add default details #359
@@ -6,7 +6,7 @@ use crate::detections::print::AlertMessage;
|
|||||||
use crate::detections::print::DetectInfo;
|
use crate::detections::print::DetectInfo;
|
||||||
use crate::detections::print::ERROR_LOG_STACK;
|
use crate::detections::print::ERROR_LOG_STACK;
|
||||||
use crate::detections::print::MESSAGES;
|
use crate::detections::print::MESSAGES;
|
||||||
use crate::detections::print::{CH_CONFIG, IS_HIDE_RECORD_ID, TAGS_CONFIG};
|
use crate::detections::print::{CH_CONFIG, IS_HIDE_RECORD_ID, TAGS_CONFIG, DEFAULT_DETAILS};
|
||||||
use crate::detections::print::{
|
use crate::detections::print::{
|
||||||
LOGONSUMMARY_FLAG, PIVOT_KEYWORD_LIST_FLAG, QUIET_ERRORS_FLAG, STATISTICS_FLAG,
|
LOGONSUMMARY_FLAG, PIVOT_KEYWORD_LIST_FLAG, QUIET_ERRORS_FLAG, STATISTICS_FLAG,
|
||||||
};
|
};
|
||||||
@@ -236,6 +236,8 @@ impl Detection {
|
|||||||
};
|
};
|
||||||
let ch_str = &get_serde_number_to_string(&record_info.record["Event"]["System"]["Channel"])
|
let ch_str = &get_serde_number_to_string(&record_info.record["Event"]["System"]["Channel"])
|
||||||
.unwrap_or_default();
|
.unwrap_or_default();
|
||||||
|
let eid = get_serde_number_to_string(&record_info.record["Event"]["System"]["EventID"]).unwrap_or_else(|| "-".to_owned());
|
||||||
|
let default_output = DEFAULT_DETAILS.get(&format!("{}_{}",ch_str, &eid)).unwrap_or(&"-".to_string()).to_string();
|
||||||
let detect_info = DetectInfo {
|
let detect_info = DetectInfo {
|
||||||
filepath: record_info.evtx_filepath.to_string(),
|
filepath: record_info.evtx_filepath.to_string(),
|
||||||
rulepath: rule.rulepath.to_string(),
|
rulepath: rule.rulepath.to_string(),
|
||||||
@@ -243,8 +245,7 @@ impl Detection {
|
|||||||
computername: record_info.record["Event"]["System"]["Computer"]
|
computername: record_info.record["Event"]["System"]["Computer"]
|
||||||
.to_string()
|
.to_string()
|
||||||
.replace('\"', ""),
|
.replace('\"', ""),
|
||||||
eventid: get_serde_number_to_string(&record_info.record["Event"]["System"]["EventID"])
|
eventid: eid,
|
||||||
.unwrap_or_else(|| "-".to_owned()),
|
|
||||||
channel: CH_CONFIG.get(ch_str).unwrap_or(ch_str).to_string(),
|
channel: CH_CONFIG.get(ch_str).unwrap_or(ch_str).to_string(),
|
||||||
alert: rule.yaml["title"].as_str().unwrap_or("").to_string(),
|
alert: rule.yaml["title"].as_str().unwrap_or("").to_string(),
|
||||||
detail: String::default(),
|
detail: String::default(),
|
||||||
@@ -254,7 +255,7 @@ impl Detection {
|
|||||||
};
|
};
|
||||||
MESSAGES.lock().unwrap().insert(
|
MESSAGES.lock().unwrap().insert(
|
||||||
&record_info.record,
|
&record_info.record,
|
||||||
rule.yaml["details"].as_str().unwrap_or("").to_string(),
|
rule.yaml["details"].as_str().unwrap_or(&default_output).to_string(),
|
||||||
detect_info,
|
detect_info,
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
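Review bot: The DEFAULT_DETAILS lookup in the hunk at @@ -236 pays for two allocations per record that borrowing avoids: `unwrap_or(&"-".to_string())` builds a temporary String even when the key is present, and `default_output` is then cloned with `.to_string()` although the hunk at @@ -254 only needs a `&str` and the map outlives the call; `let default_output = DEFAULT_DETAILS.get(&format!("{}_{}", ch_str, eid)).map(String::as_str).unwrap_or("-");` followed by `rule.yaml["details"].as_str().unwrap_or(default_output).to_string()` keeps the behaviour with no copies. The key is built here from the Channel field while the loader in print.rs calls the first column `provider`; if default_details.txt is keyed by channel a comment such as `// key is "<Channel>_<EventID>", matching get_default_details` on the lookup line would make that explicit, and if it is keyed by the event provider the lookup presumably has to use the Provider name instead. The enclosing method starts before the first hunk of this file.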
|
|||||||
@@ -65,6 +65,7 @@ lazy_static! {
|
|||||||
pub static ref PIVOT_KEYWORD_LIST_FLAG: bool =
|
pub static ref PIVOT_KEYWORD_LIST_FLAG: bool =
|
||||||
configs::CONFIG.read().unwrap().args.pivot_keywords_list;
|
configs::CONFIG.read().unwrap().args.pivot_keywords_list;
|
||||||
pub static ref IS_HIDE_RECORD_ID: bool = configs::CONFIG.read().unwrap().args.hide_record_id;
|
pub static ref IS_HIDE_RECORD_ID: bool = configs::CONFIG.read().unwrap().args.hide_record_id;
|
||||||
|
pub static ref DEFAULT_DETAILS: HashMap<String, String> = Message::get_default_details();
|
||||||
}
|
}
|
||||||
|
|
||||||
impl Default for Message {
|
impl Default for Message {
|
||||||
@@ -224,6 +225,42 @@ impl Message {
|
|||||||
pub fn clear(&mut self) {
|
pub fn clear(&mut self) {
|
||||||
self.map.clear();
|
self.map.clear();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// detailsのdefault値をファイルから読み取る関数
|
||||||
|
pub fn get_default_details() -> HashMap<String, String> {
|
||||||
|
let read_result = utils::read_csv(&format!("{}/default_details.txt", configs::CONFIG.read().unwrap().args.config.as_path().display()));
|
||||||
|
match read_result {
|
||||||
|
Err(_e) => {
|
||||||
|
AlertMessage::alert(&_e).ok();
|
||||||
|
HashMap::new()
|
||||||
|
},
|
||||||
|
Ok(lines) => {
|
||||||
|
let mut ret:HashMap<String, String> = HashMap::new();
|
||||||
|
lines.into_iter().try_for_each(|line| -> Result<(), String> {
|
||||||
|
let provider = match line.get(0) {
|
||||||
|
Some(_provider) => _provider.trim(),
|
||||||
|
_ => return Result::Err("Failed to read provider in default_details.txt.".to_string())
|
||||||
|
};
|
||||||
|
let eid = match line.get(1) {
|
||||||
|
Some(eid_str) => {
|
||||||
|
match eid_str.trim().parse::<i64>() {
|
||||||
|
Ok(_eid) => _eid,
|
||||||
|
_ => return Result::Err("Parse Error EventID in default_details.txt.".to_string())
|
||||||
|
}
|
||||||
|
},
|
||||||
|
_ => return Result::Err("Failed to read EventID in default_details.txt.".to_string())
|
||||||
|
};
|
||||||
|
let details = match line.get(2) {
|
||||||
|
Some(detail) => detail.trim(),
|
||||||
|
_ => return Result::Err("Failed to read details in default_details.txt.".to_string())
|
||||||
|
};
|
||||||
|
ret.insert(format!("{}_{}", provider, eid), details.to_string());
|
||||||
|
Ok(())
|
||||||
|
}).ok();
|
||||||
|
ret
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
impl AlertMessage {
|
impl AlertMessage {
|
||||||
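Review bot: In get_default_details the `.ok()` on `try_for_each` discards the error message built on the failing line and stops at the first malformed row, so every row after it is silently dropped and the user never sees which line was wrong, even though the Err arm above does report read failures through AlertMessage::alert. Reporting the message the same way and continuing with the next row keeps a single typo from disabling all defaults; the rewrite below does that with a per-row closure, assuming `AlertMessage::alert` accepts a `&String` as it does on the Err arm. While touching it, `Result::Err(...)` is just `Err(...)`, and the underscore-prefixed bindings `_e`, `_provider`, `_eid` are all used, which clippy's used_underscore_binding flags, so plain names read better. The path could also be built with `Path::join` instead of `format!` on `display()`, though that depends on what `utils::read_csv` accepts.
```rust
Ok(lines) => {
    let mut ret: HashMap<String, String> = HashMap::new();
    for line in lines {
        // Parse one row; the error text names the column that was missing or malformed.
        let parsed = (|| -> Result<(String, String), String> {
            let provider = line
                .get(0)
                .ok_or_else(|| "Failed to read provider in default_details.txt.".to_string())?
                .trim();
            let eid = line
                .get(1)
                .ok_or_else(|| "Failed to read EventID in default_details.txt.".to_string())?
                .trim()
                .parse::<i64>()
                .map_err(|_| "Parse Error EventID in default_details.txt.".to_string())?;
            let details = line
                .get(2)
                .ok_or_else(|| "Failed to read details in default_details.txt.".to_string())?
                .trim();
            Ok((format!("{}_{}", provider, eid), details.to_string()))
        })();
        match parsed {
            Ok((key, details)) => {
                ret.insert(key, details);
            }
            // Report the bad row and keep going so one malformed line does not drop the rest of the file.
            Err(msg) => {
                AlertMessage::alert(&msg).ok();
            }
        }
    }
    ret
}
```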
|
|||||||