ -78,8 +93,7 @@ fn test_emit_csv() {
 }
 let expect = "Time,Message
-1996-02-27T01:05:01Z,pokepoke
-";
+1996-02-2";
 let mut file: Box = Box::new(File::create("./test_emit_csv.csv".to_string()).unwrap());
@@ -87,7 +101,9 @@ fn test_emit_csv() {
 match read_to_string("./test_emit_csv.csv") {
 Err(_) => panic!("Failed to open file"),
- Ok(s) => assert_eq!(s, expect),
+ Ok(s) => {
+ assert_eq!(&s[0..22], expect);
+ }
 };
 assert!(remove_file("./test_emit_csv.csv").is_ok());
diff --git a/src/detections/configs.rs b/src/detections/configs.rs
index d4879f12..ef7f1d70 100644
--- a/src/detections/configs.rs
+++ b/src/detections/configs.rs
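Review bot: The three `configs::singleton().args.is_present(...)` lookups inside the new `formated_time` block run once per message, and the `rfc-2822` test is written out twice; both flags are loop-invariant, so reading them once before `for (time, texts) in messages.iter()` lets the four combinations collapse into a single `match` and removes the duplication (fixing the `formated_time` typo at the same time, with the serialize call then referencing `&formatted_time`). The branch also changes the default rendering from UTC to the zone of the host running the analysis; the RFC 3339/2822 strings still carry the offset so the instant is unambiguous, but a short comment at that point would stop the next reader from assuming it is the event source's zone. emit_csv's signature and closing brace lie outside the hunk.
```rust
let use_utc = configs::singleton().args.is_present("utc");
let use_rfc2822 = configs::singleton().args.is_present("rfc-2822");
for (time, texts) in messages.iter() {
    // "Local" is the zone of the machine running this tool, not of the event
    // source; the offset embedded in the rendered string keeps the instant exact.
    let formatted_time = match (use_utc, use_rfc2822) {
        (true, true) => time.to_rfc2822(),
        (true, false) => time.to_rfc3339(),
        (false, true) => time.with_timezone(&Local).to_rfc2822(),
        (false, false) => time.with_timezone(&Local).to_rfc3339(),
    };
    // … unchanged apart from the renamed reference: per-text CsvFormat serialize loop …
```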
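Review bot: `assert_eq!(&s[0..22], expect)` in the second test_emit_csv hunk now checks only `Time,Message\n1996-02-2`, so the test no longer verifies the message column, the full timestamp, or even the day — the default local rendering can legitimately yield `1996-02-26` or `1996-02-27` depending on the host zone, which is presumably why the expected string in the first hunk was cut at `1996-02-2`. The byte slice also panics rather than failing cleanly if the file is shorter than 22 bytes. Parsing the timestamp back and comparing the instant in UTC, then asserting the remaining column, keeps the test zone-independent without giving up coverage; the `let expect = ...` binding in the first hunk then goes away. This assumes the test runs with default flags (RFC 3339 output); test_emit_csv begins before and ends after both hunks.
```rust
Ok(s) => {
    let mut lines = s.lines();
    assert_eq!(lines.next(), Some("Time,Message"));
    let row = lines.next().expect("one data row");
    let mut cols = row.splitn(2, ',');
    let stamp = cols.next().expect("timestamp column");
    assert_eq!(cols.next(), Some("pokepoke"));
    // Compare the instant, not its rendering, so the host timezone does not matter.
    let parsed = chrono::DateTime::parse_from_rfc3339(stamp).expect("RFC 3339 timestamp");
    assert_eq!(parsed.with_timezone(&chrono::Utc).to_rfc3339(), "1996-02-27T01:05:01+00:00");
}
```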
@@ -45,11 +45,11 @@ fn build_app() -> clap::App<'static, 'static> {
 .arg(Arg::from_usage("--attackhunt=[ATTACK_HUNT] 'Attack Hunt'"))
 .arg(Arg::from_usage("--csv-timeline=[CSV_TIMELINE] 'csv output timeline'"))
 .arg(Arg::from_usage("--human-readable-timeline=[HUMAN_READABLE_TIMELINE] 'human readable timeline'"))
+ .arg(Arg::from_usage("--rfc-2822 'output date and time in RFC 2822 format. Example: Mon, 07 Aug 2006 12:34:56 -0600'"))
 .arg(Arg::from_usage("-l --lang=[LANG] 'output language'"))
- .arg(Arg::from_usage("-t --timezone=[TIMEZONE] 'timezone setting'"))
+ .arg(Arg::from_usage("-u --utc 'output time in UTC format(default: local time)'"))
 .arg(Arg::from_usage("-d --directory 'event log files directory'"))
 .arg(Arg::from_usage("-s --statistics 'event statistics'"))
- .arg(Arg::from_usage("-u --update 'signature update'"))
 .arg(Arg::from_usage("--credits 'Zachary Mathis, Akira Nishikawa'"))
 }
diff --git a/src/detections/detection.rs b/src/detections/detection.rs
index e5d215ad..b24c3ccf 100644
--- a/src/detections/detection.rs
+++ b/src/detections/detection.rs
@@ -6,7 +6,6 @@ use crate::detections::rule;
 use crate::detections::rule::RuleNode;
 use crate::yaml::ParseYaml;
-use chrono::{DateTime, FixedOffset, TimeZone, Utc};
 use evtx::EvtxParser;
 use serde_json::{Error, Value};
diff --git a/src/main.rs b/src/main.rs
index 0a66e2e7..82e5cb61 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -1,6 +1,4 @@
 extern crate serde;
-#[macro_use]
-extern crate serde_derive;
 use evtx::EvtxParser;
 use quick_xml::de::DeError;
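Review bot: The short flag `-u` is taken away from `--update` and reassigned to `--utc` in the same hunk, so a wrapper script that still passes `-u` expecting a signature update will silently get a UTC-formatted timeline instead of an error. If `--update` is gone for good, leaving `--utc` without a short form (or picking an unused letter) keeps the old invocation failing loudly; `-t --timezone` is likewise removed with no replacement and deserves a changelog line. Minor wording: `'output time in UTC format(default: local time)'` is missing a space before the parenthesis, e.g. `'output time in UTC (default: local time)'`. build_app's signature precedes the hunk.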