CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #30 from YamatoSecurity/feature/yaml

Browse Source 
Feature/yaml
This commit is contained in:
ichiichi
2020-11-11 23:22:47 +09:00
committed by GitHub
parent d3ec46e6ed f8639bfe85
commit a794e011a9
12 changed files with 119 additions and 130 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
Cargo.lock generated
View File

@@ -533,6 +533,12 @@ version = "0.2.77"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f2f96b10ec2560088a8e76961b00d47107b3a625fecb76dedb29ee7ccbf98235"
[[package]]
name = "linked-hash-map"
version = "0.5.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8dd5a6d5999d9907cda8ed67bbd137d3af8085216c2ac62de5be860bd41f304a"
[[package]]
name = "log"
version = "0.4.11"
@@ -1073,15 +1079,6 @@ dependencies = [
"winapi",
]
[[package]]
name = "toml"
version = "0.5.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ffc92d160b1eef40665be3a05630d003936a3bc7da7421277846c2613e92c71a"
dependencies = [
"serde",
]
[[package]]
name = "unicode-width"
version = "0.1.8"
@@ -1200,5 +1197,14 @@ dependencies = [
"serde",
"serde_derive",
"serde_json",
"toml",
"yaml-rust",
]
[[package]]
name = "yaml-rust"
version = "0.4.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "39f0c922f1a334134dc2f7a8b67dc5d25f0735263feec974345ff706bcf20b0d"
dependencies = [
"linked-hash-map",
]

2
Cargo.toml
View File

@@ -17,9 +17,9 @@ regex = "1"
csv = "1.1"
base64 = "*"
flate2 = "1.0"
toml = "0.5"
lazy_static = "1.4.0"
chrono = "0.4.19"
yaml-rust = "0.4"
[target.x86_64-pc-windows-gnu]
linker = "x86_64-w64-mingw32-gcc"

2
rules/test.toml
View File

@@ -1,2 +0,0 @@
[rule]
severity = "high"

6
src/detections/configs.rs
View File

@@ -1,4 +1,3 @@
use crate::toml;
use clap::{App, AppSettings, Arg, ArgMatches};
use std::fs::File;
use std::io::prelude::*;
@@ -9,7 +8,6 @@ pub struct SingletonReader {
pub regex: Vec<Vec<String>>,
pub whitelist: Vec<Vec<String>>,
pub args: ArgMatches<'static>,
pub rules: toml::ParseToml,
}
pub fn singleton() -> Box<SingletonReader> {
@@ -18,14 +16,10 @@ pub fn singleton() -> Box<SingletonReader> {
unsafe {
ONCE.call_once(|| {
let mut toml = toml::ParseToml::new();
&toml.read_dir("rules".to_string());
let singleton = SingletonReader {
regex: read_csv("regexes.txt"),
whitelist: read_csv("whitelist.txt"),
args: build_app().get_matches(),
rules: toml,
};
SINGLETON = Some(Box::new(singleton));

2
src/lib.rs
View File

@@ -1,4 +1,4 @@
pub mod detections;
pub mod models;
pub mod omikuji;
pub mod toml;
pub mod yaml;

1
src/models/mod.rs
View File

@@ -1,2 +1 @@
pub mod event;
pub mod rule;

14
src/models/rule.rs
View File

@@ -1,14 +0,0 @@
extern crate serde;
use serde::Deserialize;
#[derive(Debug, Deserialize, Clone)]
pub struct Rule {
pub severity: Option<String>,
pub name: Option<String>,
pub message: Option<String>,
}
#[derive(Debug, Deserialize, Clone)]
pub struct Toml {
pub rule: Rule,
}

