CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Hotfix/moved rule configs to hayabusa rules repo#409 (#414)

Browse Source 
* fixed target config path #409

* fixed target config file path in test #409

* fixed rules target #409

* Documentation fix, deleted unneeded config files

* added workflow

* changed submodule option

* fixed worksflow to ref submodule

* fixed gitmodules

* fixed workflow

* check code insert

* added update submodules command

* test rules update

* removed test runs

* fixed error

Co-authored-by: Tanaka Zakku <71482215+YamatoSecurity@users.noreply.github.com>
This commit is contained in:
DustInDark
2022-02-26 18:19:19 +09:00
committed by GitHub
parent 02b1d7f07c
commit 92c472d451
19 changed files with 39 additions and 515 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/detections/configs.rs
View File

@@ -19,7 +19,7 @@ lazy_static! {
return levelmap;
};
pub static ref EVENTKEY_ALIAS: EventKeyAliasConfig =
load_eventkey_alias("config/eventkey_alias.txt");
load_eventkey_alias("./rules/config/eventkey_alias.txt");
}
#[derive(Clone)]

10
src/detections/rule/matchers.rs
View File

@@ -504,8 +504,8 @@ mod tests {
- ホスト アプリケーション
ImagePath:
min_length: 1234321
regexes: ./config/regex/detectlist_suspicous_services.txt
allowlist: ./config/regex/allowlist_legitimate_services.txt
regexes: ./rules/config/regex/detectlist_suspicous_services.txt
allowlist: ./rules/config/regex/allowlist_legitimate_services.txt
falsepositives:
- unknown
level: medium
@@ -1092,7 +1092,7 @@ mod tests {
selection:
EventID: 4103
Channel:
- allowlist: ./config/regex/allowlist_legitimate_services.txt
- allowlist: ./rules/config/regex/allowlist_legitimate_services.txt
details: 'command=%CommandLine%'
"#;
@@ -1126,7 +1126,7 @@ mod tests {
selection:
EventID: 4103
Channel:
- allowlist: ./config/regex/allowlist_legitimate_services.txt
- allowlist: ./rules/config/regex/allowlist_legitimate_services.txt
details: 'command=%CommandLine%'
"#;
@@ -1160,7 +1160,7 @@ mod tests {
selection:
EventID: 4103
Channel:
- allowlist: ./config/regex/allowlist_legitimate_services.txt
- allowlist: ./rules/config/regex/allowlist_legitimate_services.txt
details: 'command=%CommandLine%'
"#;

4
src/detections/utils.rs
View File

@@ -267,7 +267,7 @@ mod tests {
#[test]
fn test_check_regex() {
let regexes = utils::read_txt("./config/regex/detectlist_suspicous_services.txt")
let regexes = utils::read_txt("./rules/config/regex/detectlist_suspicous_services.txt")
.unwrap()
.into_iter()
.map(|regex_str| Regex::new(&regex_str).unwrap())
@@ -282,7 +282,7 @@ mod tests {
#[test]
fn test_check_allowlist() {
let commandline = "\"C:\\Program Files\\Google\\Update\\GoogleUpdate.exe\"";
let allowlist = utils::read_txt("./config/regex/allowlist_legitimate_services.txt")
let allowlist = utils::read_txt("./rules/config/regex/allowlist_legitimate_services.txt")
.unwrap()
.into_iter()
.map(|allow_str| Regex::new(&allow_str).unwrap())

6
src/filter.rs
View File

@@ -24,7 +24,7 @@ pub struct DataFilterRule {
}
fn load_record_filters() -> HashMap<String, DataFilterRule> {
let file_path = "config/regex/record_data_filter.txt";
let file_path = "./rules/config/regex/record_data_filter.txt";
let read_result = utils::read_csv(file_path);
let mut ret = HashMap::new();
if read_result.is_err() {
@@ -104,10 +104,10 @@ pub fn exclude_ids() -> RuleExclude {
.args
.is_present("enable-noisy-rules")
{
exclude_ids.insert_ids("config/noisy-rules.txt");
exclude_ids.insert_ids("./rules/config/noisy_rules.txt");
};
exclude_ids.insert_ids("config/exclude-rules.txt");
exclude_ids.insert_ids("./rules/config/exclude_rules.txt");
return exclude_ids;
}

1
src/yaml.rs
View File

@@ -67,6 +67,7 @@ impl ParseYaml {
.unwrap()
.push(format!("[ERROR] {}", errmsg));
}
return io::Result::Ok(String::default());
}
let mut yaml_docs = vec![];
if metadata.unwrap().file_type().is_file() {