Merge branch 'main' into 574-add-more-timestamp-format-options
This commit is contained in:
DustInDark
GitHub
@@ -19,7 +19,7 @@ jobs:
|
||||
submodules: recursive
|
||||
- uses: actions-rs/toolchain@v1
|
||||
with:
|
||||
toolchain: nightly
|
||||
toolchain: stable
|
||||
profile: minimal
|
||||
components: rustfmt
|
||||
override: true
|
||||
|
||||
@@ -4,7 +4,7 @@
|
||||
|
||||
**新機能:**
|
||||
|
||||
- xxx
|
||||
- ルール内の`details`で複数の`Data`レコードから特定のデータを指定して出力できるようにした。 (#487) (@hitenkoku)
|
||||
|
||||
**改善:**
|
||||
|
||||
@@ -16,6 +16,10 @@
|
||||
|
||||
- xxx
|
||||
|
||||
**バグ修正:**
|
||||
|
||||
- 対応するオプションを付与していないときにもRecordIDとRecordInformationの列が出力されていたのを修正した。 (#577) (@hitenkoku)
|
||||
|
||||
## v1.3.0 [2022/06/06]
|
||||
|
||||
**新機能:**
|
||||
|
||||
+5
-1
@@ -4,7 +4,7 @@
|
||||
|
||||
**New Features:**
|
||||
|
||||
- xxx
|
||||
- You can now specify specific fields when there are multiple fields with the same name (Ex: `Data`). In the `details` line in a rule, specify a placeholder like `%Data[1]%` to display the first `Data` field. (#487) (@hitenkoku)
|
||||
|
||||
**Enhancements:**
|
||||
|
||||
@@ -16,6 +16,10 @@
|
||||
|
||||
- xxx
|
||||
|
||||
**Bug Fixes:**
|
||||
|
||||
- fixed bug that RecordID and RecordInformation column is showed when options is not enabled. (#577) (@hitenkoku)
|
||||
|
||||
## v1.3.0 [2022/06/06]
|
||||
|
||||
**New Features:**
|
||||
|
||||
Generated
+2
-2
@@ -1853,9 +1853,9 @@ checksum = "360dfd1d6d30e05fda32ace2c8c70e9c0a9da713275777f5a4dbb8a1893930c6"
|
||||
|
||||
[[package]]
|
||||
name = "tracing"
|
||||
version = "0.1.34"
|
||||
version = "0.1.35"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "5d0ecdcb44a79f0fe9844f0c4f33a342cbcbb5117de8001e6ba0dc2351327d09"
|
||||
checksum = "a400e31aa60b9d44a52a8ee0343b5b18566b03a8321e0d321f695cf56e940160"
|
||||
dependencies = [
|
||||
"cfg-if",
|
||||
"pin-project-lite",
|
||||
|
||||
+2
-2
@@ -579,8 +579,8 @@ Hayabusaの結果は`level`毎に文字色が変わります。
|
||||
|
||||
## イベント頻度タイムライン
|
||||
|
||||
`--visualize-timeline`オプションを使うことで、検知したイベントの数が5以上の時、頻度のタイムライン(スパークライン)を画面に出力します。
|
||||
マーカーの数は最大10個です。デフォルトのCommand PromptとPowerShell Promptでは文字化けされるので、Windows TerminalやiTerm2等のターミナルをご利用ください。
|
||||
`-V`または`--visualize-timeline`オプションを使うことで、検知したイベントの数が5以上の時、頻度のタイムライン(スパークライン)を画面に出力します。
|
||||
マーカーの数は最大10個です。デフォルトのCommand PromptとPowerShell Promptでは文字化けがでるので、Windows TerminalやiTerm2等のターミナルをご利用ください。
|
||||
|
||||
## 最多検知日の出力
|
||||
|
||||
|
||||
+18
-3
@@ -414,7 +414,23 @@ enum ColPos {
|
||||
|
||||
fn _get_serialized_disp_output(dispformat: Option<DisplayFormat>) -> String {
|
||||
if dispformat.is_none() {
|
||||
return "Timestamp|Computer|Channel|EventID|Level|RuleTitle|Details|RecordID|RecordInformation\n".to_string();
|
||||
let mut titles = vec![
|
||||
"Timestamp",
|
||||
"Computer",
|
||||
"Channel",
|
||||
"EventID",
|
||||
"Level",
|
||||
"RuleTitle",
|
||||
"Details",
|
||||
];
|
||||
let arg_match = &configs::CONFIG.read().unwrap().args;
|
||||
if arg_match.is_present("display-record-id") {
|
||||
titles.push("RecordID");
|
||||
}
|
||||
if arg_match.is_present("full-data") {
|
||||
titles.push("RecordInformation");
|
||||
}
|
||||
return format!("{}\n", titles.join("|"));
|
||||
}
|
||||
let mut disp_serializer = csv::WriterBuilder::new()
|
||||
.double_quote(false)
|
||||
@@ -741,8 +757,7 @@ mod tests {
|
||||
let test_timestamp = Utc
|
||||
.datetime_from_str("1996-02-27T01:05:01Z", "%Y-%m-%dT%H:%M:%SZ")
|
||||
.unwrap();
|
||||
let expect_header =
|
||||
"Timestamp|Computer|Channel|EventID|Level|RuleTitle|Details|RecordID|RecordInformation\n";
|
||||
let expect_header = "Timestamp|Computer|Channel|EventID|Level|RuleTitle|Details\n";
|
||||
let expect_tz = test_timestamp.with_timezone(&Local);
|
||||
|
||||
let expect_no_header = expect_tz
|
||||
|
||||
+113
-1
@@ -42,7 +42,8 @@ pub struct AlertMessage {}
|
||||
|
||||
lazy_static! {
|
||||
pub static ref MESSAGES: Mutex<Message> = Mutex::new(Message::new());
|
||||
