fixed logic #301

This commit is contained in:
DustInDark
2021-12-19 16:43:35 +09:00
parent 7f9f2349f2
commit 97b12fc068
5 changed files with 64 additions and 38 deletions


@@ -1,6 +1,7 @@
use crate::detections::configs; use crate::detections::configs;
use crate::detections::print; use crate::detections::print;
use crate::detections::print::AlertMessage; use crate::detections::print::AlertMessage;
use crate::detections::print::ERROR_LOG_PATH;
use chrono::{DateTime, Local, TimeZone, Utc}; use chrono::{DateTime, Local, TimeZone, Utc};
use serde::Serialize; use serde::Serialize;
use std::error::Error; use std::error::Error;
@@ -36,7 +37,7 @@ pub struct DisplayFormat<'a> {
pub fn after_fact() { pub fn after_fact() {
let fn_emit_csv_err = |err: Box<dyn Error>| { let fn_emit_csv_err = |err: Box<dyn Error>| {
AlertMessage::alert( AlertMessage::alert(
&mut std::io::stderr().lock(), &mut BufWriter::new(File::open(ERROR_LOG_PATH.to_string()).unwrap()),
format!("Failed to write CSV. {}", err), format!("Failed to write CSV. {}", err),
true, true,
) )
@@ -55,7 +56,7 @@ pub fn after_fact() {
Ok(file) => Box::new(BufWriter::new(file)), Ok(file) => Box::new(BufWriter::new(file)),
Err(err) => { Err(err) => {
AlertMessage::alert( AlertMessage::alert(
&mut std::io::stderr().lock(), &mut BufWriter::new(File::open(ERROR_LOG_PATH.to_string()).unwrap()),
format!("Failed to open file. {}", err), format!("Failed to open file. {}", err),
true, true,
) )
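Review bot: `File::open(ERROR_LOG_PATH.to_string())` on the new alert line opens the error log read-only, so the message written by `alert` is buffered in the temporary `BufWriter` and the write error surfaces only in its `Drop`, which ignores it — nothing reaches the file, yet `ALERT_COUNT_IN_ERROR_LOG` is still incremented, so `output_error_log_exist` will point the user at a log holding only the `user input:` line. The `.unwrap()` also aborts the run if `create_error_log` has not yet created the file or the directory was not creatable. Even a writable handle would start at offset 0 on each call and overwrite earlier entries rather than append; open it with `OpenOptions::new().append(true).open(&*ERROR_LOG_PATH)` and check the result, or keep one shared writer as the removed `ERROR_LOG_WRITER` did. The same pattern appears in both hunks of this file and in the `Detection`, `create_count_key`, `TimeFrameInfo`, `get_sec_timeframe` and `collect_evtxfiles` hunks below.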


@@ -2,6 +2,7 @@ extern crate csv;
use crate::detections::configs; use crate::detections::configs;
use crate::detections::print::AlertMessage; use crate::detections::print::AlertMessage;
use crate::detections::print::ERROR_LOG_PATH;
use crate::detections::print::MESSAGES; use crate::detections::print::MESSAGES;
use crate::detections::rule; use crate::detections::rule;
use crate::detections::rule::AggResult; use crate::detections::rule::AggResult;
@@ -12,6 +13,8 @@ use crate::yaml::ParseYaml;
use hashbrown; use hashbrown;
use serde_json::Value; use serde_json::Value;
use std::collections::HashMap; use std::collections::HashMap;
use std::fs::File;
use std::io::BufWriter;
use tokio::{runtime::Runtime, spawn, task::JoinHandle}; use tokio::{runtime::Runtime, spawn, task::JoinHandle};
use std::sync::Arc; use std::sync::Arc;
@@ -59,7 +62,7 @@ impl Detection {
rulefile_loader.read_dir(rulespath.unwrap_or(DIRPATH_RULES), &level, exclude_ids); rulefile_loader.read_dir(rulespath.unwrap_or(DIRPATH_RULES), &level, exclude_ids);
if result_readdir.is_err() { if result_readdir.is_err() {
AlertMessage::alert( AlertMessage::alert(
&mut std::io::stderr().lock(), &mut BufWriter::new(File::open(ERROR_LOG_PATH.to_string()).unwrap()),
format!("{}", result_readdir.unwrap_err()), format!("{}", result_readdir.unwrap_err()),
true, true,
) )


@@ -12,10 +12,10 @@ use std::env;
use std::fs::create_dir; use std::fs::create_dir;
use std::fs::remove_file; use std::fs::remove_file;
use std::fs::File; use std::fs::File;
use std::io::BufWriter; use std::io::BufWriter;
use std::io::{self, Write};
use std::path::Path; use std::path::Path;
use std::io::{self, Write};
use std::sync::Mutex; use std::sync::Mutex;
#[derive(Debug)] #[derive(Debug)]
@@ -43,25 +43,9 @@ lazy_static! {
"./hayabusa-logs/errorlog-{}.log", "./hayabusa-logs/errorlog-{}.log",
Local::now().format("%Y%m%d_%H%M%S") Local::now().format("%Y%m%d_%H%M%S")
); );
pub static ref ERROR_LOG_WRITER: Mutex<BufWriter<File>> =
Mutex::new(get_error_file_writer(ERROR_LOG_PATH.to_string()));
pub static ref ALERT_COUNT_IN_ERROR_LOG: Mutex<Counter> = Mutex::new(Counter::new()); pub static ref ALERT_COUNT_IN_ERROR_LOG: Mutex<Counter> = Mutex::new(Counter::new());
} }
//対象のディレクトリが存在することを確認後、最初の定型文を追加して、ファイルのbufwriterを返す関数
fn get_error_file_writer(path_str: String) -> BufWriter<File> {
let path = Path::new(&path_str);
if !path.parent().unwrap().exists() {
create_dir(path.parent().unwrap()).ok();
}
// 1行目は必ず実行したコマンド情報を入れておく。
let mut ret = BufWriter::new(File::create(path).unwrap());
ret.write(format!("user input: {:?}\n", format_args!("{:?}", env::args())).as_bytes())
.ok();
ret.flush().ok();
return ret;
}
#[derive(Copy, Clone)] #[derive(Copy, Clone)]
/// エラーログに出力したエラー回数を保持した構造体 /// エラーログに出力したエラー回数を保持した構造体
pub struct Counter { pub struct Counter {
@@ -224,14 +208,38 @@ impl Message {
} }
impl AlertMessage { impl AlertMessage {
//対象のディレクトリが存在することを確認後、最初の定型文を追加して、ファイルのbufwriterを返す関数
pub fn create_error_log(path_str: String) {
let path = Path::new(&path_str);
if !path.parent().unwrap().exists() {
create_dir(path.parent().unwrap()).ok();
}
// 1行目は必ず実行したコマンド情報を入れておく。
let mut ret = BufWriter::new(File::create(path).unwrap());
ret.write(
format!(
"user input: {:?}\n",
format_args!(
"{}",
env::args()
.map(|arg| arg)
.collect::<Vec<String>>()
.join(" ")
)
)
.as_bytes(),
)
.unwrap();
ret.flush().ok();
}
/// ERRORメッセージを表示する関数。error_log_flagでfalseの場合は外部へのエラーログの書き込みは行わずに指定されたwを用いた出力のみ行う。trueの場合はwを用いた出力を行わずにエラーログへの出力を行う /// ERRORメッセージを表示する関数。error_log_flagでfalseの場合は外部へのエラーログの書き込みは行わずに指定されたwを用いた出力のみ行う。trueの場合はwを用いた出力を行わずにエラーログへの出力を行う
pub fn alert<W: Write>(w: &mut W, contents: String, error_log_flag: bool) -> io::Result<()> { pub fn alert<W: Write>(w: &mut W, contents: String, error_log_flag: bool) -> io::Result<()> {
if error_log_flag { if error_log_flag {
ALERT_COUNT_IN_ERROR_LOG.lock().unwrap().countup(); ALERT_COUNT_IN_ERROR_LOG.lock().unwrap().countup();
writeln!(ERROR_LOG_WRITER.lock().unwrap(), "[ERROR] {}", contents)
} else {
writeln!(w, "[ERROR] {}", contents)
} }
writeln!(w, "[ERROR] {}", contents)
} }
// WARNメッセージを表示する関数 // WARNメッセージを表示する関数
@@ -243,20 +251,20 @@ impl AlertMessage {
pub fn output_error_log_exist() { pub fn output_error_log_exist() {
let error_log_path_str = ERROR_LOG_PATH.to_string(); let error_log_path_str = ERROR_LOG_PATH.to_string();
if ALERT_COUNT_IN_ERROR_LOG.lock().unwrap().count == 0 { if ALERT_COUNT_IN_ERROR_LOG.lock().unwrap().count == 0 {
if remove_file(error_log_path_str).is_err() { if remove_file(&error_log_path_str).is_err() {
AlertMessage::alert( AlertMessage::alert(
&mut std::io::stderr().lock(), &mut std::io::stderr().lock(),
format!("failed to remove file. filepath:{}", error_log_path_str), format!("failed to remove file. filepath:{}", &error_log_path_str),
false, false,
) )
.ok(); .ok();
} }
return; return;
} }
println!(format!( println!(
"Generated error was output to {}. Please see the file for details", "Generated error was output to {}. Please see the file for details",
error_log_path_str &error_log_path_str
)); );
} }
} }
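Review bot: The doc comment kept on `alert` still says that with `error_log_flag == true` nothing is written to `w` and the message goes to the error log, but after this change both branches end in `writeln!(w, "[ERROR] {}", contents)` and the flag only increments `ALERT_COUNT_IN_ERROR_LOG`; the comment should say so, e.g. `/// Writes an ERROR line to w; when error_log_flag is true the error-log alert counter is also incremented.` Likewise the header comment copied onto `create_error_log` still describes returning the file's BufWriter, while the function now returns nothing and drops the writer at the end, which is what forces every caller to reopen the file. In that function `File::create(path).unwrap()` and `path.parent().unwrap()` panic on an unwritable log directory, and `.map(|arg| arg)` is an identity map that can be removed; writing the full `env::args()` to the log also means any sensitive value passed on the command line lands in `hayabusa-logs/errorlog-*.log`, which is worth a note in the comment.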


@@ -1,4 +1,5 @@
use crate::detections::print::AlertMessage; use crate::detections::print::AlertMessage;
use crate::detections::print::ERROR_LOG_PATH;
use crate::detections::rule::AggResult; use crate::detections::rule::AggResult;
use crate::detections::rule::AggregationParseInfo; use crate::detections::rule::AggregationParseInfo;
use crate::detections::rule::Message; use crate::detections::rule::Message;
@@ -6,6 +7,8 @@ use crate::detections::rule::RuleNode;
use chrono::{DateTime, TimeZone, Utc}; use chrono::{DateTime, TimeZone, Utc};
use serde_json::Value; use serde_json::Value;
use std::collections::HashMap; use std::collections::HashMap;
use std::fs::File;
use std::io::BufWriter;
use std::num::ParseIntError; use std::num::ParseIntError;
use crate::detections::rule::aggregation_parser::AggregationConditionToken; use crate::detections::rule::aggregation_parser::AggregationConditionToken;
@@ -57,7 +60,7 @@ pub fn create_count_key(rule: &RuleNode, record: &Value) -> String {
} }
None => { None => {
AlertMessage::alert( AlertMessage::alert(
&mut std::io::stderr().lock(), &mut BufWriter::new(File::open(ERROR_LOG_PATH.to_string()).unwrap()),
format!("field_value alias not found.value:{}", field_value), format!("field_value alias not found.value:{}", field_value),
true, true,
) )
@@ -74,7 +77,7 @@ pub fn create_count_key(rule: &RuleNode, record: &Value) -> String {
} }
None => { None => {
AlertMessage::alert( AlertMessage::alert(
&mut std::io::stderr().lock(), &mut BufWriter::new(File::open(ERROR_LOG_PATH.to_string()).unwrap()),
format!("by_field_value alias not found.value:{}", by_field_value), format!("by_field_value alias not found.value:{}", by_field_value),
true, true,
) )
@@ -157,7 +160,7 @@ impl TimeFrameInfo {
tnum.retain(|c| c != 'd'); tnum.retain(|c| c != 'd');
} else { } else {
AlertMessage::alert( AlertMessage::alert(
&mut std::io::stderr().lock(), &mut BufWriter::new(File::open(ERROR_LOG_PATH.to_string()).unwrap()),
format!("Timeframe is invalid. Input value:{}", value), format!("Timeframe is invalid. Input value:{}", value),
true, true,
) )
@@ -190,7 +193,7 @@ pub fn get_sec_timeframe(timeframe: &Option<TimeFrameInfo>) -> Option<i64> {
} }
Err(err) => { Err(err) => {
AlertMessage::alert( AlertMessage::alert(
&mut std::io::stderr().lock(), &mut BufWriter::new(File::open(ERROR_LOG_PATH.to_string()).unwrap()),
format!("Timeframe number is invalid. timeframe.{}", err), format!("Timeframe number is invalid. timeframe.{}", err),
true, true,
) )


@@ -6,6 +6,7 @@ use chrono::{DateTime, Local};
use evtx::{EvtxParser, ParserSettings}; use evtx::{EvtxParser, ParserSettings};
use hayabusa::detections::detection::{self, EvtxRecordInfo}; use hayabusa::detections::detection::{self, EvtxRecordInfo};
use hayabusa::detections::print::AlertMessage; use hayabusa::detections::print::AlertMessage;
use hayabusa::detections::print::ERROR_LOG_PATH;
use hayabusa::detections::rule::{get_detection_keys, RuleNode}; use hayabusa::detections::rule::{get_detection_keys, RuleNode};
use hayabusa::filter; use hayabusa::filter;
use hayabusa::omikuji::Omikuji; use hayabusa::omikuji::Omikuji;
@@ -16,6 +17,7 @@ use pbr::ProgressBar;
use serde_json::Value; use serde_json::Value;
use std::collections::{HashMap, HashSet}; use std::collections::{HashMap, HashSet};
use std::fmt::Display; use std::fmt::Display;
use std::io::BufWriter;
use std::sync::Arc; use std::sync::Arc;
use std::{ use std::{
fs::{self, File}, fs::{self, File},
@@ -66,6 +68,7 @@ impl App {
); );
return; return;
} }
AlertMessage::create_error_log(ERROR_LOG_PATH.to_string());
if let Some(filepath) = configs::CONFIG.read().unwrap().args.value_of("filepath") { if let Some(filepath) = configs::CONFIG.read().unwrap().args.value_of("filepath") {
if !filepath.ends_with(".evtx") { if !filepath.ends_with(".evtx") {
AlertMessage::alert( AlertMessage::alert(
@@ -107,9 +110,12 @@ impl App {
fn collect_evtxfiles(&self, dirpath: &str) -> Vec<PathBuf> { fn collect_evtxfiles(&self, dirpath: &str) -> Vec<PathBuf> {
let entries = fs::read_dir(dirpath); let entries = fs::read_dir(dirpath);
if entries.is_err() { if entries.is_err() {
let stderr = std::io::stderr(); AlertMessage::alert(
let mut stderr = stderr.lock(); &mut BufWriter::new(File::open(ERROR_LOG_PATH.to_string()).unwrap()),
AlertMessage::alert(&mut stderr, format!("{}", entries.unwrap_err()), true).ok(); format!("{}", entries.unwrap_err()),
true,
)
.ok();
return vec![]; return vec![];
} }
@@ -141,7 +147,7 @@ impl App {
match fs::read_to_string("./contributors.txt") { match fs::read_to_string("./contributors.txt") {
Ok(contents) => println!("{}", contents), Ok(contents) => println!("{}", contents),
Err(err) => { Err(err) => {
AlertMessage::alert(&mut std::io::stderr().lock(), format!("{}", err), true).ok(); AlertMessage::alert(&mut std::io::stderr().lock(), format!("{}", err), false).ok();
} }
} }
} }
@@ -209,7 +215,12 @@ impl App {
evtx_filepath, evtx_filepath,
record_result.unwrap_err() record_result.unwrap_err()
); );
AlertMessage::alert(&mut std::io::stderr().lock(), errmsg, true).ok(); AlertMessage::alert(
&mut BufWriter::new(File::open(ERROR_LOG_PATH.to_string()).unwrap()),
errmsg,
true,
)
.ok();
continue; continue;
} }