add 7040,104 and refactor

2020-09-29 15:14:37 +09:00
parent a542406ee5
commit 9110801b0d
3 changed files with 46 additions and 4 deletions
--- a/src/detections/application.rs
+++ b/src/detections/application.rs
@@ -18,11 +18,11 @@ impl Application {
        event_data: HashMap<String, String>,
    ) {
        if event_id == "2" {
-            &self.emet(system, event_data);
+            &self.emet(system);
        }
    }

-    fn emet(&mut self, system: &event::System, event_data: HashMap<String, String>) {
+    fn emet(&mut self, system: &event::System) {
        match &system.provider.name {
            Some(name) => {
                if (name != "EMET") {
--- a/src/detections/detection.rs
+++ b/src/detections/detection.rs
@@ -41,7 +41,7 @@ impl Detection {
                    if channel == "Security" {
                        &security.detection(event_id, &event.system, event_data);
                    } else if channel == "System" {
-                        &system.detection();
+                        &system.detection(event_id, &event.system, event_data);
                    } else if channel == "Application" {
                        &application.detection(event_id, &event.system, event_data);
                    } else {
--- a/src/detections/system.rs
+++ b/src/detections/system.rs
@@ -1,3 +1,6 @@
+use crate::models::event;
+use std::collections::HashMap;
+
 pub struct System {}

 impl System {
@@ -5,5 +8,44 @@ impl System {
        System {}
    }

-    pub fn detection(&self) {}
+    pub fn detection(
+        &mut self,
+        event_id: String,
+        system: &event::System,
+        event_data: HashMap<String, String>,
+    ) {
+        if event_id == "104" {
+            &self.system_log_clear();
+        } else if event_id == "7040" {
+            &self.windows_event_log(event_data);
+        }
+    }
+
+    fn system_log_clear(&mut self) {
+        println!("Message : System Log Clear");
+        println!("Results : The System log was cleared.");
+    }
+
+    fn windows_event_log(&mut self, event_data: HashMap<String, String>) {
+        match event_data.get("param1") {
+            Some(_data) => {
+                if _data == "Windows Event Log" {
+                    println!("Service name : {}", _data);
+                    match event_data.get("param2") {
+                        Some(_data) => {
+                            if _data == "disabled" {
+                                println!("Message : Event Log Service Stopped");
+                                println!("Results : Selective event log manipulation may follow this event.");
+                            } else if _data == "auto start" {
+                                println!("Message : Event Log Service Started");
+                                println!("Results : Selective event log manipulation may precede this event.");
+                            }
+                        }
+                        None => (),
+                    }
+                }
+            }
+            None => (),
+        }
+    }
 }