diff --git a/doc/AboutRuleCreation-English.md b/doc/AboutRuleCreation-English.md
index 754aca09..e391c336 100644
--- a/doc/AboutRuleCreation-English.md
+++ b/doc/AboutRuleCreation-English.md
@@ -27,7 +27,7 @@ updated_date: 2020/11/8
 * author [optional]: The name of the person or persons who created the logic for the rule.
 * detection [required]: The detection logic goes here.
 * falsepositives [optional]: The possibilities for false positives. For example: `system administrator`, `normal user usage`, `normal system usage`, `legacy application`, `security team`. If it is unknown, write `unknown`.
-* level [optional]: Risk level. Please write one of the following: `info`,`low`,`medium`,`high`,`critical`
+* level [optional]: Risk level. Please write one of the following: `informational`,`low`,`medium`,`high`,`critical`
 * output [required]: The details of the alert. (Please output any and only useful fields in the Windows event log for easy analysis.)
 * creation_date [optional]: The creation date.
 * updated_date [optional]: The date of the last revision.
diff --git a/doc/AboutRuleCreation-Japanese.md b/doc/AboutRuleCreation-Japanese.md
index acdaec18..0bc0f95b 100644
--- a/doc/AboutRuleCreation-Japanese.md
+++ b/doc/AboutRuleCreation-Japanese.md
@@ -27,7 +27,7 @@ updated_date: 2020/11/8
 * author [optional]: ルールファイルの作者を入力します。
 * detection [required]: 検知ルールを入力します。
 * falsepositives [optional]: 誤検知に関する情報を入力します。例:unknown、system administrator、normal user usage、normal system usage、legacy application、security team等々。
-* level [optional]: リスクレベルを入力します。指定する値は`info`,`low`,`medium`,`high`,`critical`のいづれかです。
+* level [optional]: リスクレベルを入力します。指定する値は`informational`,`low`,`medium`,`high`,`critical`のいづれかです。
 * output [required]: イベントログが検知した場合に表示されるメッセージを入力します。
 * creation_date [optional]: ルールファイルの作成日を入力します。
 * updated_date [optional]: ルールファイルの更新日を入力します。
diff --git a/src/detections/configs.rs b/src/detections/configs.rs
index 02499876..c37a41e3 100644
--- a/src/detections/configs.rs
+++ b/src/detections/configs.rs
@@ -7,7 +7,7 @@ lazy_static! {
 pub static ref CONFIG: RwLock = RwLock::new(ConfigReader::new());
 pub static ref LEVELMAP: HashMap = {
 let mut levelmap = HashMap::new();
- levelmap.insert("INFO".to_owned(), 1);
+ levelmap.insert("INFORMATIONAL".to_owned(), 1);
 levelmap.insert("LOW".to_owned(), 2);
 levelmap.insert("MEDIUM".to_owned(), 3);
 levelmap.insert("HIGH".to_owned(), 4);
@@ -54,7 +54,7 @@ fn build_app<'a>() -> ArgMatches<'a> {
 --verbose 'Output verbose information to target event file path and rule file'
 -q 'Quiet mode. Do not display the launch banner'
 -r --rules=[RULEDIRECTORY] 'Rule file directory (default: ./rules)'
- -L --level=[LEVEL] 'Minimum level for rules (default: low)'
+ -L --level=[LEVEL] 'Minimum level for rules (default: INFORMATIONAL)'
 -u --utc 'Output time in UTC format (default: local time)'
 -d --directory=[DIRECTORY] 'Directory of multiple .evtx files'
 -s --statistics 'Prints statistics of event IDs'
diff --git a/src/detections/detection.rs b/src/detections/detection.rs
index b6233769..b103a742 100644
--- a/src/detections/detection.rs
+++ b/src/detections/detection.rs
@@ -145,8 +145,15 @@ impl Detection {
 pub fn print_unique_results(&self) {
 let rules = &self.rules;
- let levellabel = Vec::from(["Critical", "High", "Medium", "Low", "Info", "Undefined"]);
- // levels are [(Undeifned), (Info), (Low),(Medium),(High),(Critical)]
+ let levellabel = Vec::from([
+ "Critical",
+ "High",
+ "Medium",
+ "Low",
+ "Informational",
+ "Undeifned",
+ ]);
+ // levclcounts is [(Undeifned), (Informational), (Low),(Medium),(High),(Critical)]
 let mut levelcounts = Vec::from([0, 0, 0, 0, 0, 0]);
 for rule in rules.into_iter() {
 if rule.check_exist_countdata() {
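Review bot: Dropping the `"INFO"` key from LEVELMAP means any rule file or `--level` value that still uses the previously documented `info` spelling no longer resolves through the map and only keeps working because the `unwrap_or(&1)` fallback in yaml.rs happens to coincide with the new level 1. That coupling is fragile: tightening the fallback later would silently change how legacy rules are ranked. Keeping the old spelling as an explicit alias next to the new entry, `levelmap.insert("INFO".to_owned(), 1);`, makes the compatibility intentional and independent of the fallback. The LEVELMAP initialiser continues past the end of the hunk.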
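Review bot: The help text now advertises the default as `INFORMATIONAL` in upper case, while the documentation hunks and the `unwrap_or("informational")` defaults in main.rs and yaml.rs spell it in lower case, as do the other defaults in this usage string (`./rules`, `local time`). Since main.rs upper-cases the argument before use, both spellings are accepted, so this is purely a consistency point: `-L --level=[LEVEL] 'Minimum level for rules (default: informational)'`. The usage string of build_app continues outside the hunk on both sides.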
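Review bot: The new label list introduces the typo `"Undeifned"` into a user-visible string, whereas the removed line had `"Undefined"` and the typo lived only in the comment; the rewritten comment also calls the vector `levclcounts` although the variable declared on the next line is `levelcounts`. Change the entry to `"Undefined",` and the comment to `// levelcounts is [(Undefined), (Informational), (Low), (Medium), (High), (Critical)]`. Note that levellabel is listed from Critical down while the comment lists levelcounts from Undefined up; the code that pairs the two is outside the hunk, as is the rest of print_unique_results.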
@@ -258,7 +265,7 @@ impl Detection {
 #[test]
 fn test_parse_rule_files() {
- let level = "INFO";
+ let level = "informational";
 let opt_rule_path = Some("./test_files/rules/level_yaml");
 let cole = Detection::parse_rule_files(level.to_owned(), opt_rule_path);
 assert_eq!(5, cole.len());
diff --git a/src/main.rs b/src/main.rs
index 6b6b34c0..0eb19097 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -116,7 +116,7 @@ fn analysis_files(evtx_files: Vec) {
 .unwrap()
 .args
 .value_of("level")
- .unwrap_or("INFO")
+ .unwrap_or("informational")
 .to_uppercase();
 println!("Analyzing event files: {:?}", evtx_files.len());
 let rule_files = detection::Detection::parse_rule_files(
diff --git a/src/yaml.rs b/src/yaml.rs
index b0ef5065..075cafee 100644
--- a/src/yaml.rs
+++ b/src/yaml.rs
@@ -121,11 +121,11 @@ impl ParseYaml {
 // 指定されたレベルより低いルールは無視する
 let doc_level = &yaml_doc["level"]
 .as_str()
- .unwrap_or("LOW")
+ .unwrap_or("informational")
 .to_string()
 .to_uppercase();
- let doc_level_num = configs::LEVELMAP.get(doc_level).unwrap_or(&2);
- let args_level_num = configs::LEVELMAP.get(level).unwrap_or(&2);
+ let doc_level_num = configs::LEVELMAP.get(doc_level).unwrap_or(&1);
+ let args_level_num = configs::LEVELMAP.get(level).unwrap_or(&1);
 if doc_level_num < args_level_num {
 return Option::None;
 }
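Review bot: The test now passes the lower-case `"informational"`, but LEVELMAP is keyed on upper-case names and main.rs upper-cases the CLI value before calling parse_rule_files, so inside yaml.rs the lookup `configs::LEVELMAP.get(level)` misses and the test only passes through the `unwrap_or(&1)` fallback rather than by actually resolving the level (the removed `"INFO"` was a real key). Use the form the production path produces, `let level = "INFORMATIONAL";`, so that a later change to the fallback cannot turn this into a false pass. The same applies to `&"informational"` in test_info_level_read_yaml in the yaml.rs test hunk. The closing of test_parse_rule_files is outside the hunk.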
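Review bot: The default level string `"informational"` is now repeated here, in yaml.rs (`unwrap_or("informational")`) and, in another spelling, in the configs.rs help text, and its numeric counterpart `&1` is repeated twice in yaml.rs; all of them have to be kept in sync by hand, which is exactly what this rename had to do. A single constant next to LEVELMAP, e.g. `pub const DEFAULT_LEVEL: &str = "INFORMATIONAL";` (name constructed), referenced from all three call sites, would make the next rename a one-line change. analysis_files continues on both sides of the hunk.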
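Review bot: Both lookups now fall back to `&1` silently, so a rule whose `level` is misspelled or uses a value outside LEVELMAP is quietly ranked as informational, and a mistyped `--level` value quietly becomes the lowest level; for a detection tool the first case means a rule meant to be `high` or `critical` disappears without trace whenever the operator runs with `--level medium` or above. Keeping the permissive default but emitting a warning on a miss (via eprintln! below, or whatever logging facility the project already uses) makes the mismatch visible at load time instead of showing up as a missing alert. The enclosing function continues outside the hunk on both sides.
```rust
let doc_level_num = configs::LEVELMAP.get(doc_level).unwrap_or_else(|| {
    eprintln!("unknown rule level '{}', treating it as informational", doc_level);
    &1
});
let args_level_num = configs::LEVELMAP.get(level).unwrap_or_else(|| {
    eprintln!("unknown --level value '{}', treating it as informational", level);
    &1
});
// … unchanged: level comparison and early return …
```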
@@ -179,19 +179,19 @@ mod tests {
 }
 #[test]
- /// no specifed "level" arguments value is adapted default level(LOW)
+ /// no specifed "level" arguments value is adapted default level(informational)
 fn test_default_level_read_yaml() {
 let mut yaml = yaml::ParseYaml::new();
 let path = Path::new("test_files/rules/level_yaml");
 yaml.read_dir(path.to_path_buf(), &"").unwrap();
- assert_eq!(yaml.files.len(), 4);
+ assert_eq!(yaml.files.len(), 5);
 }
 #[test]
 fn test_info_level_read_yaml() {
 let mut yaml = yaml::ParseYaml::new();
 let path = Path::new("test_files/rules/level_yaml");
- yaml.read_dir(path.to_path_buf(), &"INFO").unwrap();
+ yaml.read_dir(path.to_path_buf(), &"informational").unwrap();
 assert_eq!(yaml.files.len(), 5);
 }
 #[test]
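Review bot: The rewritten doc comment `/// no specifed "level" arguments value is adapted default level(informational)` keeps the misspelling and is hard to read for the behavior it now documents; since the line is being touched anyway, reword it as `/// When no "level" argument is given, the default level (informational) applies and every rule file in the directory is read.` With that default, test_default_level_read_yaml and test_info_level_read_yaml both assert 5 files from the same directory, so the default test no longer distinguishes "no level given" from an explicit informational level; if that is intended, a one-line comment saying so would save the next reader the check.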