diff --git a/Cargo.toml b/Cargo.toml index fd190183..04818b2c 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -12,3 +12,4 @@ quick-xml = {version = "0.17", features = ["serialize"] } serde = { version = "1.0", features = ["derive"] } serde_json = { version = "1.0"} clap = "*" +regex = "1" diff --git a/src/detections/application.rs b/src/detections/application.rs index 7676faab..9622b359 100644 --- a/src/detections/application.rs +++ b/src/detections/application.rs @@ -1,15 +1,51 @@ +extern crate regex; -pub struct Application { - -} +use crate::models::event; +use regex::Regex; +use std::collections::HashMap; + +pub struct Application {} impl Application { - pub fn new() -> Application { - Application{} + Application {} } - pub fn detection(&self) { + pub fn detection( + &mut self, + event_id: String, + system: &event::System, + event_data: HashMap, + ) { + let _emet = String::from("EMET"); + if event_id == "2" { + match &system.provider.name { + Some(_emet) => { + &self.emet(system, event_data); + } + None => (), + } + } + } + fn emet(&mut self, system: &event::System, event_data: HashMap) { + match &system.message { + Some(message) => { + let message_split: Vec<&str> = message.split("\n").collect(); + let text = message_split[0]; + let application = message_split[3]; + let re = Regex::new(r"^Application: ").unwrap(); + let command = re.replace_all(application, ""); + let username = message_split[4]; + + println!("Message EMET Block"); + println!("Command {}", command); + println!("Results {}", text); + println!("Results {}", username); + } + None => { + println!("Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"); + } + } } } diff --git a/src/models/event.rs b/src/models/event.rs index 65afe514..2a06e6bd 100644 --- a/src/models/event.rs +++ b/src/models/event.rs 
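Review bot: The `Some(_emet)` arm in `detection` is a pattern binding, not a comparison with the `_emet` string declared above it, so any provider name matches and the EMET handler runs for every event with id 2; it should be `Some(name) if name == "EMET" => self.emet(system, event_data),` (or an `as_deref() == Some("EMET")` test), and the `&self.emet(...)` reference to a unit value can go. `emet` then reads `message_split[3]` and `message_split[4]` unconditionally while the message text comes from the event log being parsed, so a shorter-than-expected message panics the whole run instead of being reported; `.get()` with a warning fallback is the safer shape. The `Regex::new(...).unwrap()` is recompiled on every call and only strips a literal prefix, which `str::strip_prefix` does without the new dependency. `event_data` is unused in `emet`, and the two `println!("Results {}", …)` lines print different fields under the same label. The rewritten bodies are below; the `HashMap` and `Option` type parameters appear stripped in this view, so the signatures are left as in the hunk.
```rust
    // … unchanged: detection signature …
        // `Some(_emet)` would bind a fresh name; compare the provider name instead.
        if event_id == "2" && system.provider.name.as_deref() == Some("EMET") {
            self.emet(system, event_data);
        }
    }

    // … unchanged: emet signature …
        let message = match &system.message {
            Some(message) => message,
            None => {
                println!("Warning: EMET Message field is blank. Install EMET locally to see full details of this alert");
                return;
            }
        };
        let lines: Vec<&str> = message.split('\n').collect();
        // The message is read from the event log being parsed; a short one must not panic the run.
        let (text, application, username) = match (lines.first(), lines.get(3), lines.get(4)) {
            (Some(t), Some(a), Some(u)) => (*t, *a, *u),
            _ => {
                println!("Warning: EMET Message has fewer lines than expected; skipping");
                return;
            }
        };
        let command = application.strip_prefix("Application: ").unwrap_or(application);
        // … unchanged: println! reporting of command, text and username …
```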
@@ -25,9 +25,9 @@ struct Execution { } #[derive(Debug, Deserialize, PartialEq)] -struct Provider { +pub struct Provider { #[serde(rename = "Name")] - name: Option, + pub name: Option, #[serde(rename = "Guid")] guid: Option, } @@ -35,7 +35,7 @@ struct Provider { #[derive(Debug, Deserialize, PartialEq)] pub struct System { #[serde(rename = "Provider")] - provider: Provider, + pub provider: Provider, #[serde(rename = "EventID")] pub event_id: String, #[serde(rename = "Version")] @@ -62,6 +62,8 @@ pub struct System { computer: String, #[serde(rename = "Security")] security: String, + #[serde(rename = "Message")] + pub message: Option, } #[derive(Debug, Deserialize, PartialEq)] @@ -79,44 +81,41 @@ pub struct Evtx { } impl Evtx { - // // 文字列データを取得する // fn get_string(v: &Data) -> String { - match &v.text { Some(text) => { return text.to_string(); - }, + } _ => return "".to_string(), } } - + // // EventDataをHashMapとして取得する // - pub fn parse_event_data(&self) -> HashMap { + pub fn parse_event_data(&self) -> HashMap { let mut values = HashMap::new(); - + match &self.event_data { - Some(event_data) => - match &event_data.data { - Some(data) => { - for v in data.iter() { - match &v.name { - Some(name) => { - values.insert(name.to_string(), Evtx::get_string(v)); - }, - None => (), + Some(event_data) => match &event_data.data { + Some(data) => { + for v in data.iter() { + match &v.name { + Some(name) => { + values.insert(name.to_string(), Evtx::get_string(v)); } + None => (), } - }, - None => (), - }, + } + } + None => (), + }, None => (), } - + values } }
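Review bot: The new `message` field on `System` (third hunk) has no documentation, and nothing in this diff shows where a `Message` element is produced in the XML that `quick-xml` deserializes; if the upstream conversion does not emit it inside `System`, the field is `None` on every record and the caller's "Message field is blank" warning fires unconditionally, so the source of the value deserves a comment. I would add above the `#[serde(rename = "Message")]` attribute `/// Rendered message text when the source XML carries a `Message` element under `System`; `None` when absent.` The `Option` type parameter appears stripped in this view, so I cannot confirm the inner type from the hunk. The `pub` visibility changes on `Provider` and `provider` in the first two hunks and the rustfmt-only reshaping of `parse_event_data` in the last need nothing further.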