Merge pull request #59 from YamatoSecurity/feature/issue#57

Feature/issue#57
This commit is contained in:
ichiichi
2021-02-27 11:15:29 +09:00
committed by GitHub
3 changed files with 13 additions and 19 deletions


@@ -85,14 +85,12 @@ fn test_emit_csv() {
"CommandLine": "hoge" "CommandLine": "hoge"
}, },
"System": { "System": {
"TimeCreated": { "TimeCreated_attributes": {
"#attributes":{
"SystemTime": "1996-02-27T01:05:01Z" "SystemTime": "1996-02-27T01:05:01Z"
} }
} }
} }
} }
}
"##; "##;
let event: Value = serde_json::from_str(val).unwrap(); let event: Value = serde_json::from_str(val).unwrap();
messages.insert(&event, "test".to_string(), "pokepoke".to_string()); messages.insert(&event, "test".to_string(), "pokepoke".to_string());


@@ -5,7 +5,7 @@ use crate::detections::rule;
use crate::detections::rule::RuleNode; use crate::detections::rule::RuleNode;
use crate::yaml::ParseYaml; use crate::yaml::ParseYaml;
use evtx::err; use evtx::err;
use evtx::{EvtxParser, SerializedEvtxRecord}; use evtx::{EvtxParser, ParserSettings, SerializedEvtxRecord};
use serde_json::{Error, Value}; use serde_json::{Error, Value};
use std::path::PathBuf; use std::path::PathBuf;
@@ -66,6 +66,9 @@ impl Detection {
} }
}) })
.map(|mut cur| { .map(|mut cur| {
let mut parse_config = ParserSettings::default();
parse_config = parse_config.separate_json_attributes(true);
cur = cur.with_configuration(parse_config);
let ret: Vec<err::Result<SerializedEvtxRecord<String>>> = let ret: Vec<err::Result<SerializedEvtxRecord<String>>> =
cur.records_json().collect(); cur.records_json().collect();
return ret; return ret;
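Review bot: The new `parse_config` binding is declared `mut` and immediately reassigned on the next line, although `separate_json_attributes` is used as a builder that returns the updated settings, so the three added lines collapse to `let parse_config = ParserSettings::default().separate_json_attributes(true);` followed by `cur = cur.with_configuration(parse_config);`. More importantly, `separate_json_attributes(true)` changes the JSON key layout that downstream readers rely on (`get_event_time` in message.rs now indexes `TimeCreated_attributes`), so any other place that constructs an `EvtxParser` without this setting would produce records whose timestamps resolve to `None` with no error; a comment at this line naming the coupling, e.g. `// must match the "<Name>_attributes" key layout read by Message::get_event_time`, or a single shared helper that builds the settings, keeps the two from drifting apart. The settings are also rebuilt for every file inside the `map` closure; if `ParserSettings` is `Clone` (it appears to be in evtx, but confirm against the pinned version) they can be built once outside the iterator chain. The enclosing `impl Detection` method starts and ends outside this hunk.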


@@ -120,8 +120,7 @@ impl Message {
} }
fn get_event_time(event_record: &Value) -> Option<DateTime<Utc>> { fn get_event_time(event_record: &Value) -> Option<DateTime<Utc>> {
let system_time = let system_time = &event_record["Event"]["System"]["TimeCreated_attributes"]["SystemTime"];
&event_record["Event"]["System"]["TimeCreated"]["#attributes"]["SystemTime"];
let system_time_str = system_time.as_str().unwrap_or(""); let system_time_str = system_time.as_str().unwrap_or("");
if system_time_str.is_empty() { if system_time_str.is_empty() {
return Option::None; return Option::None;
@@ -157,14 +156,12 @@ mod tests {
"CommandLine": "hoge" "CommandLine": "hoge"
}, },
"System": { "System": {
"TimeCreated": { "TimeCreated_attributes": {
"#attributes":{
"SystemTime": "1996-02-27T01:05:01Z" "SystemTime": "1996-02-27T01:05:01Z"
} }
} }
} }
} }
}
"##; "##;
let event_record_1: Value = serde_json::from_str(json_str_1).unwrap(); let event_record_1: Value = serde_json::from_str(json_str_1).unwrap();
message.insert( message.insert(
@@ -180,14 +177,12 @@ mod tests {
"CommandLine": "hoge" "CommandLine": "hoge"
}, },
"System": { "System": {
"TimeCreated": { "TimeCreated_attributes": {
"#attributes":{
"SystemTime": "1996-02-27T01:05:01Z" "SystemTime": "1996-02-27T01:05:01Z"
} }
} }
} }
} }
}
"##; "##;
let event_record_2: Value = serde_json::from_str(json_str_2).unwrap(); let event_record_2: Value = serde_json::from_str(json_str_2).unwrap();
message.insert( message.insert(
@@ -203,14 +198,12 @@ mod tests {
"CommandLine": "hoge" "CommandLine": "hoge"
}, },
"System": { "System": {
"TimeCreated": { "TimeCreated_attributes": {
"#attributes":{
"SystemTime": "2000-01-21T09:06:01Z" "SystemTime": "2000-01-21T09:06:01Z"
} }
} }
} }
} }
}
"##; "##;
let event_record_3: Value = serde_json::from_str(json_str_3).unwrap(); let event_record_3: Value = serde_json::from_str(json_str_3).unwrap();
message.insert( message.insert(
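Review bot: In `get_event_time`, the new path `["TimeCreated_attributes"]["SystemTime"]` is only populated when the `EvtxParser` was configured with `separate_json_attributes(true)`; since serde_json indexing of a missing key yields `Null`, a record emitted with default parser settings (the old `["TimeCreated"]["#attributes"]` layout) falls through `unwrap_or("")` and returns `None` with no diagnostic, so every event would silently lose its timestamp and any time-based ordering or correlation built on it. Add a comment at the lookup stating that contract, e.g. `// Key layout requires EvtxParser::separate_json_attributes(true); with default settings this is Null and the event gets no time.`, and consider hoisting the key literal into a shared constant so the parser configuration and this reader cannot diverge unnoticed. If the crate has a logging facility in scope (none is visible in this hunk), a warning when `system_time_str` is empty would make a schema mismatch visible instead of silent. The remainder of `get_event_time` and the test fixtures continue outside the visible lines.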