Merge branch 'main' into 165-customize-columns-with-output-profiles

2022-07-23 22:34:23 +09:00
parent 1db3b6f0c7 5a12aaf27a
commit 8074963a71
7 changed files with 33 additions and 31 deletions
--- a/CHANGELOG-Japanese.md
+++ b/CHANGELOG-Japanese.md
@@ -2,13 +2,11 @@

 ## v1.4.2 [2022/07/XX]

-**新機能:**
-
- XXX
-
 **改善:**

 - `--update-rules` オプションを利用する時に、更新対象のレポジトリを`--rules`オプションで指定できるようにした。 (#615) (@hitenkoku)
+- 並列処理の改善による高速化。 (#479) (@kazuminn)
+- `--output`オプションを利用したときのRulePathをRuleFileに変更した。RuleFileは出力するファイルの容量を低減させるためにファイル名のみを出力するようにした。 (#623) (@hitenkoku)

 **バグ修正:**

--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,17 +2,15 @@

 ## v1.4.2 [2022/07/XX]

-**New Features:**
-
- XXX
-
 **Enhancements:**

- Combining the two options, you can now update rules with `--update-rules` option to a custom rules directory with the `--rules` option. (#615) (@hitenkoku)
+- You can now update rules to a custom directory by combining the `--update-rules` and `--rules` options. (#615) (@hitenkoku)
+- Improved speed with parallel processing by up to 20% with large files. (#479) (@kazuminn)
+- The `.yml` rule path (changed from RulePath to RuleFile) saved with `-o` now outputs to decrease memory usage and file size. (#623) (@hitenkoku)

 **Bug Fixes:**

- Fixed error due to the files in the config folder cannot be read. (#618) (@hitenkoku)
+- Fixed a runtime error when hayabusa is run from a different path than the current directory. (#618) (@hitenkoku)

 ## v1.4.1 [2022/06/30]

--- a/Cargo.lock
+++ b/Cargo.lock
@@ -133,9 +133,9 @@ checksum = "14c189c53d098945499cdfa7ecc63567cf3886b3332b312a5b4585d8d3a6a610"

 [[package]]
 name = "bytes"
-version = "1.1.0"
+version = "1.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c4872d67bab6358e59559027aa3b9157c53d9358c51423c17554809a8858e0f8"
+checksum = "f0b3de4a0c5e67e16066a0715723abd91edc2f9001d09c46e1dca929351e130e"

 [[package]]
 name = "bytesize"
@@ -529,7 +529,7 @@ dependencies = [
 [[package]]
 name = "evtx"
 version = "0.7.3"
-source = "git+https://github.com/Yamato-Security/hayabusa-evtx.git#7a734d0eb884bba4ce81f1bddbfdb4644c9e74e3"
+source = "git+https://github.com/Yamato-Security/hayabusa-evtx.git#8c3a7927d88972424574d1473ada5b76c8e98269"
 dependencies = [
 "anyhow",
 "bitflags",
@@ -697,9 +697,9 @@ checksum = "9b919933a397b79c37e33b77bb2aa3dc8eb6e165ad809e58ff75bc7db2e34574"

 [[package]]
 name = "hashbrown"
-version = "0.12.2"
+version = "0.12.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "607c8a29735385251a339424dd462993c0fed8fa09d378f259377df08c126022"
+checksum = "8a9ee70c43aaf417c914396645a0fa852624801b24ebb7ae78fe8272889ac888"
 dependencies = [
 "ahash",
 ]
@@ -1219,9 +1219,9 @@ dependencies = [

 [[package]]
 name = "os_str_bytes"
-version = "6.1.0"
+version = "6.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "21326818e99cfe6ce1e524c2a805c189a99b5ae555a35d19f9a284b427d86afa"
+checksum = "648001efe5d5c0102d8cea768e348da85d90af8ba91f0bea908f157951493cd4"

 [[package]]
 name = "parking_lot"
@@ -1977,9 +1977,9 @@ checksum = "099b7128301d285f79ddd55b9a83d5e6b9e97c92e0ea0daebee7263e932de992"

 [[package]]
 name = "unicode-ident"
-version = "1.0.1"
+version = "1.0.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5bd2fe26506023ed7b5e1e315add59d6f584c621d037f9368fea9cfb988f368c"
+checksum = "15c61ba63f9235225a22310255a29b806b907c9b8c964bcbd0a2c70f3f2deea7"