pub static ref ALIASREGEX: Regex = Regex::new(r"%[a-zA-Z0-9-_]+%").unwrap();
|
||||
pub static ref ALIASREGEX: Regex = Regex::new(r"%[a-zA-Z0-9-_\[\]]+%").unwrap();
|
||||
pub static ref SUFFIXREGEX: Regex = Regex::new(r"\[([0-9]+)\]").unwrap();
|
||||
pub static ref ERROR_LOG_PATH: String = format!(
|
||||
"./logs/errorlog-{}.log",
|
||||
Local::now().format("%Y%m%d_%H%M%S")
|
||||
@@ -171,6 +172,18 @@ impl Message {
|
||||
tmp_event_record = record;
|
||||
}
|
||||
}
|
||||
let suffix_match = SUFFIXREGEX.captures(&target_str);
|
||||
let suffix: i64 = match suffix_match {
|
||||
Some(cap) => cap.get(1).map_or(-1, |a| a.as_str().parse().unwrap_or(-1)),
|
||||
None => -1,
|
||||
};
|
||||
if suffix >= 1 {
|
||||
tmp_event_record = tmp_event_record
|
||||
.get("Data")
|
||||
.unwrap()
|
||||
.get((suffix - 1) as usize)
|
||||
.unwrap_or(tmp_event_record);
|
||||
}
|
||||
let hash_value = get_serde_number_to_string(tmp_event_record);
|
||||
if hash_value.is_some() {
|
||||
if let Some(hash_value) = hash_value {
|
||||
@@ -541,6 +554,105 @@ mod tests {
|
||||
);
|
||||
}
|
||||
#[test]
|
||||
/// output test when no exist info in target record output and described key-value data in eventkey_alias.txt
|
||||
fn test_parse_message_multiple_no_suffix_in_record() {
|
||||
let mut message = Message::new();
|
||||
let json_str = r##"
|
||||
{
|
||||
"Event": {
|
||||
"EventData": {
|
||||
"CommandLine": "parsetest3",
|
||||
"Data": [
|
||||
"data1",
|
||||
"data2",
|
||||
"data3"
|
||||
]
|
||||
},
|
||||
"System": {
|
||||
"TimeCreated_attributes": {
|
||||
"SystemTime": "1996-02-27T01:05:01Z"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
"##;
|
||||
let event_record: Value = serde_json::from_str(json_str).unwrap();
|
||||
let expected = "commandline:parsetest3 data:[\"data1\",\"data2\",\"data3\"]";
|
||||
assert_eq!(
|
||||
message.parse_message(
|
||||
&event_record,
|
||||
"commandline:%CommandLine% data:%Data%".to_owned()
|
||||
),
|
||||
expected,
|
||||
);
|
||||
}
|
||||
#[test]
|
||||
/// output test when no exist info in target record output and described key-value data in eventkey_alias.txt
|
||||
fn test_parse_message_multiple_with_suffix_in_record() {
|
||||
let mut message = Message::new();
|
||||
let json_str = r##"
|
||||
{
|
||||
"Event": {
|
||||
"EventData": {
|
||||
"CommandLine": "parsetest3",
|
||||
"Data": [
|
||||
"data1",
|
||||
"data2",
|
||||
"data3"
|
||||
]
|
||||
},
|
||||
"System": {
|
||||
"TimeCreated_attributes": {
|
||||
"SystemTime": "1996-02-27T01:05:01Z"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
"##;
|
||||
let event_record: Value = serde_json::from_str(json_str).unwrap();
|
||||
let expected = "commandline:parsetest3 data:data2";
|
||||
assert_eq!(
|
||||
message.parse_message(
|
||||
&event_record,
|
||||
"commandline:%CommandLine% data:%Data[2]%".to_owned()
|
||||
),
|
||||
expected,
|
||||
);
|
||||
}
|
||||
#[test]
|
||||
/// output test when no exist info in target record output and described key-value data in eventkey_alias.txt
|
||||
fn test_parse_message_multiple_no_exist_in_record() {
|
||||
let mut message = Message::new();
|
||||
let json_str = r##"
|
||||
{
|
||||
"Event": {
|
||||
"EventData": {
|
||||
"CommandLine": "parsetest3",
|
||||
"Data": [
|
||||
"data1",
|
||||
"data2",
|
||||
"data3"
|
||||
]
|
||||
},
|
||||
"System": {
|
||||
"TimeCreated_attributes": {
|
||||
"SystemTime": "1996-02-27T01:05:01Z"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
"##;
|
||||
let event_record: Value = serde_json::from_str(json_str).unwrap();
|
||||
let expected = "commandline:parsetest3 data:n/a";
|
||||
assert_eq!(
|
||||
message.parse_message(
|
||||
&event_record,
|
||||
"commandline:%CommandLine% data:%Data[0]%".to_owned()
|
||||
),
|
||||
expected,
|
||||
);
|
||||
}
|
||||
#[test]
|
||||
/// test of loading output filter config by output_tag.txt
|
||||
fn test_load_output_tag() {
|
||||
let actual =
|
||||
|
||||
Reference in New Issue
Block a user