90
src/toml.rs
View File

@@ -1,90 +0,0 @@
extern crate serde_derive;
extern crate toml;
use crate::models::rule;
use std::fs;
use std::io;
use std::io::{BufReader, Read};
use std::path::{Path, PathBuf};
#[derive(Clone)]
pub struct ParseToml {
pub rules: Vec<Result<rule::Toml, toml::de::Error>>,
}
impl ParseToml {
pub fn new() -> ParseToml {
ParseToml { rules: Vec::new() }
}
pub fn read_file(&self, path: PathBuf) -> Result<String, String> {
let mut file_content = String::new();
let mut fr = fs::File::open(path)
.map(|f| BufReader::new(f))
.map_err(|e| e.to_string())?;
fr.read_to_string(&mut file_content)
.map_err(|e| e.to_string())?;
Ok(file_content)
}
pub fn read_dir<P: AsRef<Path>>(&mut self, path: P) -> io::Result<String> {
Ok(fs::read_dir(path)?
.filter_map(|entry| {
let entry = entry.ok()?;
if entry.file_type().ok()?.is_file() {
match self.read_file(entry.path()) {
Ok(s) => &self.rules.push(toml::from_str(&s)),
Err(e) => panic!("fail to read file: {}", e),
};
}
if entry.file_type().ok()?.is_dir() {
self.read_dir(entry.path());
}
Some("")
})
.collect())
}
}
#[cfg(test)]
mod tests {
use crate::toml;
#[test]
fn test_read_toml() {
let mut toml = toml::ParseToml::new();
&toml.read_dir("test_files/rules".to_string());
for rule in toml.rules {
match rule {
Ok(_rule) => {
if let Some(severity) = _rule.rule.severity {
assert_eq!("high", severity);
}
}
Err(_) => (),
}
}
}
#[test]
fn test_read_multiple_dir() {
let mut toml = toml::ParseToml::new();
&toml.read_dir("test_files".to_string());
for rule in toml.rules {
match rule {
Ok(_rule) => {
if let Some(severity) = _rule.rule.severity {
assert_eq!("high", severity);
}
}
Err(_) => (),
}
}
}
}

82
src/yaml.rs Normal file
View File

@@ -0,0 +1,82 @@
extern crate serde_derive;
extern crate yaml_rust;
use std::fs;
use std::io;
use std::io::{BufReader, Read};
use std::path::{Path, PathBuf};
use yaml_rust::YamlLoader;
pub struct ParseYaml {
pub rules: Vec<yaml_rust::Yaml>,
}
impl ParseYaml {
pub fn new() -> ParseYaml {
ParseYaml { rules: Vec::new() }
}
pub fn read_file(&self, path: PathBuf) -> Result<String, String> {
let mut file_content = String::new();
let mut fr = fs::File::open(path)
.map(|f| BufReader::new(f))
.map_err(|e| e.to_string())?;
fr.read_to_string(&mut file_content)
.map_err(|e| e.to_string())?;
Ok(file_content)
}
pub fn read_dir<P: AsRef<Path>>(&mut self, path: P) -> io::Result<String> {
Ok(fs::read_dir(path)?
.filter_map(|entry| {
let entry = entry.ok()?;
if entry.file_type().ok()?.is_file() {
match self.read_file(entry.path()) {
Ok(s) => {
let docs = YamlLoader::load_from_str(&s).unwrap();
for i in docs {
if i["enabled"].as_bool().unwrap() {
&self.rules.push(i);
}
}
}
Err(e) => panic!("fail to read file: {}", e),
};
}
if entry.file_type().ok()?.is_dir() {
self.read_dir(entry.path());
}
Some("")
})
.collect())
}
}
#[cfg(test)]
mod tests {
use crate::yaml;
#[test]
fn test_read_yaml() {
let mut yaml = yaml::ParseYaml::new();
&yaml.read_dir("test_files/rules/yaml/".to_string());
for rule in yaml.rules {
if rule["title"].as_str().unwrap() == "Sysmon Check command lines" {
assert_eq!(
"*",
rule["detection"]["selection"]["CommandLine"]
.as_str()
.unwrap()
);
assert_eq!(
1,
rule["detection"]["selection"]["EventID"].as_i64().unwrap()
);
}
}
}
}

2
test_files/rules/test.toml
View File

@@ -1,2 +0,0 @@
[rule]
severity = "high"

3
test_files/rules/test2.toml
View File

@@ -1,3 +0,0 @@
[rule]
severity = "high"
name = "test2"

19
test_files/rules/yaml/1.yml Normal file
View File

@@ -0,0 +1,19 @@
title: Sysmon Check command lines
description: hogehoge
enabled: true
author: Yea
logsource:
product: windows
detection:
selection:
EventLog: Sysmon
EventID: 1
CommandLine: '*'
condition: selection
falsepositives:
- unknown
level: medium
output: 'CommandLine=%CommandLine%¥nParentImage=%ParentImage%'
creation_date: 2020/11/8
uodated_date: 2020/11/8