add 7040,104 and refactor
@@ -18,11 +18,11 @@ impl Application {
|
|||||||
event_data: HashMap<String, String>,
|
event_data: HashMap<String, String>,
|
||||||
) {
|
) {
|
||||||
if event_id == "2" {
|
if event_id == "2" {
|
||||||
&self.emet(system, event_data);
|
&self.emet(system);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
fn emet(&mut self, system: &event::System, event_data: HashMap<String, String>) {
|
fn emet(&mut self, system: &event::System) {
|
||||||
match &system.provider.name {
|
match &system.provider.name {
|
||||||
Some(name) => {
|
Some(name) => {
|
||||||
if (name != "EMET") {
|
if (name != "EMET") {
|
||||||
|
|||||||
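Review bot: The changed call `&self.emet(system);` borrows the unit value `emet` returns and drops the reference on the same line, so the leading `&` does nothing and clippy reports it as a needless borrow; write `self.emet(system);`. Dropping `event_data` from `emet` is consistent with the new body, which only reads `system.provider.name`, but the unchanged `if (name != "EMET") {` guard below it still carries redundant parentheses that rustc warns about as `unused_parens`. Both `detection` and `emet` continue past the end of this hunk, so the remainder of the provider check is not reviewable here.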
@@ -41,7 +41,7 @@ impl Detection {
|
|||||||
if channel == "Security" {
|
if channel == "Security" {
|
||||||
&security.detection(event_id, &event.system, event_data);
|
&security.detection(event_id, &event.system, event_data);
|
||||||
} else if channel == "System" {
|
} else if channel == "System" {
|
||||||
&system.detection();
|
&system.detection(event_id, &event.system, event_data);
|
||||||
} else if channel == "Application" {
|
} else if channel == "Application" {
|
||||||
&application.detection(event_id, &event.system, event_data);
|
&application.detection(event_id, &event.system, event_data);
|
||||||
} else {
|
} else {
|
||||||
|
|||||||
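Review bot: `System::detection` now takes `&mut self` (see the `@@ -5,5 +8,44 @@` hunk), so the `system` binding used on `&system.detection(event_id, &event.system, event_data);` must be declared `mut` (or be a `&mut System`); that declaration is outside this hunk, so confirm the dispatcher still compiles. As in the other two branches, the leading `&` borrows the `()` the call returns and is discarded; `system.detection(event_id, &event.system, event_data);` is the intended form. Moving `event_id` and `event_data` into the matching branch is fine because the `if`/`else if` chain makes the branches exclusive. The enclosing `detection` body starts and ends outside this hunk.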
@@ -1,3 +1,6 @@
|
|||||||
|
use crate::models::event;
|
||||||
|
use std::collections::HashMap;
|
||||||
|
|
||||||
pub struct System {}
|
pub struct System {}
|
||||||
|
|
||||||
impl System {
|
impl System {
|
||||||
@@ -5,5 +8,44 @@ impl System {
|
|||||||
System {}
|
System {}
|
||||||
}
|
}
|
||||||
|
|
||||||
pub fn detection(&self) {}
|
pub fn detection(
|
||||||
|
&mut self,
|
||||||
|
event_id: String,
|
||||||
|
system: &event::System,
|
||||||
|
event_data: HashMap<String, String>,
|
||||||
|
) {
|
||||||
|
if event_id == "104" {
|
||||||
|
&self.system_log_clear();
|
||||||
|
} else if event_id == "7040" {
|
||||||
|
&self.windows_event_log(event_data);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
fn system_log_clear(&mut self) {
|
||||||
|
println!("Message : System Log Clear");
|
||||||
|
println!("Results : The System log was cleared.");
|
||||||
|
}
|
||||||
|
|
||||||
|
fn windows_event_log(&mut self, event_data: HashMap<String, String>) {
|
||||||
|
match event_data.get("param1") {
|
||||||
|
Some(_data) => {
|
||||||
|
if _data == "Windows Event Log" {
|
||||||
|
println!("Service name : {}", _data);
|
||||||
|
match event_data.get("param2") {
|
||||||
|
Some(_data) => {
|
||||||
|
if _data == "disabled" {
|
||||||
|
println!("Message : Event Log Service Stopped");
|
||||||
|
println!("Results : Selective event log manipulation may follow this event.");
|
||||||
|
} else if _data == "auto start" {
|
||||||
|
println!("Message : Event Log Service Started");
|
||||||
|
println!("Results : Selective event log manipulation may precede this event.");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
None => (),
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
None => (),
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
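Review bot: `windows_event_log` treats `param2` as the new start type, but the Service Control Manager 7040 message reads "start type of the %1 service was changed from %2 to %3", so `param2` is presumably the previous start type and `param3` the new one — if so, the `disabled` branch fires when the Event Log service is being re-enabled, the opposite of the "Service Stopped" text it prints; confirm against a captured 7040 and switch to `match event_data.get("param3").map(String::as_str)`. `param1` is, as far as I know, the localized display name, so comparing it with `"Windows Event Log"` silently misses non-English hosts, whereas `param4` carries the locale-independent service name (`EventLog`). `detection` never reads its `system` parameter, so unlike the Application handler's `name != "EMET"` provider check there is no guard here, and a 104 or 7040 from any provider in the System channel is reported as log tampering; add the equivalent `match &system.provider.name` test before dispatching. `system_log_clear` hardcodes "The System log was cleared" although 104 reports the cleared channel in its event data; print that field rather than asserting it was System.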