Usage menu update (#302)

* Usage menu update

* usage menuの微調整

* fixed options #302

- changed show-deprecated to enable-deprecated-rules
- changed csv-timeline to output
- change show-noisyalerts to enable-noisy-rules

* fixed option #302

- changed starttimeline to start-timeline

* fixed option #302

- changed q to quiet option

* fixed options #302

- changed endtimeline to end-timeline option
- changed threadnum to thread-number option

Co-authored-by: DustInDark <nextsasasa@gmail.com>
Yamato Security
2021-12-19 20:03:39 +09:00
committed by GitHub
parent 692fdae9a0
commit a023ba46a6
6 changed files with 41 additions and 45 deletions


@@ -43,12 +43,8 @@ pub fn after_fact() {
process::exit(1);
};
let mut displayflag = false;
let mut target: Box<dyn io::Write> = if let Some(csv_path) = configs::CONFIG
.read()
.unwrap()
.args
.value_of("csv-timeline")
{
let mut target: Box<dyn io::Write> =
if let Some(csv_path) = configs::CONFIG.read().unwrap().args.value_of("output") {
// ファイル出力する場合
match File::create(csv_path) {
Ok(file) => Box::new(BufWriter::new(file)),
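Review bot: The `RwLockReadGuard` produced by `configs::CONFIG.read().unwrap()` in the `if let` scrutinee on the `value_of("output")` line is a temporary of the `if let`, and temporaries in an `if let` scrutinee are dropped only after the entire `if`/`else` block (editions before 2024), so the read lock is held across `File::create` and everything in the `else` branch. If any code on either path takes `CONFIG.write()`, that would deadlock; I cannot verify from this hunk whether it does. Copying the value out first releases the guard before the branch: `let output = configs::CONFIG.read().unwrap().args.value_of("output").map(str::to_owned);` followed by `if let Some(csv_path) = output {`. The same shape appears in the `start-timeline` and `end-timeline` `if let`s of `TargetEventTime::new`. `after_fact` starts before and continues after this hunk.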


@@ -52,22 +52,22 @@ fn build_app<'a>() -> ArgMatches<'a> {
return ArgMatches::default();
}
let usages = "-f --filepath=[FILEPATH] 'File path to one .evtx file'
--csv-timeline=[CSV_TIMELINE] 'Save the timeline in CSV format'
let usages = "-d --directory=[DIRECTORY] 'Directory of multiple .evtx files'
-f --filepath=[FILEPATH] 'File path to one .evtx file'
-r --rules=[RULEDIRECTORY] 'Rule file directory (default: ./rules)'
-o --output=[CSV_TIMELINE] 'Save the timeline in CSV format. Example: results.csv'
-v --verbose 'Output verbose information'
-D --enable-deprecated-rules 'Enable sigma rules marked as deprecated'
-n --enable-noisy-rules 'Enable rules marked as noisy'
-m --min-level=[LEVEL] 'Minimum level for rules (default: informational)'
--start-timeline=[STARTTIMELINE] 'Start time of the event to load from event file. Example: '2018/11/28 12:00:00 +09:00''
--end-timeline=[ENDTIMELINE] 'End time of the event to load from event file. Example: '2018/11/28 12:00:00 +09:00''
--rfc-2822 'Output date and time in RFC 2822 format. Example: Mon, 07 Aug 2006 12:34:56 -0600'
--rfc-3339 'Output date and time in RFC 3339 format. Example: 2006-08-07T12:34:56.485214 -06:00'
--verbose 'Output verbose information to target event file path and rule file'
--starttimeline=[STARTTIMELINE] 'Start time of the event to load from event file. Example: '2018/11/28 12:00:00 +09:00''
--endtimeline=[ENDTIMELINE]'End time of the event to load from event file. Example: '2018/11/28 12:00:00 +09:00''
-q 'Quiet mode. Do not display the launch banner'
-r --rules=[RULEDIRECTORY] 'Rule file directory (default: ./rules)'
-m --min-level=[LEVEL] 'Minimum level for rules (default: informational)'
-u --utc 'Output time in UTC format (default: local time)'
-d --directory=[DIRECTORY] 'Directory of multiple .evtx files'
-t --thread-number=[NUMBER] 'Thread number (default: optimal number for performance)'
-s --statistics 'Prints statistics of event IDs'
-n --show-noisyalerts 'do not exclude noisy rules'
-t --threadnum=[NUM] 'Thread number (default: optimal number for performance)'
--show-deprecated 'do not exclude rules with YAML's status deprecated'
-q --quiet 'Quiet mode. Do not display the launch banner'
--contributors 'Prints the list of contributors'";
App::new(&program)
.about("Hayabusa: Aiming to be the world's greatest Windows event log analysis tool!")
@@ -131,8 +131,8 @@ pub struct TargetEventTime {
impl TargetEventTime {
pub fn new() -> Self {
let start_time = if let Some(s_time) = CONFIG.read().unwrap().args.value_of("starttimeline")
{
let start_time =
if let Some(s_time) = CONFIG.read().unwrap().args.value_of("start-timeline") {
match DateTime::parse_from_str(s_time, "%Y-%m-%d %H:%M:%S %z") // 2014-11-28 21:00:09 +09:00
.or_else(|_| DateTime::parse_from_str(s_time, "%Y/%m/%d %H:%M:%S %z")) // 2014/11/28 21:00:09 +09:00
{
@@ -149,7 +149,7 @@ impl TargetEventTime {
} else {
None
};
let end_time = if let Some(e_time) = CONFIG.read().unwrap().args.value_of("endtimeline") {
let end_time = if let Some(e_time) = CONFIG.read().unwrap().args.value_of("end-timeline") {
match DateTime::parse_from_str(e_time, "%Y-%m-%d %H:%M:%S %z") // 2014-11-28 21:00:09 +09:00
.or_else(|_| DateTime::parse_from_str(e_time, "%Y/%m/%d %H:%M:%S %z")) // 2014/11/28 21:00:09 +09:00
{
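Review bot: In the `build_app` usage string, the renamed `-o --output` option still carries the placeholder `[CSV_TIMELINE]`, so `--help` will render `--output=<CSV_TIMELINE>` for a flag whose name no longer says CSV; `-o --output=[OUTPUT_FILE] 'Save the timeline in CSV format. Example: results.csv'` reads consistently with the rename. The new `-D` short alias for `--enable-deprecated-rules` differs from `-d --directory=[DIRECTORY]` only in case, so a mistyped `-d` would switch on deprecated rules instead of setting the input directory; since the long form existed without a short alias before, consider keeping it long-only. Every renamed option (`--output`, `--start-timeline`, `--end-timeline`, `--thread-number`, `--quiet`, `--enable-deprecated-rules`, `--enable-noisy-rules`) breaks existing command lines, and the commit touches no README or changelog, so the rename should be recorded there. `build_app` starts before and continues after its hunk.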


@@ -184,7 +184,7 @@ pub fn get_thread_num() -> usize {
let conf = configs::CONFIG.read().unwrap();
let threadnum = &conf
.args
.value_of("threadnum")
.value_of("thread-number")
.unwrap_or(def_thread_num_str.as_str());
return threadnum.parse::<usize>().unwrap().clone();
}
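Review bot: `threadnum.parse::<usize>().unwrap()` on the return line panics with a backtrace whenever `--thread-number` is given a non-numeric value, and `0` parses successfully even though it is presumably not a usable thread count; because the value is user input it should be reported as a usage error instead, e.g. `threadnum.parse::<usize>().ok().filter(|n| *n > 0).unwrap_or_else(|| { eprintln!("--thread-number must be a positive integer, got {}", threadnum); std::process::exit(1) })`, matching the `process::exit(1)` style used in `after_fact`. The trailing `.clone()` on a `usize` is a no-op and can be dropped. `get_thread_num` starts before this hunk, so `def_thread_num_str` is not visible here.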


@@ -18,7 +18,7 @@ pub fn exclude_ids() -> RuleExclude {
.read()
.unwrap()
.args
.is_present("show-noisyalerts")
.is_present("enable-noisy-rules")
{
ids += "\n"; // 改行を入れないとexclude-rulesの一番最後の行とnoisy-rules.txtの一番最初の行が一行にまとめられてしまう。
match fs::read("config/noisy-rules.txt") {


@@ -50,7 +50,7 @@ impl App {
fn exec(&mut self) {
let analysis_start_time: DateTime<Local> = Local::now();
if !configs::CONFIG.read().unwrap().args.is_present("q") {
if !configs::CONFIG.read().unwrap().args.is_present("quiet") {
self.output_logo();
println!("");
self.output_eggs(&format!(


@@ -156,7 +156,7 @@ impl ParseYaml {
.read()
.unwrap()
.args
.is_present("show-deprecated")
.is_present("enable-deprecated-rules")
{
let rule_status = &yaml_doc["status"].as_str();
if rule_status.is_some() && rule_status.unwrap() == "deprecated" {
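Review bot: `rule_status.is_some() && rule_status.unwrap() == "deprecated"` on the last line is the `is_some()`-then-`unwrap()` pattern clippy warns about; `if matches!(rule_status, Some("deprecated")) {` expresses the same test without an unwrap, and `rule_status` being a `&Option<&str>` is handled by default binding modes. The `if` body and the enclosing `ParseYaml` method continue past this hunk.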