Usage menu update (#302)
* Usage menu update * usage menuの微調整 * fixed options #302 - changed show-deprecated to enable-deprecated-rules - changed csv-timeline to output - change show-noisyalerts to enable-noisy-rules * fixed option #302 - changed starttimeline to start-timeline * fixed option #302 - changed q to quiet option * fixed options #302 - changed endtimeline to end-timeline option - changed threadnum to thread-number option Co-authored-by: DustInDark <nextsasasa@gmail.com>
@@ -43,12 +43,8 @@ pub fn after_fact() {
|
|||||||
process::exit(1);
|
process::exit(1);
|
||||||
};
|
};
|
||||||
let mut displayflag = false;
|
let mut displayflag = false;
|
||||||
let mut target: Box<dyn io::Write> = if let Some(csv_path) = configs::CONFIG
|
let mut target: Box<dyn io::Write> =
|
||||||
.read()
|
if let Some(csv_path) = configs::CONFIG.read().unwrap().args.value_of("output") {
|
||||||
.unwrap()
|
|
||||||
.args
|
|
||||||
.value_of("csv-timeline")
|
|
||||||
{
|
|
||||||
// ファイル出力する場合
|
// ファイル出力する場合
|
||||||
match File::create(csv_path) {
|
match File::create(csv_path) {
|
||||||
Ok(file) => Box::new(BufWriter::new(file)),
|
Ok(file) => Box::new(BufWriter::new(file)),
|
||||||
|
|||||||
@@ -52,22 +52,22 @@ fn build_app<'a>() -> ArgMatches<'a> {
|
|||||||
return ArgMatches::default();
|
return ArgMatches::default();
|
||||||
}
|
}
|
||||||
|
|
||||||
let usages = "-f --filepath=[FILEPATH] 'File path to one .evtx file'
|
let usages = "-d --directory=[DIRECTORY] 'Directory of multiple .evtx files'
|
||||||
--csv-timeline=[CSV_TIMELINE] 'Save the timeline in CSV format'
|
-f --filepath=[FILEPATH] 'File path to one .evtx file'
|
||||||
|
-r --rules=[RULEDIRECTORY] 'Rule file directory (default: ./rules)'
|
||||||
|
-o --output=[CSV_TIMELINE] 'Save the timeline in CSV format. Example: results.csv'
|
||||||
|
-v --verbose 'Output verbose information'
|
||||||
|
-D --enable-deprecated-rules 'Enable sigma rules marked as deprecated'
|
||||||
|
-n --enable-noisy-rules 'Enable rules marked as noisy'
|
||||||
|
-m --min-level=[LEVEL] 'Minimum level for rules (default: informational)'
|
||||||
|
--start-timeline=[STARTTIMELINE] 'Start time of the event to load from event file. Example: '2018/11/28 12:00:00 +09:00''
|
||||||
|
--end-timeline=[ENDTIMELINE] 'End time of the event to load from event file. Example: '2018/11/28 12:00:00 +09:00''
|
||||||
--rfc-2822 'Output date and time in RFC 2822 format. Example: Mon, 07 Aug 2006 12:34:56 -0600'
|
--rfc-2822 'Output date and time in RFC 2822 format. Example: Mon, 07 Aug 2006 12:34:56 -0600'
|
||||||
--rfc-3339 'Output date and time in RFC 3339 format. Example: 2006-08-07T12:34:56.485214 -06:00'
|
--rfc-3339 'Output date and time in RFC 3339 format. Example: 2006-08-07T12:34:56.485214 -06:00'
|
||||||
--verbose 'Output verbose information to target event file path and rule file'
|
|
||||||
--starttimeline=[STARTTIMELINE] 'Start time of the event to load from event file. Example: '2018/11/28 12:00:00 +09:00''
|
|
||||||
--endtimeline=[ENDTIMELINE]'End time of the event to load from event file. Example: '2018/11/28 12:00:00 +09:00''
|
|
||||||
-q 'Quiet mode. Do not display the launch banner'
|
|
||||||
-r --rules=[RULEDIRECTORY] 'Rule file directory (default: ./rules)'
|
|
||||||
-m --min-level=[LEVEL] 'Minimum level for rules (default: informational)'
|
|
||||||
-u --utc 'Output time in UTC format (default: local time)'
|
-u --utc 'Output time in UTC format (default: local time)'
|
||||||
-d --directory=[DIRECTORY] 'Directory of multiple .evtx files'
|
-t --thread-number=[NUMBER] 'Thread number (default: optimal number for performance)'
|
||||||
-s --statistics 'Prints statistics of event IDs'
|
-s --statistics 'Prints statistics of event IDs'
|
||||||
-n --show-noisyalerts 'do not exclude noisy rules'
|
-q --quiet 'Quiet mode. Do not display the launch banner'
|
||||||
-t --threadnum=[NUM] 'Thread number (default: optimal number for performance)'
|
|
||||||
--show-deprecated 'do not exclude rules with YAML's status deprecated'
|
|
||||||
--contributors 'Prints the list of contributors'";
|
--contributors 'Prints the list of contributors'";
|
||||||
App::new(&program)
|
App::new(&program)
|
||||||
.about("Hayabusa: Aiming to be the world's greatest Windows event log analysis tool!")
|
.about("Hayabusa: Aiming to be the world's greatest Windows event log analysis tool!")
|
||||||
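Review bot: The new `-v --verbose 'Output verbose information'` entry drops the detail the old help carried ("to target event file path and rule file"), so a user can no longer tell from `--help` what verbose actually prints. If that is still what the flag does, restore it: `-v --verbose 'Output verbose information about the target event file path and the rule files'`. The same help table also keeps the value name `CSV_TIMELINE` on the renamed `-o --output` option; `-o --output=[OUTPUT_FILE]` would read more consistently with the new name, since clap keys the argument by its long flag rather than the value name. The enclosing `build_app` continues past the end of this hunk.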
@@ -131,8 +131,8 @@ pub struct TargetEventTime {
|
|||||||
|
|
||||||
impl TargetEventTime {
|
impl TargetEventTime {
|
||||||
pub fn new() -> Self {
|
pub fn new() -> Self {
|
||||||
let start_time = if let Some(s_time) = CONFIG.read().unwrap().args.value_of("starttimeline")
|
let start_time =
|
||||||
{
|
if let Some(s_time) = CONFIG.read().unwrap().args.value_of("start-timeline") {
|
||||||
match DateTime::parse_from_str(s_time, "%Y-%m-%d %H:%M:%S %z") // 2014-11-28 21:00:09 +09:00
|
match DateTime::parse_from_str(s_time, "%Y-%m-%d %H:%M:%S %z") // 2014-11-28 21:00:09 +09:00
|
||||||
.or_else(|_| DateTime::parse_from_str(s_time, "%Y/%m/%d %H:%M:%S %z")) // 2014/11/28 21:00:09 +09:00
|
.or_else(|_| DateTime::parse_from_str(s_time, "%Y/%m/%d %H:%M:%S %z")) // 2014/11/28 21:00:09 +09:00
|
||||||
{
|
{
|
||||||
@@ -149,7 +149,7 @@ impl TargetEventTime {
|
|||||||
} else {
|
} else {
|
||||||
None
|
None
|
||||||
};
|
};
|
||||||
let end_time = if let Some(e_time) = CONFIG.read().unwrap().args.value_of("endtimeline") {
|
let end_time = if let Some(e_time) = CONFIG.read().unwrap().args.value_of("end-timeline") {
|
||||||
match DateTime::parse_from_str(e_time, "%Y-%m-%d %H:%M:%S %z") // 2014-11-28 21:00:09 +09:00
|
match DateTime::parse_from_str(e_time, "%Y-%m-%d %H:%M:%S %z") // 2014-11-28 21:00:09 +09:00
|
||||||
.or_else(|_| DateTime::parse_from_str(e_time, "%Y/%m/%d %H:%M:%S %z")) // 2014/11/28 21:00:09 +09:00
|
.or_else(|_| DateTime::parse_from_str(e_time, "%Y/%m/%d %H:%M:%S %z")) // 2014/11/28 21:00:09 +09:00
|
||||||
{
|
{
|
||||||
|
|||||||
@@ -184,7 +184,7 @@ pub fn get_thread_num() -> usize {
|
|||||||
let conf = configs::CONFIG.read().unwrap();
|
let conf = configs::CONFIG.read().unwrap();
|
||||||
let threadnum = &conf
|
let threadnum = &conf
|
||||||
.args
|
.args
|
||||||
.value_of("threadnum")
|
.value_of("thread-number")
|
||||||
.unwrap_or(def_thread_num_str.as_str());
|
.unwrap_or(def_thread_num_str.as_str());
|
||||||
return threadnum.parse::<usize>().unwrap().clone();
|
return threadnum.parse::<usize>().unwrap().clone();
|
||||||
}
|
}
|
||||||
|
|||||||
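Review bot: The value read from the renamed `thread-number` option is still fed straight into `.parse::<usize>().unwrap()` on the last line, so a non-numeric `--thread-number` aborts the program with a panic backtrace instead of a usage error; a value of `0` also parses successfully, and what the caller does with zero threads is not visible from this hunk. Replacing the tail with `threadnum.parse::<usize>().unwrap_or_else(|e| {` / `eprintln!("Invalid --thread-number value '{}': {}", threadnum, e); std::process::exit(1)` / `})` reports the bad input and exits cleanly; the trailing `.clone()` on a `usize` and the `return` keyword are both unnecessary and can go at the same time. The start of `get_thread_num`, including where `def_thread_num_str` is built, lies outside this hunk.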
@@ -18,7 +18,7 @@ pub fn exclude_ids() -> RuleExclude {
|
|||||||
.read()
|
.read()
|
||||||
.unwrap()
|
.unwrap()
|
||||||
.args
|
.args
|
||||||
.is_present("show-noisyalerts")
|
.is_present("enable-noisy-rules")
|
||||||
{
|
{
|
||||||
ids += "\n"; // 改行を入れないとexclude-rulesの一番最後の行とnoisy-rules.txtの一番最初の行が一行にまとめられてしまう。
|
ids += "\n"; // 改行を入れないとexclude-rulesの一番最後の行とnoisy-rules.txtの一番最初の行が一行にまとめられてしまう。
|
||||||
match fs::read("config/noisy-rules.txt") {
|
match fs::read("config/noisy-rules.txt") {
|
||||||
|
|||||||
@@ -50,7 +50,7 @@ impl App {
|
|||||||
|
|
||||||
fn exec(&mut self) {
|
fn exec(&mut self) {
|
||||||
let analysis_start_time: DateTime<Local> = Local::now();
|
let analysis_start_time: DateTime<Local> = Local::now();
|
||||||
if !configs::CONFIG.read().unwrap().args.is_present("q") {
|
if !configs::CONFIG.read().unwrap().args.is_present("quiet") {
|
||||||
self.output_logo();
|
self.output_logo();
|
||||||
println!("");
|
println!("");
|
||||||
self.output_eggs(&format!(
|
self.output_eggs(&format!(
|
||||||
|
|||||||
@@ -156,7 +156,7 @@ impl ParseYaml {
|
|||||||
.read()
|
.read()
|
||||||
.unwrap()
|
.unwrap()
|
||||||
.args
|
.args
|
||||||
.is_present("show-deprecated")
|
.is_present("enable-deprecated-rules")
|
||||||
{
|
{
|
||||||
let rule_status = &yaml_doc["status"].as_str();
|
let rule_status = &yaml_doc["status"].as_str();
|
||||||
if rule_status.is_some() && rule_status.unwrap() == "deprecated" {
|
if rule_status.is_some() && rule_status.unwrap() == "deprecated" {
|
||||||
|
|||||||