Feature/output read rule directory#201 (#221)

* fixed filepath evtx extension #162

* added rules option to config usage #201

* fixed filepath evtx extension rule #162

* added rules directory read feature #201

* added test case #201

* fixed usage set #201

* removed all check rule #201

* fixed rule read function data #201
DustInDark
2021-11-20 14:01:50 +09:00
committed by GitHub
parent 0b85a280f0
commit 86321a4502
5 changed files with 17 additions and 5 deletions


@@ -170,7 +170,7 @@ fn test_emit_csv() {
+ "," + ","
+ testrulepath + testrulepath
+ "," + ","
+ &testfilepath.replace(".evtx", "").to_string() + &testfilepath.to_string()
+ "\n"; + "\n";
let mut file: Box<dyn io::Write> = let mut file: Box<dyn io::Write> =


@@ -52,6 +52,7 @@ fn build_app<'a>() -> ArgMatches<'a> {
--rfc-2822 'Output date and time in RFC 2822 format. Example: Mon, 07 Aug 2006 12:34:56 -0600' --rfc-2822 'Output date and time in RFC 2822 format. Example: Mon, 07 Aug 2006 12:34:56 -0600'
--rfc-3339 'Output date and time in RFC 3339 format. Example: 2006-08-07T12:34:56.485214 -06:00' --rfc-3339 'Output date and time in RFC 3339 format. Example: 2006-08-07T12:34:56.485214 -06:00'
--verbose 'Output check information to target event file path and rule file.' --verbose 'Output check information to target event file path and rule file.'
-r --rules=[RULEDIRECTORY] 'using target of rule file directory'
-L --level=[LEVEL] 'Specified execute rule level(default: LOW)' -L --level=[LEVEL] 'Specified execute rule level(default: LOW)'
-u --utc 'Output time in UTC format(default: local time)' -u --utc 'Output time in UTC format(default: local time)'
-d --directory=[DIRECTORY] 'Event log files directory' -d --directory=[DIRECTORY] 'Event log files directory'
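Review bot: The help string on the new `--rules` option reads awkwardly and does not say what happens when the flag is omitted; clap prints this string verbatim in `--help`, so it is the only documentation a user sees for it. Something like `-r --rules=[RULEDIRECTORY] 'Directory to read rule files from (default: the built-in rules directory)'` would read better and match the neighbouring `--level` and `--utc` entries, which both state their defaults. Since the value is passed straight through to `ParseYaml::read_dir` in `Detection::parse_rule_files`, the wording should also make clear that it names a directory, not a single rule file. build_app starts before this hunk and continues after it.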


@@ -47,10 +47,10 @@ impl Detection {
} }
// ルールファイルをパースします。 // ルールファイルをパースします。
pub fn parse_rule_files(level: String) -> Vec<RuleNode> { pub fn parse_rule_files(level: String, rulespath: Option<&str>) -> Vec<RuleNode> {
// ルールファイルのパースを実行 // ルールファイルのパースを実行
let mut rulefile_loader = ParseYaml::new(); let mut rulefile_loader = ParseYaml::new();
let result_readdir = rulefile_loader.read_dir(DIRPATH_RULES, &level); let result_readdir = rulefile_loader.read_dir(rulespath.unwrap_or(DIRPATH_RULES), &level);
if result_readdir.is_err() { if result_readdir.is_err() {
AlertMessage::alert( AlertMessage::alert(
&mut std::io::stderr().lock(), &mut std::io::stderr().lock(),
@@ -202,3 +202,11 @@ impl Detection {
return ret; return ret;
} }
} }
#[test]
fn test_parse_rule_files() {
let level = "INFO";
let opt_rule_path = Some("./test_files/rules/level_yaml");
let cole = Detection::parse_rule_files(level.to_owned(), opt_rule_path);
assert_eq!(5, cole.len());
}
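Review bot: The new `rulespath` parameter on `parse_rule_files` is undocumented: the only comment above the signature is the pre-existing one-liner, and nothing states that `None` falls back to `DIRPATH_RULES` or that the value is expected to be a directory. A doc line such as `/// rulespath: directory to read rule files from; None falls back to DIRPATH_RULES.` above the `pub fn` would cover it. The added `test_parse_rule_files` asserts a bare `5` against a fixture directory, so a comment naming where that number comes from (for example `// ./test_files/rules/level_yaml: expected rule count for level INFO`) would stop the next fixture change from looking like a regression — whether the count means rules at or above the level or all rules in the directory is not visible in this hunk, so confirm before wording it. Taking the parameter as `Option<&std::path::Path>` rather than `Option<&str>` would be the more idiomatic choice, though `read_dir`'s signature is outside the hunk and may already expect `&str`. The body of `parse_rule_files` continues past the first hunk.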


@@ -51,7 +51,7 @@ impl Message {
event_detail: String, event_detail: String,
) { ) {
let detect_info = DetectInfo { let detect_info = DetectInfo {
filepath: target_file.replace(".evtx", ""), filepath: target_file,
rulepath: rule_path, rulepath: rule_path,
level: level, level: level,
computername: computername, computername: computername,


@@ -114,7 +114,10 @@ fn analysis_files(evtx_files: Vec<PathBuf>) {
.value_of("level") .value_of("level")
.unwrap_or("INFO") .unwrap_or("INFO")
.to_uppercase(); .to_uppercase();
let rule_files = detection::Detection::parse_rule_files(level); let rule_files = detection::Detection::parse_rule_files(
level,
configs::CONFIG.read().unwrap().args.value_of("rules"),
);
let mut detection = detection::Detection::new(rule_files); let mut detection = detection::Detection::new(rule_files);
for evtx_file in evtx_files { for evtx_file in evtx_files {
if configs::CONFIG.read().unwrap().args.is_present("verbose") { if configs::CONFIG.read().unwrap().args.is_present("verbose") {