From 9c8ca18b5fffd8673b45db9369b2e3c3592d314d Mon Sep 17 00:00:00 2001
From: akiranishikawa
Date: Tue, 29 Sep 2020 20:07:45 +0900
Subject: [PATCH] =?UTF-8?q?match=E3=82=92=E4=BD=BF=E3=82=8F=E3=81=AA?= =?UTF-8?q?=E3=81=84=E5=BD=A2=E3=81=AB=E4=BF=AE=E6=AD=A3?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 src/detections/detection.rs | 1 -
 src/detections/security.rs | 81 +++++++++++++++++--------------------
 src/main.rs | 7 ++--
 src/models/event.rs | 28 +++++--------
 4 files changed, 51 insertions(+), 66 deletions(-)

diff --git a/src/detections/detection.rs b/src/detections/detection.rs
index 81431af3..31c64011 100644
--- a/src/detections/detection.rs
+++ b/src/detections/detection.rs
@@ -8,7 +8,6 @@ use crate::models::event;
 use evtx::EvtxParser;
 use quick_xml::de::DeError;
 use std::collections::BTreeMap;
-use std::collections::HashMap;
 
 #[derive(Debug)]
 pub struct Detection {
diff --git a/src/detections/security.rs b/src/detections/security.rs
index f43d347a..82e23f71 100644
--- a/src/detections/security.rs
+++ b/src/detections/security.rs
@@ -42,56 +42,51 @@ impl Security { // Special privileges assigned to new logon (possible admin access) // fn se_debug_privilege(&mut self, event_data: HashMap) { - match event_data.get("PrivilegeList") { - Some(privileage_list) => { - match privileage_list.find("SeDebugPrivilege") { - Some(_data) => { - // alert_all_adminが有効であれば、標準出力して知らせる - // DeepBlueCLIでは必ず0になっていて、基本的には表示されない。 - if self.alert_all_admin == 1 { - println!("Logon with SeDebugPrivilege (admin access)"); - println!("Username:{}", event_data["SubjectUserName"]); - println!("Domain:{}", event_data["SubjectDomainName"]); - println!("User SID:{}", event_data["SubjectUserSid"]); - println!("Domain:{}", event_data["PrivilegeList"]); - } - self.total_admin_logons += 1; + if let Some(privileage_list) = event_data.get("PrivilegeList") { + if let Some(_data) = privileage_list.find("SeDebugPrivilege") { + // alert_all_adminが有効であれば、標準出力して知らせる + // DeepBlueCLIでは必ず0になっていて、基本的には表示されない。 + if self.alert_all_admin == 1 { + println!("Logon with SeDebugPrivilege (admin access)"); + println!("Username:{}", event_data["SubjectUserName"]); + println!("Domain:{}", event_data["SubjectDomainName"]); + println!("User SID:{}", event_data["SubjectUserSid"]); + println!("Domain:{}", event_data["PrivilegeList"]); + } - // admin_logons配列にusernameが含まれているか確認 - match self.admin_logons.get(&event_data["SubjectUserName"]) { - Some(sid) => { - // 含まれていれば、マルチユーザが管理者としてログインしているか確認 - // マルチログオンのデータをセット - if event_data["SubjectUserName"] != event_data["SubjectUserSid"] { - // One username with multiple admin logon SIDs - self.multiple_admin_logons - .insert(event_data["SubjectUserName"].to_string(), 1); + self.total_admin_logons += 1; - let mut count_hash: HashMap = HashMap::new(); - count_hash.insert( - event_data["SubjectUserSid"].to_string(), - sid[&event_data["SubjectUserSid"]] + 1, - ); - self.admin_logons.insert( - event_data["SubjectUserName"].to_string(), - count_hash, - ); - } - } - None => { - // 
admin_logons配列にセットUserNameとSIDとカウンタをセット - let mut count_hash: HashMap = HashMap::new(); - count_hash.insert(event_data["SubjectUserSid"].to_string(), 1); - self.admin_logons - .insert(event_data["SubjectUserName"].to_string(), count_hash); - } + // admin_logons配列にusernameが含まれているか確認 + match self.admin_logons.get(&event_data["SubjectUserName"]) { + Some(sid) => { + // 含まれていれば、マルチユーザが管理者としてログインしているか確認 + // マルチログオンのデータをセット + if event_data["SubjectUserName"] != event_data["SubjectUserSid"] { + // One username with multiple admin logon SIDs + self.multiple_admin_logons + .insert(event_data["SubjectUserName"].to_string(), 1); + + let mut count_hash: HashMap = HashMap::new(); + count_hash.insert( + event_data["SubjectUserSid"].to_string(), + sid[&event_data["SubjectUserSid"]] + 1, + ); + self.admin_logons.insert( + event_data["SubjectUserName"].to_string(), + count_hash, + ); } } - None => (), + None => { + // admin_logons配列にセットUserNameとSIDとカウンタをセット + let mut count_hash: HashMap = HashMap::new(); + count_hash.insert(event_data["SubjectUserSid"].to_string(), 1); + self.admin_logons + .insert(event_data["SubjectUserName"].to_string(), count_hash); + } } } - None => (), } } } diff --git a/src/main.rs b/src/main.rs index 0777aad0..e099bf0a 100644 --- a/src/main.rs +++ b/src/main.rs @@ -4,7 +4,7 @@ extern crate serde; use clap::{App, AppSettings, Arg}; use evtx::EvtxParser; use quick_xml::de::DeError; -use std::{env, path::PathBuf, process}; +use std::{path::PathBuf, process}; use yamato_event_analyzer::detections::detection; fn build_app() -> clap::App<'static, 'static> { @@ -38,9 +38,8 @@ fn main() -> Result<(), DeError> { let args = build_app().get_matches(); let filepath: Option<&str> = args.value_of("filepath"); - match filepath { - Some(filepath) => parse_file(filepath), - None => (), + if let Some(filepath) = filepath { + parse_file(filepath); } Ok(()) diff --git a/src/models/event.rs b/src/models/event.rs index 2a06e6bd..113157b6 100644 --- a/src/models/event.rs 
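Review bot: In the rewritten `Some(sid)` arm, `sid[&event_data["SubjectUserSid"]] + 1` indexes the stored per-user map with the SID of the current record, but when that SID is new for this user (the "multiple admin logon SIDs" case the arm exists to count) the key is absent and the index panics; the guard above it, `event_data["SubjectUserName"] != event_data["SubjectUserSid"]`, compares a user name with a SID and is therefore always true, which suggests `!sid.contains_key(&event_data["SubjectUserSid"])` was intended. The surrounding `event_data["SubjectUserName"]`, `event_data["SubjectDomainName"]` and `event_data["SubjectUserSid"]` lookups also use `[]`, so one record missing any of those fields aborts the whole scan — for a tool whose input is a log file, `.get()` with an early return is the safer shape. `if let Some(_data) = privileage_list.find("SeDebugPrivilege")` binds a value it never uses and reads more simply as `privileage_list.contains("SeDebugPrivilege")`, and the last `println!` labels `PrivilegeList` as `Domain:`. Below is the shape I would use for the counting part; the `println!` block stays as is apart from using the bound `user_name`/`user_sid`, with `SubjectDomainName` given the same `.get()` treatment.
```rust
    if let Some(privileage_list) = event_data.get("PrivilegeList") {
        if !privileage_list.contains("SeDebugPrivilege") {
            return;
        }
        // A record without these fields is malformed: skip it instead of panicking.
        let user_name = match event_data.get("SubjectUserName") {
            Some(name) => name,
            None => return,
        };
        let user_sid = match event_data.get("SubjectUserSid") {
            Some(sid) => sid,
            None => return,
        };

        // … unchanged: alert_all_admin println! block …

        self.total_admin_logons += 1;

        // A user name already seen with a different SID is a multi-SID admin logon.
        let known_user = self.admin_logons.contains_key(user_name);
        let sid_counts = self
            .admin_logons
            .entry(user_name.to_string())
            .or_insert_with(HashMap::new);
        if known_user && !sid_counts.contains_key(user_sid) {
            // One username with multiple admin logon SIDs
            self.multiple_admin_logons.insert(user_name.to_string(), 1);
        }
        *sid_counts.entry(user_sid.to_string()).or_insert(0) += 1;
    }
```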
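Review bot: When `filepath` is `None`, the new `if let` in `main` falls through to `Ok(())`, so the process exits successfully without having parsed anything or printed a message, and a misconfigured invocation looks like a clean run. Unless `build_app()` (outside the hunk) marks `filepath` as required, the `None` case should at least print the usage or return an error. The intermediate `let filepath: Option<&str> = args.value_of("filepath");` can also fold into the guard, `if let Some(filepath) = args.value_of("filepath") {`.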
+++ b/src/models/event.rs @@ -85,12 +85,11 @@ impl Evtx { // 文字列データを取得する // fn get_string(v: &Data) -> String { - match &v.text { - Some(text) => { - return text.to_string(); - } - _ => return "".to_string(), + let mut ret = "".to_string(); + if let Some(text) = &v.text { + ret = text.to_string(); } + return ret; } // @@ -99,21 +98,14 @@ impl Evtx { pub fn parse_event_data(&self) -> HashMap { let mut values = HashMap::new(); - match &self.event_data { - Some(event_data) => match &event_data.data { - Some(data) => { - for v in data.iter() { - match &v.name { - Some(name) => { - values.insert(name.to_string(), Evtx::get_string(v)); - } - None => (), - } + if let Some(event_data) = &self.event_data { + if let Some(data) = &event_data.data { + for v in data.iter() { + if let Some(name) = &v.name { + values.insert(name.to_string(), Evtx::get_string(v)); } } - None => (), - }, - None => (), + } } values
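Review bot: The new body of `get_string` declares a mutable `ret` only to overwrite it inside the `if let` and then finishes with a trailing `return ret;`, which is heavier than the `match` it replaces. The whole function collapses to `v.text.as_ref().map(|t| t.to_string()).unwrap_or_default()`, with no `mut` and no `return`. If `text` is an `Option<String>`, `v.text.clone().unwrap_or_default()` says the same thing more directly.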