diff --git a/src/afterfact.rs b/src/afterfact.rs
index 9ab837e5..15fd0fdf 100644
--- a/src/afterfact.rs
+++ b/src/afterfact.rs
@@ -170,7 +170,7 @@ fn test_emit_csv() {
             + ","
             + testrulepath
             + ","
-            + &testfilepath.replace(".evtx", "").to_string()
+            + &testfilepath.to_string()
             + "\n";
         let mut file: Box =
diff --git a/src/detections/configs.rs b/src/detections/configs.rs
index eb41aa28..248f1bcb 100644
--- a/src/detections/configs.rs
+++ b/src/detections/configs.rs
@@ -52,6 +52,7 @@ fn build_app<'a>() -> ArgMatches<'a> {
         --rfc-2822 'Output date and time in RFC 2822 format. Example: Mon, 07 Aug 2006 12:34:56 -0600'
         --rfc-3339 'Output date and time in RFC 3339 format. Example: 2006-08-07T12:34:56.485214 -06:00'
         --verbose 'Output check information to target event file path and rule file.'
+        -r --rules=[RULEDIRECTORY] 'using target of rule file directory'
         -L --level=[LEVEL] 'Specified execute rule level(default: LOW)'
         -u --utc 'Output time in UTC format(default: local time)'
         -d --directory=[DIRECTORY] 'Event log files directory'
diff --git a/src/detections/detection.rs b/src/detections/detection.rs
index 771f1f21..d6ab5583 100644
--- a/src/detections/detection.rs
+++ b/src/detections/detection.rs
@@ -47,10 +47,10 @@ impl Detection {
     }
     // ルールファイルをパースします。
-    pub fn parse_rule_files(level: String) -> Vec {
+    pub fn parse_rule_files(level: String, rulespath: Option<&str>) -> Vec {
         // ルールファイルのパースを実行
         let mut rulefile_loader = ParseYaml::new();
-        let result_readdir = rulefile_loader.read_dir(DIRPATH_RULES, &level);
+        let result_readdir = rulefile_loader.read_dir(rulespath.unwrap_or(DIRPATH_RULES), &level);
         if result_readdir.is_err() {
             AlertMessage::alert(
                 &mut std::io::stderr().lock(),
@@ -202,3 +202,11 @@ impl Detection {
         return ret;
     }
 }
+
+#[test]
+fn test_parse_rule_files() {
+    let level = "INFO";
+    let opt_rule_path = Some("./test_files/rules/level_yaml");
+    let cole = Detection::parse_rule_files(level.to_owned(), opt_rule_path);
+    assert_eq!(5, cole.len());
+}
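Review bot: The replacement line `+ &testfilepath.to_string()` allocates a fresh String only to borrow it straight back; if `testfilepath` is already a `String` (its declaration is above the hunk) `+ &testfilepath` is enough, and if it is a `&str`, `+ testfilepath`. The expected CSV row now carries the event file name with its extension, which is consistent with the print.rs change in this commit. `test_emit_csv` begins and ends outside the hunk.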
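Review bot: The help text on the added `-r --rules=[RULEDIRECTORY]` line, `'using target of rule file directory'`, does not say what the value is or what happens when the flag is omitted, whereas the neighbouring `--level` and `--utc` entries state their defaults. Suggest `-r --rules=[RULEDIRECTORY] 'Directory to load rule files from (default: the built-in rules directory)'`, substituting the literal value of DIRPATH_RULES if it is a fixed relative path. Because files under this directory appear to be parsed as rules and drive detection, the wording should make clear it is an operator-supplied directory rather than a filter on rule names. `build_app` continues outside the hunk.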
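Review bot: The new `rulespath` parameter is not reflected in the comment above the signature, and a present-but-empty value (`--rules=` typically yields `Some("")` from clap's `value_of`) bypasses the default and hands `""` to `read_dir`. Suggest `rulespath.filter(|p| !p.is_empty()).unwrap_or(DIRPATH_RULES)` on the `read_dir` line, and replacing the Japanese comment with a doc comment such as `/// Parses rule files from `rulespath`, falling back to DIRPATH_RULES when None, keeping those at or above `level`.` Whichever directory is chosen should also be the one named in the `AlertMessage::alert` text that follows, which is outside the hunk, so a user who mistyped `-r` sees the path that was actually tried. `parse_rule_files` continues past the end of the hunk.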
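Review bot: `test_parse_rule_files` only exercises the `Some(path)` branch; the `None` fallback to DIRPATH_RULES introduced by the signature change is never run, so a typo in the default path would still pass CI. Add a case such as `assert!(!Detection::parse_rule_files("INFO".to_owned(), None).is_empty());` if the default rules directory is checked into the repository, or point it at a fixture otherwise. The bare `5` in `assert_eq!(5, cole.len())` also deserves a comment naming which fixture files under test_files/rules/level_yaml make up that count, and `cole` would read better as `rules`.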
diff --git a/src/detections/print.rs b/src/detections/print.rs
index 64300316..708f183f 100644
--- a/src/detections/print.rs
+++ b/src/detections/print.rs
@@ -51,7 +51,7 @@ impl Message {
         event_detail: String,
     ) {
         let detect_info = DetectInfo {
-            filepath: target_file.replace(".evtx", ""),
+            filepath: target_file,
             rulepath: rule_path,
             level: level,
             computername: computername,
diff --git a/src/main.rs b/src/main.rs
index e727a879..0fde7241 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -114,7 +114,10 @@ fn analysis_files(evtx_files: Vec) {
         .value_of("level")
         .unwrap_or("INFO")
         .to_uppercase();
-    let rule_files = detection::Detection::parse_rule_files(level);
+    let rule_files = detection::Detection::parse_rule_files(
+        level,
+        configs::CONFIG.read().unwrap().args.value_of("rules"),
+    );
     let mut detection = detection::Detection::new(rule_files);
     for evtx_file in evtx_files {
         if configs::CONFIG.read().unwrap().args.is_present("verbose") {
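Review bot: `filepath: target_file` now stores the event file path verbatim, so whatever string the caller passes ends up unmodified in the CSV row that afterfact.rs assembles by string concatenation. If that writer does not quote fields, a path containing a comma, quote or newline will shift columns, and a file name beginning with `=`, `+`, `-` or `@` is treated as a formula by spreadsheet tools when the report is opened there (CSV injection); this was already the case before the `.replace` was dropped, but it is worth handling at the write site, e.g. with a CSV writer that quotes fields or by prefixing such values with `'`. The assignment into `DetectInfo` is otherwise a straight move, and the enclosing method on `Message` begins outside the hunk.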