 [[package]]
 name = "unicode-normalization"
--- a/README-Japanese.md
+++ b/README-Japanese.md
@@ -512,8 +512,8 @@ Hayabusaの結果を標準出力に表示しているとき（デフォルト）
 CSVファイルとして保存する場合、以下の列が追加されます:

 * `MitreAttack`: MITRE ATT&CKの戦術。
-* `Rule Path`: アラートまたはイベントを生成した検知ルールへのパス。
-* `File Path`: アラートまたはイベントを起こしたevtxファイルへのパス。
+* `RuleFile`: アラートまたはイベントを生成した検知ルールのファイル名。
+* `EvtxFile`: アラートまたはイベントを起こしたevtxファイルへのパス。

 `-F`もしくは`--full-data`オプションを指定した場合、全てのフィールド情報が`RecordInformation`カラムにで出力されます。

--- a/README.md
+++ b/README.md
@@ -509,8 +509,8 @@ When hayabusa output is being displayed to the screen (the default), it will dis
 The following additional columns will be added to the output when saving to a CSV file:

 * `MitreAttack`: MITRE ATT&CK tactics.
-* `Rule Path`: The path to the detection rule that generated the alert or event.
-* `File Path`: The path to the evtx file that caused the alert or event.
+* `RuleFile`: The filename of the detection rule that generated the alert or event.
+* `EvtxFile`: The path to the evtx file that caused the alert or event.

 If you add the `-F` or `--full-data` option, a `RecordInformation` column with all field information will also be added.

--- a/src/afterfact.rs
+++ b/src/afterfact.rs
@@ -21,6 +21,7 @@ use std::fs::File;
 use std::io;
 use std::io::BufWriter;
 use std::io::Write;
+use std::path::Path;
 use std::process;
 use termcolor::{BufferWriter, Color, ColorChoice, ColorSpec, WriteColor};
 use terminal_size::Width;
@@ -40,8 +41,8 @@ pub struct CsvFormat<'a> {
    details: &'a str,
    #[serde(skip_serializing_if = "Option::is_none")]
    record_information: Option<&'a str>,
-    rule_path: &'a str,
-    file_path: &'a str,
+    rule_file: &'a str,
+    evtx_file: &'a str,
 }

 #[derive(Debug, Serialize)]
@@ -317,8 +318,12 @@ fn emit_csv<W: std::io::Write>(
                    rule_title: &detect_info.alert,
                    details: &detect_info.detail,
                    record_information: detect_info.record_information.as_deref(),
-                    file_path: &detect_info.filepath,
-                    rule_path: &detect_info.rulepath,
+                    evtx_file: &detect_info.filepath,
+                    rule_file: Path::new(&detect_info.rulepath)
+                        .file_name()
+                        .unwrap()
+                        .to_str()
+                        .unwrap(),
                    record_i_d: detect_info.record_id.as_deref(),
                })?;
            }
@@ -782,7 +787,7 @@ mod tests {
            .unwrap();
        let expect_tz = expect_time.with_timezone(&Local);
        let expect =
-            "Timestamp,Computer,Channel,EventID,Level,MitreAttack,RecordID,RuleTitle,Details,RecordInformation,RulePath,FilePath\n"
+            "Timestamp,Computer,Channel,EventID,Level,MitreAttack,RecordID,RuleTitle,Details,RecordInformation,RuleFile,EvtxFile\n"
                .to_string()
                + &expect_tz
                    .clone()
--- a/src/detections/detection.rs
+++ b/src/detections/detection.rs
@@ -23,6 +23,7 @@ use hashbrown::HashMap;
 use serde_json::Value;
 use std::fmt::Write;
 use std::path::Path;
+
 use std::sync::Arc;
 use tokio::{runtime::Runtime, spawn, task::JoinHandle};

@@ -253,10 +254,9 @@ impl Detection {
        } else {
            None
        };
-
        let detect_info = DetectInfo {
            filepath: record_info.evtx_filepath.to_string(),
-            rulepath: rule.rulepath.to_string(),
+            rulepath: (&rule.rulepath).to_owned(),
            level: rule.yaml["level"].as_str().unwrap_or("-").to_string(),
            computername: record_info.record["Event"]["System"]["Computer"]
                .to_string()
@@ -299,9 +299,10 @@ impl Detection {
        } else {
            None
        };
+
        let detect_info = DetectInfo {
            filepath: "-".to_owned(),
-            rulepath: rule.rulepath.to_owned(),
+            rulepath: (&rule.rulepath).to_owned(),
            level: rule.yaml["level"].as_str().unwrap_or("").to_owned(),
            computername: "-".to_owned(),
            eventid: "-".to_owned(),