From 68329a0748c867d5d5b15171529099f0580614b8 Mon Sep 17 00:00:00 2001 From: DustInDark Date: Thu, 9 Jun 2022 01:08:40 +0900 Subject: [PATCH 01/17] added specified field data from multi data in details #487 --- src/detections/print.rs | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/src/detections/print.rs b/src/detections/print.rs index 5d5d6b43..eb7eaf46 100644 --- a/src/detections/print.rs +++ b/src/detections/print.rs @@ -42,7 +42,8 @@ pub struct AlertMessage {} lazy_static! { pub static ref MESSAGES: Mutex = Mutex::new(Message::new()); - pub static ref ALIASREGEX: Regex = Regex::new(r"%[a-zA-Z0-9-_]+%").unwrap(); + pub static ref ALIASREGEX: Regex = Regex::new(r"%[a-zA-Z0-9-_\[\]]+%").unwrap(); + pub static ref SUFFIXREGEX: Regex = Regex::new(r"\[([0-9]+)\]").unwrap(); pub static ref ERROR_LOG_PATH: String = format!( "./logs/errorlog-{}.log", Local::now().format("%Y%m%d_%H%M%S") @@ -171,6 +172,14 @@ impl Message { tmp_event_record = record; } } + let suffix_match = SUFFIXREGEX.captures(&target_str); + let suffix:i64 = match suffix_match{ + Some(cap) => cap.get(1).map_or(-1, |a| a.as_str().parse().unwrap_or(-1)), + None => -1 + }; + if suffix >= 0 { + tmp_event_record = tmp_event_record.get("Data").unwrap().get(suffix as usize).unwrap_or(tmp_event_record); + } let hash_value = get_serde_number_to_string(tmp_event_record); if hash_value.is_some() { if let Some(hash_value) = hash_value { From c3587bef9a2e40a3f41451b0e0f35493045c8d93 Mon Sep 17 00:00:00 2001 From: DustInDark Date: Thu, 9 Jun 2022 01:09:57 +0900 Subject: [PATCH 02/17] added test #487 --- src/detections/print.rs | 99 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 99 insertions(+) diff --git a/src/detections/print.rs b/src/detections/print.rs index eb7eaf46..b3117093 100644 --- a/src/detections/print.rs +++ b/src/detections/print.rs 
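Review bot: In the second hunk of PATCH 01 (print.rs around line 175), `tmp_event_record.get("Data").unwrap()` panics on any record that has no `Data` key, and the key is hard-coded rather than taken from the placeholder, so with the widened ALIASREGEX a suffix on any other alias (e.g. `%CommandLine[1]%`) also reaches this lookup; one malformed or unexpected event record then aborts the whole run instead of rendering as unavailable. The out-of-range case is the opposite problem: `.unwrap_or(tmp_event_record)` silently falls back to the entire `Data` array, so a wrong index prints every value rather than signalling that the index does not exist. Replacing the body of the branch with `if let Some(item) = tmp_event_record.get("Data").and_then(|d| d.get(suffix as usize)) { tmp_event_record = item; }` removes the panic path and keeps the fallback explicit. The same lookup survives unchanged in the cargo fmt hunk of PATCH 03 and the 1-based hunk of PATCH 04; the enclosing parse_message body starts and ends outside the hunk.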
@@ -550,6 +550,105 @@ mod tests { ); } #[test] + /// output test when no exist info in target record output and described key-value data in eventkey_alias.txt + fn test_parse_message_multiple_no_suffix_in_record() { + let mut message = Message::new(); + let json_str = r##" + { + "Event": { + "EventData": { + "CommandLine": "parsetest3", + "Data": [ + "data1", + "data2", + "data3" + ] + }, + "System": { + "TimeCreated_attributes": { + "SystemTime": "1996-02-27T01:05:01Z" + } + } + } + } + "##; + let event_record: Value = serde_json::from_str(json_str).unwrap(); + let expected = "commandline:parsetest3 data:[\"data1\",\"data2\",\"data3\"]"; + assert_eq!( + message.parse_message( + &event_record, + "commandline:%CommandLine% data:%Data%".to_owned() + ), + expected, + ); + } + #[test] + /// output test when no exist info in target record output and described key-value data in eventkey_alias.txt + fn test_parse_message_multiple_with_suffix_in_record() { + let mut message = Message::new(); + let json_str = r##" + { + "Event": { + "EventData": { + "CommandLine": "parsetest3", + "Data": [ + "data1", + "data2", + "data3" + ] + }, + "System": { + "TimeCreated_attributes": { + "SystemTime": "1996-02-27T01:05:01Z" + } + } + } + } + "##; + let event_record: Value = serde_json::from_str(json_str).unwrap(); + let expected = "commandline:parsetest3 data:data2"; + assert_eq!( + message.parse_message( + &event_record, + "commandline:%CommandLine% data:%Data[1]%".to_owned() + ), + expected, + ); + } + #[test] + /// output test when no exist info in target record output and described key-value data in eventkey_alias.txt + fn test_parse_message_multiple_no_exist_in_record() { + let mut message = Message::new(); + let json_str = r##" + { + "Event": { + "EventData": { + "CommandLine": "parsetest3", + "Data": [ + "data1", + "data2", + "data3" + ] + }, + "System": { + "TimeCreated_attributes": { + "SystemTime": "1996-02-27T01:05:01Z" + } + } + } + } + "##; + let event_record: Value = 
serde_json::from_str(json_str).unwrap(); + let expected = "commandline:parsetest3 data:n/a"; + assert_eq!( + message.parse_message( + &event_record, + "commandline:%CommandLine% data:%Data[-1]%".to_owned() + ), + expected, + ); + } + #[test] /// test of loading output filter config by output_tag.txt fn test_load_output_tag() { let actual = From 7332a774be92b150971bc599e257e75b5316e7e4 Mon Sep 17 00:00:00 2001 From: DustInDark Date: Thu, 9 Jun 2022 01:11:20 +0900 Subject: [PATCH 03/17] cargo fmt --- src/detections/print.rs | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/src/detections/print.rs b/src/detections/print.rs index b3117093..9f5dc78e 100644 --- a/src/detections/print.rs +++ b/src/detections/print.rs @@ -173,12 +173,16 @@ impl Message { } } let suffix_match = SUFFIXREGEX.captures(&target_str); - let suffix:i64 = match suffix_match{ + let suffix: i64 = match suffix_match { Some(cap) => cap.get(1).map_or(-1, |a| a.as_str().parse().unwrap_or(-1)), - None => -1 + None => -1, }; if suffix >= 0 { - tmp_event_record = tmp_event_record.get("Data").unwrap().get(suffix as usize).unwrap_or(tmp_event_record); + tmp_event_record = tmp_event_record + .get("Data") + .unwrap() + .get(suffix as usize) + .unwrap_or(tmp_event_record); } let hash_value = get_serde_number_to_string(tmp_event_record); if hash_value.is_some() { From 4f0bd67ca9441f176da722f6392a1fe044e9ee38 Mon Sep 17 00:00:00 2001 From: DustInDark Date: Thu, 9 Jun 2022 01:16:27 +0900 Subject: [PATCH 04/17] changed treat of suffix in data #487 --- src/detections/print.rs | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/detections/print.rs b/src/detections/print.rs index 9f5dc78e..5680ab63 100644 --- a/src/detections/print.rs +++ b/src/detections/print.rs 
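Review bot: All three tests added in PATCH 02 carry the same doc comment, `/// output test when no exist info in target record output and described key-value data in eventkey_alias.txt`, copied from the neighbouring test, and none of them describes what the test actually checks. Suggested replacements: `/// %Data% without a suffix renders the whole Data array` for test_parse_message_multiple_no_suffix_in_record, `/// %Data[N]% selects a single element of the Data array` for test_parse_message_multiple_with_suffix_in_record, and `/// a suffix SUFFIXREGEX does not accept yields n/a` for test_parse_message_multiple_no_exist_in_record. PATCH 04 later switches the placeholders from 0-based to 1-based, so the comment wording should be kept index-neutral or updated with that change. The tests module starts and ends outside the hunk.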
@@ -177,11 +177,11 @@ impl Message { Some(cap) => cap.get(1).map_or(-1, |a| a.as_str().parse().unwrap_or(-1)), None => -1, }; - if suffix >= 0 { + if suffix >= 1 { tmp_event_record = tmp_event_record .get("Data") .unwrap() - .get(suffix as usize) + .get((suffix - 1) as usize) .unwrap_or(tmp_event_record); } let hash_value = get_serde_number_to_string(tmp_event_record); @@ -614,7 +614,7 @@ mod tests { assert_eq!( message.parse_message( &event_record, - "commandline:%CommandLine% data:%Data[1]%".to_owned() + "commandline:%CommandLine% data:%Data[2]%".to_owned() ), expected, ); @@ -647,7 +647,7 @@ mod tests { assert_eq!( message.parse_message( &event_record, - "commandline:%CommandLine% data:%Data[-1]%".to_owned() + "commandline:%CommandLine% data:%Data[0]%".to_owned() ), expected, ); From d716ffb13e3e35378ef34ab0cd25ad0ebdce6f51 Mon Sep 17 00:00:00 2001 From: DustInDark Date: Thu, 9 Jun 2022 01:53:53 +0900 Subject: [PATCH 05/17] fixed output bug when not set option column #577 --- src/afterfact.rs | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/src/afterfact.rs b/src/afterfact.rs index 32c40b35..e677ac76 100644 --- a/src/afterfact.rs +++ b/src/afterfact.rs @@ -414,7 +414,15 @@ enum ColPos { fn _get_serialized_disp_output(dispformat: Option) -> String { if dispformat.is_none() { - return "Timestamp|Computer|Channel|EventID|Level|RuleTitle|Details|RecordID|RecordInformation\n".to_string(); + let mut titles = vec!["Timestamp","Computer","Channel","EventID","Level","RuleTitle","Details"]; + let arg_match = &configs::CONFIG.read().unwrap().args; + if arg_match.is_present("display-record-id") { + titles.push("RecordID"); + } + if arg_match.is_present("full-data") { + titles.push("RecordInformation"); + } + return format!("{}\n", titles.join("|")); } let mut disp_serializer = csv::WriterBuilder::new() .double_quote(false) From 7e013c8f70a31637759156c4b928353b6cb1c264 Mon Sep 17 00:00:00 2001 
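Review bot: The switch to 1-based placeholder indices in the first hunk of PATCH 04 (`if suffix >= 1` and `.get((suffix - 1) as usize)`) is not stated anywhere in the code, while serde_json arrays are 0-based, so a later reader will read `suffix - 1` as an off-by-one. A comment above the branch, `// placeholder indices are 1-based: %Data[1]% is the first Data element; 0 is treated as no suffix`, would record the convention that the updated tests in the same patch (`%Data[2]%` expecting data2, `%Data[0]%` expecting n/a) rely on. The enclosing function starts and ends outside the hunk.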
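Review bot: In the afterfact.rs hunk of PATCH 05, the header built in `_get_serialized_disp_output` now depends on the `display-record-id` and `full-data` flags, but the row-writing side that has to emit the same columns in the same order is outside this hunk, so nothing ties the two together; if the row builder consults the flags in a different order the header and data columns silently misalign. A comment on the `titles` vector, `// column order must match the order the row serializer emits for the same flags`, and a test that enables both flags would make the coupling explicit (the header test touched in PATCH 16 only covers the no-flag case). The function body continues outside the hunk.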
From: DustInDark Date: Thu, 9 Jun 2022 02:09:24 +0900 Subject: [PATCH 06/17] updated readme #487 --- README-Japanese.md | 9 +++++++++ README.md | 12 +++++++++++- 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/README-Japanese.md b/README-Japanese.md index 6395da26..eab919b5 100644 --- a/README-Japanese.md +++ b/README-Japanese.md @@ -497,6 +497,15 @@ Hayabusaの結果を標準出力に表示しているとき(デフォルト) * `Level`: YML検知ルールの`level`フィールドから来ています。(例:`informational`, `low`, `medium`, `high`, `critical`) デフォルトでは、すべてのレベルのアラートとイベントが出力されますが、`-m`オプションで最低のレベルを指定することができます。例えば`-m high`オプションを付けると、`high`と`critical`アラートしか出力されません。 * `Title`: YML検知ルールの`title`フィールドから来ています。 * `Details`: YML検知ルールの`details`フィールドから来ていますが、このフィールドはHayabusaルールにしかありません。このフィールドはアラートとイベントに関する追加情報を提供し、ログの``部分から有用なデータを抽出することができます。イベントキーのマッピングが間違っている場合、もしくはフィールドが存在しない場合で抽出ができなかった箇所は`n/a` (not available)と記載されます。 +以下のようなレコード情報であるときに複数データの中から特定の情報を取得することができます。(例: 以下のイベントデータで`a`を出力したい場合`%Data[1]%`をdetailsに記載してください) + +```xml + + ....exe + a + b + +``` CSVファイルとして保存する場合、以下の列が追加されます: diff --git a/README.md b/README.md index 1cae6011..64248bfd 100644 --- a/README.md +++ b/README.md 
@@ -495,7 +495,17 @@ When hayabusa output is being displayed to the screen (the default), it will dis * `Event ID`: This comes from the `` field in the event log. * `Level`: This comes from the `level` field in the YML detection rule. (`informational`, `low`, `medium`, `high`, `critical`) By default, all level alerts will be displayed but you can set the minimum level with `-m`. For example, you can set `-m high`) in order to only scan for and display high and critical alerts. * `Title`: This comes from the `title` field in the YML detection rule. -* `Details`: This comes from the `details` field in the YML detection rule, however, only hayabusa rules have this field. This field gives extra information about the alert or event and can extract useful data from the `` portion of the log. For example, usernames, command line information, process information, etc... When a placeholder points to a field that does not exist or there is an incorrect alias mapping, it will be outputted as `n/a` (not available). +* `Details`: This comes from the `details` field in the YML detection rule, however, only hayabusa rules have this field. This field gives extra information about the alert or event and can extract useful data from the `` portion of the log. For example, usernames, command line information, process information, etc... When a placeholder points to a field that does not exist or there is an incorrect alias mapping, it will be outputted as `n/a` (not available). You can specify field data from multi data in details specified. (ex. `%Data[1]%`) + +Note: If you want to output `a` in following eventdata, you would specify `%Data[1]%` in details. + +```xml + + ....exe + a + b + +``` The following additional columns will be added to the output when saving to a CSV file: From 925e386fb27fb9e50ee79409844bd81e3460b0eb Mon Sep 17 00:00:00 2001 
From: DustInDark Date: Thu, 9 Jun 2022 02:14:04 +0900 Subject: [PATCH 07/17] added template in v1.3.1 changeme --- CHANGELOG-Japanese.md | 8 ++++++++ CHANGELOG.md | 8 ++++++++ 2 files changed, 16 insertions(+) diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md index 88617cce..83261747 100644 --- a/CHANGELOG-Japanese.md +++ b/CHANGELOG-Japanese.md @@ -2,10 +2,18 @@ ## v1.3.1 [2022/xx/xx] +**新機能:** + +- xxx + **改善:** - LinuxとmacOSのバイナリサイズをより小さくするために、デバッグシンボルをストリップします。(#568) (@YamatoSecurity) +**バグ修正:** + +- xxx + ## v1.3.0 [2022/06/06] **新機能:** diff --git a/CHANGELOG.md b/CHANGELOG.md index 82736a6e..c52f66a1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,10 +2,18 @@ ## v1.3.1 [2022/xx/xx] +**New Features:** + +- xxx + **Enhancements:** - Strip debug symbols by default for smaller Linux and macOS binaries. (#568) (@YamatoSecurity) +**Bug Fixes:** + +- xxx + ## v1.3.0 [2022/06/06] **New Features:** From b0f1c6abd14483f9415fe1fe48a718ba1b9eddff Mon Sep 17 00:00:00 2001 From: DustInDark Date: Thu, 9 Jun 2022 02:14:39 +0900 Subject: [PATCH 08/17] addded `--visualize-timeline` alias in readme jp --- README-Japanese.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README-Japanese.md b/README-Japanese.md index eab919b5..f050c8cf 100644 --- a/README-Japanese.md +++ b/README-Japanese.md @@ -585,8 +585,8 @@ Hayabusaの結果は`level`毎に文字色が変わります。 ## イベント頻度タイムライン -`--visualize-timeline`オプションを使うことで、検知したイベントの数が5以上の時、頻度のタイムライン(スパークライン)を画面に出力します。 -マーカーの数は最大10個です。デフォルトのCommand PromptとPowerShell Promptでは文字化けされるので、Windows TerminalやiTerm2等のターミナルをご利用ください。 +`-V`または`--visualize-timeline`オプションを使うことで、検知したイベントの数が5以上の時、頻度のタイムライン(スパークライン)を画面に出力します。 +マーカーの数は最大10個です。デフォルトのCommand PromptとPowerShell Promptでは文字化けがでるので、Windows TerminalやiTerm2等のターミナルをご利用ください。 ## 最多検知日の出力 From bf4f80a8b48e21de34d1f685f58623cbaff534c1 Mon Sep 17 00:00:00 2001 
From: DustInDark Date: Thu, 9 Jun 2022 02:20:14 +0900 Subject: [PATCH 09/17] update changelog #487 --- CHANGELOG-Japanese.md | 2 +- CHANGELOG.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md index 83261747..40fe724b 100644 --- a/CHANGELOG-Japanese.md +++ b/CHANGELOG-Japanese.md @@ -4,7 +4,7 @@ **新機能:** -- xxx +- ルール内の`details`で複数の`Data`レコードから特定のデータを指定して出力できるようにした。 (#487) (@hitenkoku) **改善:** diff --git a/CHANGELOG.md b/CHANGELOG.md index c52f66a1..b16d0a1e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,7 +4,7 @@ **New Features:** -- xxx +- Specified field data from multi data in `details` of rules. (#487) (@hitenkoku) **Enhancements:** From 8aa47426c9d711be05f0ac0528bfd8b5d580c665 Mon Sep 17 00:00:00 2001 From: DustInDark Date: Thu, 9 Jun 2022 02:22:22 +0900 Subject: [PATCH 10/17] described new feature it for `Data` record #487 --- README-Japanese.md | 2 +- README.md | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/README-Japanese.md b/README-Japanese.md index f050c8cf..a1858351 100644 --- a/README-Japanese.md +++ b/README-Japanese.md @@ -497,7 +497,7 @@ Hayabusaの結果を標準出力に表示しているとき(デフォルト) * `Level`: YML検知ルールの`level`フィールドから来ています。(例:`informational`, `low`, `medium`, `high`, `critical`) デフォルトでは、すべてのレベルのアラートとイベントが出力されますが、`-m`オプションで最低のレベルを指定することができます。例えば`-m high`オプションを付けると、`high`と`critical`アラートしか出力されません。 * `Title`: YML検知ルールの`title`フィールドから来ています。 * `Details`: YML検知ルールの`details`フィールドから来ていますが、このフィールドはHayabusaルールにしかありません。このフィールドはアラートとイベントに関する追加情報を提供し、ログの``部分から有用なデータを抽出することができます。イベントキーのマッピングが間違っている場合、もしくはフィールドが存在しない場合で抽出ができなかった箇所は`n/a` (not available)と記載されます。 -以下のようなレコード情報であるときに複数データの中から特定の情報を取得することができます。(例: 以下のイベントデータで`a`を出力したい場合`%Data[1]%`をdetailsに記載してください) +以下のように`Data`レコードが複数存在するときに、複数データの中から特定の情報を取得することができます。(例: 以下のイベントデータで`a`を出力したい場合`%Data[1]%`をdetailsに記載してください) ```xml diff --git a/README.md b/README.md index 64248bfd..2d807f06 100644 --- a/README.md +++ b/README.md 
@@ -495,8 +495,9 @@ When hayabusa output is being displayed to the screen (the default), it will dis * `Event ID`: This comes from the `` field in the event log. * `Level`: This comes from the `level` field in the YML detection rule. (`informational`, `low`, `medium`, `high`, `critical`) By default, all level alerts will be displayed but you can set the minimum level with `-m`. For example, you can set `-m high`) in order to only scan for and display high and critical alerts. * `Title`: This comes from the `title` field in the YML detection rule. -* `Details`: This comes from the `details` field in the YML detection rule, however, only hayabusa rules have this field. This field gives extra information about the alert or event and can extract useful data from the `` portion of the log. For example, usernames, command line information, process information, etc... When a placeholder points to a field that does not exist or there is an incorrect alias mapping, it will be outputted as `n/a` (not available). You can specify field data from multi data in details specified. (ex. `%Data[1]%`) +* `Details`: This comes from the `details` field in the YML detection rule, however, only hayabusa rules have this field. This field gives extra information about the alert or event and can extract useful data from the `` portion of the log. For example, usernames, command line information, process information, etc... When a placeholder points to a field that does not exist or there is an incorrect alias mapping, it will be outputted as `n/a` (not available). +You can specify field data from multi `Data` record in details specified. (ex. `%Data[1]%`) Note: If you want to output `a` in following eventdata, you would specify `%Data[1]%` in details. ```xml From 00198d432351fa5ce7549ae9af9bce0e665bc565 Mon Sep 17 00:00:00 2001 
From: DustInDark Date: Thu, 9 Jun 2022 02:23:40 +0900 Subject: [PATCH 11/17] updated changelog #487 --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b16d0a1e..744b88af 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,7 +4,7 @@ **New Features:** -- Specified field data from multi data in `details` of rules. (#487) (@hitenkoku) +- Specified field data from multi `Data` record in `details` of rules. (#487) (@hitenkoku) **Enhancements:** From 513378dc7650d627dd175c7d057981eff435f86b Mon Sep 17 00:00:00 2001 From: DustInDark Date: Thu, 9 Jun 2022 02:26:05 +0900 Subject: [PATCH 12/17] updated changelog #577 --- CHANGELOG-Japanese.md | 2 +- CHANGELOG.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md index 40fe724b..1df746a5 100644 --- a/CHANGELOG-Japanese.md +++ b/CHANGELOG-Japanese.md @@ -12,7 +12,7 @@ **バグ修正:** -- xxx +- 対応するオプションを付与していないときにもRecordIDとRecordInformationの列が出力されていたのを修正した。 (#577) (@hitenkoku) ## v1.3.0 [2022/06/06] diff --git a/CHANGELOG.md b/CHANGELOG.md index 744b88af..9ef433ee 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,7 +12,7 @@ **Bug Fixes:** -- xxx +- fixed bug that RecordID and RecordInformation column is showed when options is not enabled. (#577) (@hitenkoku) ## v1.3.0 [2022/06/06] From 20c4aee9417f21e4ef5a7253fc17636e283a0cf1 Mon Sep 17 00:00:00 2001 From: DustInDark Date: Thu, 9 Jun 2022 02:37:32 +0900 Subject: [PATCH 13/17] fixed document #487 --- README-Japanese.md | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README-Japanese.md b/README-Japanese.md index a1858351..d120d2c6 100644 --- a/README-Japanese.md +++ b/README-Japanese.md 
@@ -497,7 +497,7 @@ Hayabusaの結果を標準出力に表示しているとき(デフォルト) * `Level`: YML検知ルールの`level`フィールドから来ています。(例:`informational`, `low`, `medium`, `high`, `critical`) デフォルトでは、すべてのレベルのアラートとイベントが出力されますが、`-m`オプションで最低のレベルを指定することができます。例えば`-m high`オプションを付けると、`high`と`critical`アラートしか出力されません。 * `Title`: YML検知ルールの`title`フィールドから来ています。 * `Details`: YML検知ルールの`details`フィールドから来ていますが、このフィールドはHayabusaルールにしかありません。このフィールドはアラートとイベントに関する追加情報を提供し、ログの``部分から有用なデータを抽出することができます。イベントキーのマッピングが間違っている場合、もしくはフィールドが存在しない場合で抽出ができなかった箇所は`n/a` (not available)と記載されます。 -以下のように`Data`レコードが複数存在するときに、複数データの中から特定の情報を取得することができます。(例: 以下のイベントデータで`a`を出力したい場合`%Data[1]%`をdetailsに記載してください) +以下のように`Data`レコードが複数存在するときに、複数データの中から特定の情報を取得することができます。(例: 以下のイベントデータで`....exe`を出力したい場合`%Data[1]%`をdetailsに記載してください) ```xml diff --git a/README.md b/README.md index 2d807f06..62163cdb 100644 --- a/README.md +++ b/README.md @@ -498,7 +498,7 @@ When hayabusa output is being displayed to the screen (the default), it will dis * `Details`: This comes from the `details` field in the YML detection rule, however, only hayabusa rules have this field. This field gives extra information about the alert or event and can extract useful data from the `` portion of the log. For example, usernames, command line information, process information, etc... When a placeholder points to a field that does not exist or there is an incorrect alias mapping, it will be outputted as `n/a` (not available). You can specify field data from multi `Data` record in details specified. (ex. `%Data[1]%`) -Note: If you want to output `a` in following eventdata, you would specify `%Data[1]%` in details. +Note: If you want to output `....exe` in following eventdata, you would specify `%Data[1]%` in details. ```xml From fede3afd3b99d3cb47db6df11c6f130405d6e73b Mon Sep 17 00:00:00 2001 From: DustInDark Date: Thu, 9 Jun 2022 09:01:24 +0900 Subject: [PATCH 14/17] cargo fmt --- src/afterfact.rs | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) 
diff --git a/src/afterfact.rs b/src/afterfact.rs index e677ac76..f8ba7206 100644 --- a/src/afterfact.rs +++ b/src/afterfact.rs @@ -414,7 +414,15 @@ enum ColPos { fn _get_serialized_disp_output(dispformat: Option) -> String { if dispformat.is_none() { - let mut titles = vec!["Timestamp","Computer","Channel","EventID","Level","RuleTitle","Details"]; + let mut titles = vec![ + "Timestamp", + "Computer", + "Channel", + "EventID", + "Level", + "RuleTitle", + "Details", + ]; let arg_match = &configs::CONFIG.read().unwrap().args; if arg_match.is_present("display-record-id") { titles.push("RecordID"); From dce84b41854cf5a2fe97393525855aca0b0a36d4 Mon Sep 17 00:00:00 2001 From: Tanaka Zakku <71482215+YamatoSecurity@users.noreply.github.com> Date: Thu, 9 Jun 2022 10:04:59 +0900 Subject: [PATCH 15/17] changelog readme update --- CHANGELOG.md | 2 +- Cargo.lock | 56 ++++++++++++++++++++++++++++++++++++++++++++-- README-Japanese.md | 9 -------- README.md | 11 --------- 4 files changed, 55 insertions(+), 23 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9ef433ee..cce74669 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,7 +4,7 @@ **New Features:** -- Specified field data from multi `Data` record in `details` of rules. (#487) (@hitenkoku) +- You can now specify specific fields when there are multiple fields with the same name (Ex: `Data`). In the `details` line in a rule, specify a placeholder like `%Data[1]%` to display the first `Data` field. (#487) (@hitenkoku) **Enhancements:** diff --git a/Cargo.lock b/Cargo.lock index 42cf7f6b..a37bde5c 100644 --- a/Cargo.lock +++ b/Cargo.lock 
@@ -568,6 +568,21 @@ version = "1.0.7" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1" +[[package]] +name = "foreign-types" +version = "0.3.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f6f339eb8adc052cd2ca78910fda869aefa38d22d5cb648e6485e4d3fc06f3b1" +dependencies = [ + "foreign-types-shared", +] + +[[package]] +name = "foreign-types-shared" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b" + [[package]] name = "form_urlencoded" version = "1.0.1" @@ -699,6 +714,7 @@ dependencies = [ "linked-hash-map", "lock_api", "num_cpus", + "openssl", "pbr", "prettytable-rs", "quick-xml 0.23.0", 
@@ -1103,12 +1119,47 @@ version = "1.12.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7709cef83f0c1f58f666e746a08b21e0085f7440fa6a29cc194d68aac97a4225" +[[package]] +name = "openssl" +version = "0.10.40" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "fb81a6430ac911acb25fe5ac8f1d2af1b4ea8a4fdfda0f1ee4292af2e2d8eb0e" +dependencies = [ + "bitflags", + "cfg-if", + "foreign-types", + "libc", + "once_cell", + "openssl-macros", + "openssl-sys", +] + +[[package]] +name = "openssl-macros" +version = "0.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b501e44f11665960c7e7fcf062c7d96a14ade4aa98116c004b2e37b5be7d736c" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + [[package]] name = "openssl-probe" version = "0.1.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ff011a302c396a5197692431fc1948019154afc178baf7d8e37367442a4601cf" +[[package]] +name = "openssl-src" +version = "111.20.0+1.1.1o" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "92892c4f87d56e376e469ace79f1128fdaded07646ddf73aa0be4706ff712dec" +dependencies = [ + "cc", +] + [[package]] name = "openssl-sys" version = "0.9.74" @@ -1118,6 +1169,7 @@ dependencies = [ "autocfg", "cc", "libc", + "openssl-src", "pkg-config", "vcpkg", ] @@ -1801,9 +1853,9 @@ checksum = "360dfd1d6d30e05fda32ace2c8c70e9c0a9da713275777f5a4dbb8a1893930c6" [[package]] name = "tracing" -version = "0.1.34" +version = "0.1.35" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5d0ecdcb44a79f0fe9844f0c4f33a342cbcbb5117de8001e6ba0dc2351327d09" +checksum = "a400e31aa60b9d44a52a8ee0343b5b18566b03a8321e0d321f695cf56e940160" dependencies = [ "cfg-if", "pin-project-lite", diff --git a/README-Japanese.md b/README-Japanese.md index d120d2c6..545ba66e 100644 --- a/README-Japanese.md +++ b/README-Japanese.md 
@@ -497,15 +497,6 @@ Hayabusaの結果を標準出力に表示しているとき(デフォルト) * `Level`: YML検知ルールの`level`フィールドから来ています。(例:`informational`, `low`, `medium`, `high`, `critical`) デフォルトでは、すべてのレベルのアラートとイベントが出力されますが、`-m`オプションで最低のレベルを指定することができます。例えば`-m high`オプションを付けると、`high`と`critical`アラートしか出力されません。 * `Title`: YML検知ルールの`title`フィールドから来ています。 * `Details`: YML検知ルールの`details`フィールドから来ていますが、このフィールドはHayabusaルールにしかありません。このフィールドはアラートとイベントに関する追加情報を提供し、ログの``部分から有用なデータを抽出することができます。イベントキーのマッピングが間違っている場合、もしくはフィールドが存在しない場合で抽出ができなかった箇所は`n/a` (not available)と記載されます。 -以下のように`Data`レコードが複数存在するときに、複数データの中から特定の情報を取得することができます。(例: 以下のイベントデータで`....exe`を出力したい場合`%Data[1]%`をdetailsに記載してください) - -```xml - - ....exe - a - b - -``` CSVファイルとして保存する場合、以下の列が追加されます: diff --git a/README.md b/README.md index 62163cdb..1cae6011 100644 --- a/README.md +++ b/README.md @@ -497,17 +497,6 @@ When hayabusa output is being displayed to the screen (the default), it will dis * `Title`: This comes from the `title` field in the YML detection rule. * `Details`: This comes from the `details` field in the YML detection rule, however, only hayabusa rules have this field. This field gives extra information about the alert or event and can extract useful data from the `` portion of the log. For example, usernames, command line information, process information, etc... When a placeholder points to a field that does not exist or there is an incorrect alias mapping, it will be outputted as `n/a` (not available). -You can specify field data from multi `Data` record in details specified. (ex. `%Data[1]%`) -Note: If you want to output `....exe` in following eventdata, you would specify `%Data[1]%` in details. - -```xml - - ....exe - a - b - -``` - The following additional columns will be added to the output when saving to a CSV file: * `MitreAttack`: MITRE ATT&CK tactics. From dbee018af1e64e0c5e819b40c69fb54582278b24 Mon Sep 17 00:00:00 2001 
From: DustInDark Date: Thu, 9 Jun 2022 19:51:16 +0900 Subject: [PATCH 16/17] fixed test --- src/afterfact.rs | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/afterfact.rs b/src/afterfact.rs index f8ba7206..86c5317b 100644 --- a/src/afterfact.rs +++ b/src/afterfact.rs @@ -750,8 +750,7 @@ mod tests { let test_timestamp = Utc .datetime_from_str("1996-02-27T01:05:01Z", "%Y-%m-%dT%H:%M:%SZ") .unwrap(); - let expect_header = - "Timestamp|Computer|Channel|EventID|Level|RuleTitle|Details|RecordID|RecordInformation\n"; + let expect_header = "Timestamp|Computer|Channel|EventID|Level|RuleTitle|Details\n"; let expect_tz = test_timestamp.with_timezone(&Local); let expect_no_header = expect_tz From cfbc185f38ef55af58749fb1b0f4ee6779f8c270 Mon Sep 17 00:00:00 2001 From: DustInDark Date: Fri, 10 Jun 2022 09:22:34 +0900 Subject: [PATCH 17/17] change tool chain to stable --- .github/workflows/rust.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml index 54f14bea..f4eb0331 100644 --- a/.github/workflows/rust.yml +++ b/.github/workflows/rust.yml @@ -19,7 +19,7 @@ jobs: submodules: recursive - uses: actions-rs/toolchain@v1 with: - toolchain: nightly + toolchain: stable profile: minimal components: rustfmt override: true
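Review bot: In the afterfact.rs hunk of PATCH 16, the updated `expect_header` pins only the header produced when neither `display-record-id` nor `full-data` is set, so the two flag-dependent columns introduced in PATCH 05 have no assertion at all. Whether the test can toggle those flags depends on how `configs::CONFIG` is populated, which is outside this hunk, but a second expectation such as `"Timestamp|Computer|Channel|EventID|Level|RuleTitle|Details|RecordID|RecordInformation\n"` under both flags would keep the header and the flag handling from drifting apart. The enclosing test function starts and ends outside the hunk.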