CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

設計変更、コマンドライン オプション受け取るように修正

Browse Source
This commit is contained in:
akiranishikawa
2020-09-25 17:25:55 +09:00
parent e49e90931e
commit a5b1268878
6 changed files with 121 additions and 57 deletions
Download Patch File Download Diff File Expand all files Collapse all files

67
src/detections/detection.rs Normal file
View File

@@ -0,0 +1,67 @@
extern crate quick_xml;
use std::collections::BTreeMap;
use std::collections::HashMap;
use crate::models::event;
use evtx::EvtxParser;
use crate::detections::common;
use crate::detections::security;
use crate::detections::system;
use crate::detections::application;
use quick_xml::de::{DeError};
#[derive(Debug)]
pub struct Detection {
timeline_list : BTreeMap<String, String>,
}
impl Detection {
pub fn new() -> Detection {
Detection {
timeline_list: BTreeMap::new(),
}
}
pub fn start(&mut self, mut parser: EvtxParser<std::fs::File>) -> Result<(), DeError> {
let mut common: common::Common = common::Common::new();
let mut security = security::Security::new();
let mut system = system::System::new();
let mut application = application::Application::new();
for record in parser.records() {
match record {
Ok(r) => {
let event: event::Evtx = quick_xml::de::from_str(&r.data)?;
let event_id = event.system.event_id.to_string();
let channel = event.system.channel.to_string();
let event_data = event.parse_event_data();
&common.detection(&event.system, &event_data);
//&common.detection(&event.system, &event_data);
if channel == "Security" {
&security.detection(event_id, &event.system, event_data);
} else if channel == "System" {
&system.detection();
} else if channel == "Application" {
&application.detection();
} else {
//&other.detection();
}
},
Err(e) => eprintln!("{}", e),
}
}
////////////////////////////
// 表示
////////////////////////////
common.disp();
security.disp();
return Ok(())
}
}