From 043318b11afef49eecf7c23c46fff878994b3165 Mon Sep 17 00:00:00 2001 From: DustInDark Date: Tue, 21 Jun 2022 13:25:01 +0900 Subject: [PATCH 01/22] added exclude-status option #596 --- src/detections/configs.rs | 15 +++++++++++++-- src/yaml.rs | 16 ++++++++++++++-- 2 files changed, 27 insertions(+), 4 deletions(-) diff --git a/src/detections/configs.rs b/src/detections/configs.rs index 883d7858..ff6f3ac9 100644 --- a/src/detections/configs.rs +++ b/src/detections/configs.rs @@ -32,6 +32,8 @@ lazy_static! { pub static ref TERM_SIZE: Option<(Width, Height)> = terminal_size(); pub static ref TARGET_EXTENSIONS: HashSet = get_target_extensions(CONFIG.read().unwrap().args.evtx_file_ext.as_ref()); + pub static ref EXCLUDE_STATUS: HashSet = + convert_option_vecs_to_hs(CONFIG.read().unwrap().args.exclude_status.as_ref()); } pub struct ConfigReader<'a> { @@ -211,6 +213,10 @@ pub struct Config { /// Specify additional target file extensions (ex: evtx_data) (ex: evtx1 evtx2) #[clap(long = "target-file-ext", multiple_values = true)] pub evtx_file_ext: Option>, + + /// Exclude by status level (ex: expreimental test) + #[clap(long = "exclude-status", multiple_values = true)] + pub exclude_status: Option>, } impl ConfigReader<'_> { @@ -461,12 +467,17 @@ pub fn load_pivot_keywords(path: &str) { /// --target-file-extで追加された拡張子から、調査対象ファイルの拡張子セットを返す関数 pub fn get_target_extensions(arg: Option<&Vec>) -> HashSet { - let mut target_file_extensions: HashSet = - arg.unwrap_or(&Vec::new()).iter().cloned().collect(); + let mut target_file_extensions: HashSet = convert_option_vecs_to_hs(arg); target_file_extensions.insert(String::from("evtx")); target_file_extensions } +/// Option>の内容をHashSetに変換する関数 +pub fn convert_option_vecs_to_hs(arg: Option<&Vec>) -> HashSet { + let ret: HashSet = arg.unwrap_or(&Vec::new()).iter().cloned().collect(); + ret +} + #[derive(Debug, Clone)] pub struct EventInfo { pub evttitle: String, diff --git a/src/yaml.rs b/src/yaml.rs index 49c1ba12..d47468e3 100644 
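Review bot: `EXCLUDE_STATUS` is filled with the raw `--exclude-status` values, so the lookup in yaml.rs is an exact, case-sensitive match and `--exclude-status Experimental` silently excludes nothing. Normalizing once at construction, `convert_option_vecs_to_hs(...).into_iter().map(|s| s.to_lowercase()).collect()`, with the rule's `status` lowercased on the comparison side, removes that surprise; leave `get_target_extensions` on the raw values, since file extensions are case-sensitive on most filesystems. In `convert_option_vecs_to_hs` the `let ret = …; ret` pair is clippy's `let_and_return`; returning the `collect()` expression directly is cleaner, and an English doc line such as `/// Collects an optional list of strings into a HashSet (empty when None).` would help readers who do not read the Japanese comment.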
--- a/src/yaml.rs +++ b/src/yaml.rs @@ -2,9 +2,9 @@ extern crate serde_derive; extern crate yaml_rust; use crate::detections::configs; +use crate::detections::configs::EXCLUDE_STATUS; use crate::detections::print::AlertMessage; -use crate::detections::print::ERROR_LOG_STACK; -use crate::detections::print::QUIET_ERRORS_FLAG; +use crate::detections::print::{ERROR_LOG_STACK, QUIET_ERRORS_FLAG}; use crate::filter::RuleExclude; use hashbrown::HashMap; use std::ffi::OsStr; @@ -237,6 +237,18 @@ impl ParseYaml { } } + let status = &yaml_doc["status"].as_str(); + if let Some(s) = status { + if EXCLUDE_STATUS.contains(&s.to_string()) { + let entry = self + .rule_load_cnt + .entry("excluded".to_string()) + .or_insert(0); + *entry += 1; + return Option::None; + } + } + self.rulecounter.insert( yaml_doc["ruletype"].as_str().unwrap_or("Other").to_string(), self.rulecounter From ec6e0b7c04eef83f3d94e49861254801c6303ddd Mon Sep 17 00:00:00 2001 From: DustInDark Date: Tue, 21 Jun 2022 15:11:58 +0900 Subject: [PATCH 02/22] updated changelog #596 --- CHANGELOG-Japanese.md | 1 + CHANGELOG.md | 1 + 2 files changed, 2 insertions(+) diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md index b8e75cb8..fb2aa949 100644 --- a/CHANGELOG-Japanese.md +++ b/CHANGELOG-Japanese.md @@ -5,6 +5,7 @@ **新機能:** - `--target-file-ext` オプションの追加。evtx以外の拡張子を指定する事ができます。ただし、ファイルの中身の形式はevtxファイル形式である必要があります。 (#586) (@hitenkoku) +- `--exclude-status` オプションの追加。ルール内の`status`フィールドをもとに、読み込み対象から除外するフィルタを利用することができます。 (#596) (@hitenkoku) **改善:** diff --git a/CHANGELOG.md b/CHANGELOG.md index 6f8a06e6..240aff28 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
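Review bot: The status-based exclusion increments `rule_load_cnt["excluded"]`, which appears to be the same bucket the id-based exclude list uses in the block just above (its `entry_key == "excluded"` path is visible in patch 11 of this series), so the load summary can no longer say how many rules were dropped by `--exclude-status` versus by the exclude list; a distinct key such as `"status-excluded"` keeps the two reasons separable in the printout. The lookup can also skip the allocation: a `HashSet<String>` accepts `&str`, so `EXCLUDE_STATUS.contains(s)` works, and `if let Some(s) = yaml_doc["status"].as_str()` avoids the `&Option<&str>` indirection. Rules without a `status` field are never excluded by this option; a one-line comment, `// rules with no status field are never excluded here`, saves the next reader a check. The enclosing method starts and ends outside the hunk.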
@@ -5,6 +5,7 @@ **New Features:** - Added `--target-file-ext` option. You can specify additional file extensions to scan in addtition to the default `.evtx` files. For example, `--target-file-ext evtx_data` or multiple extensions with `--target-file-ext evtx1 evtx2`. (#586) (@hitenkoku) +- Added `--exclude-status` option: Exclude filter by `status` in a rule. (#596) (@hitenkoku) **Enhancements:** From d24a3e3b5898f2c4299a5ba8ab77d318050d9737 Mon Sep 17 00:00:00 2001 From: DustInDark Date: Tue, 21 Jun 2022 15:12:32 +0900 Subject: [PATCH 03/22] updated readme #596 --- README-Japanese.md | 1 + README.md | 1 + src/detections/configs.rs | 2 +- 3 files changed, 3 insertions(+), 1 deletion(-) diff --git a/README-Japanese.md b/README-Japanese.md index 33f4be56..26747b4b 100644 --- a/README-Japanese.md +++ b/README-Japanese.md @@ -338,6 +338,7 @@ OPTIONS: -d, --directory .evtxファイルを持つディレクトリのパス -D, --enable-deprecated-rules Deprecatedルールを有効にする --end-timeline 解析対象とするイベントログの終了時刻 (例: "2022-02-22 23:59:59 +09:00") + --exclude-status ... 読み込み対象外とするルール内でのステータス (ex: experimental) (ex: stable test) -f, --filepath 1つの.evtxファイルに対して解析を行う -F, --full-data 全てのフィールド情報を出力する -h, --help ヘルプ情報を表示する diff --git a/README.md b/README.md index efff6bb9..8e4a785a 100644 --- a/README.md +++ b/README.md @@ -336,6 +336,7 @@ OPTIONS: -d, --directory Directory of multiple .evtx files -D, --enable-deprecated-rules Enable rules marked as deprecated --end-timeline End time of the event logs to load (ex: "2022-02-22 23:59:59 +09:00") + --exclude-status ... Exclude by status in rule (ex: experimental) (ex: stable test) -f, --filepath File path to one .evtx file -F, --full-data Print all field information -h, --help Print help information diff --git a/src/detections/configs.rs b/src/detections/configs.rs index ff6f3ac9..17731171 100644 --- a/src/detections/configs.rs +++ b/src/detections/configs.rs 
@@ -214,7 +214,7 @@ pub struct Config { #[clap(long = "target-file-ext", multiple_values = true)] pub evtx_file_ext: Option>, - /// Exclude by status level (ex: expreimental test) + /// Exclude by status in rule (ex: experimental) (ex: stable test) #[clap(long = "exclude-status", multiple_values = true)] pub exclude_status: Option>, } From 08fc0461effaa80602656273d1f20531b2f73864 Mon Sep 17 00:00:00 2001 From: DustInDark Date: Tue, 21 Jun 2022 15:25:20 +0900 Subject: [PATCH 04/22] fixed test --- test_files/rules/yaml/exclude1.yml | 4 ++-- test_files/rules/yaml/exclude2.yml | 10 ++-------- test_files/rules/yaml/exclude3.yml | 10 ++-------- test_files/rules/yaml/exclude4.yml | 14 ++------------ test_files/rules/yaml/exclude5.yml | 12 ++---------- test_files/rules/yaml/noisy1.yml | 6 ++---- test_files/rules/yaml/noisy2.yml | 24 +++--------------------- test_files/rules/yaml/noisy3.yml | 17 ++--------------- test_files/rules/yaml/noisy4.yml | 16 ++-------------- test_files/rules/yaml/noisy5.yml | 19 ++----------------- 10 files changed, 21 insertions(+), 111 deletions(-) diff --git a/test_files/rules/yaml/exclude1.yml b/test_files/rules/yaml/exclude1.yml index 76e3e73d..7fd19c8d 100644 --- a/test_files/rules/yaml/exclude1.yml +++ b/test_files/rules/yaml/exclude1.yml @@ -1,5 +1,5 @@ -title: Sysmon Check command lines -id : 4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6 +title: Excluded Rule Test 1 +id : 00000000-0000-0000-0000-000000000000 description: hogehoge enabled: true author: Yea diff --git a/test_files/rules/yaml/exclude2.yml b/test_files/rules/yaml/exclude2.yml index e17e37cf..89214921 100644 --- a/test_files/rules/yaml/exclude2.yml +++ b/test_files/rules/yaml/exclude2.yml 
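Review bot: `exclude1.yml` now carries the id `00000000-0000-0000-0000-000000000000`, and the other four exclude fixtures in this patch receive the same id, so the five can no longer be told apart by id; if the exclusion exercised by the tests is keyed on ids listed in a config file (no such file is in this diffstat), that list must carry the new id or the fixtures stop being excluded. A short comment in the fixture, `# placeholder id shared by all exclude fixtures; must match the test exclude list`, would record that dependency.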
@@ -1,13 +1,10 @@ -title: Possible Exploitation of Exchange RCE CVE-2021-42321 -author: Florian Roth, @testanull +title: Excluded Rule 2 date: 2021/11/18 -description: Detects log entries that appear in exploitation attempts against MS Exchange - RCE CVE-2021-42321 detection: condition: 'Cmdlet failed. Cmdlet Get-App, ' falsepositives: - Unknown, please report false positives via https://github.com/SigmaHQ/sigma/issues -id: c92f1896-d1d2-43c3-92d5-7a5b35c217bb +id: 00000000-0000-0000-0000-000000000000 level: critical logsource: product: windows @@ -15,7 +12,4 @@ logsource: references: - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42321 status: experimental -tags: -- attack.lateral_movement -- attack.t1210 ruletype: SIGMA diff --git a/test_files/rules/yaml/exclude3.yml b/test_files/rules/yaml/exclude3.yml index 45f43c4a..e5b79e6d 100644 --- a/test_files/rules/yaml/exclude3.yml +++ b/test_files/rules/yaml/exclude3.yml @@ -1,8 +1,5 @@ -title: Hidden Local User Creation -author: Christian Burkard +title: Excluded Rule 3 date: 2021/05/03 -description: Detects the creation of a local hidden user account which should not - happen for event ID 4720. detection: SELECTION_1: EventID: 4720 @@ -14,7 +11,7 @@ falsepositives: fields: - EventCode - AccountName -id: 7b449a5e-1db5-4dd0-a2dc-4e3a67282538 +id: 00000000-0000-0000-0000-000000000000 level: high logsource: product: windows @@ -22,7 +19,4 @@ logsource: references: - https://twitter.com/SBousseaden/status/1387743867663958021 status: experimental -tags: -- attack.persistence -- attack.t1136.001 ruletype: SIGMA diff --git a/test_files/rules/yaml/exclude4.yml b/test_files/rules/yaml/exclude4.yml index 06b76c48..95fe7061 100644 --- a/test_files/rules/yaml/exclude4.yml +++ b/test_files/rules/yaml/exclude4.yml 
@@ -1,8 +1,5 @@ -title: User Added to Local Administrators -author: Florian Roth +title: Excluded Rule 4 date: 2017/03/14 -description: This rule triggers on user accounts that are added to the local Administrators - group, which could be legitimate activity or a sign of privilege escalation activity detection: SELECTION_1: EventID: 4732 @@ -13,18 +10,11 @@ detection: SELECTION_4: SubjectUserName: '*$' condition: ((SELECTION_1 and (SELECTION_2 or SELECTION_3)) and not (SELECTION_4)) -falsepositives: -- Legitimate administrative activity -id: c265cf08-3f99-46c1-8d59-328247057d57 +id: 00000000-0000-0000-0000-000000000000 level: medium logsource: product: windows service: security modified: 2021/07/07 status: stable -tags: -- attack.privilege_escalation -- attack.t1078 -- attack.persistence -- attack.t1098 ruletype: SIGMA diff --git a/test_files/rules/yaml/exclude5.yml b/test_files/rules/yaml/exclude5.yml index 27ec53cc..b54b5eab 100644 --- a/test_files/rules/yaml/exclude5.yml +++ b/test_files/rules/yaml/exclude5.yml @@ -1,9 +1,5 @@ -title: Local User Creation -author: Patrick Bareiss +title: Excluded Rule 5 date: 2019/04/18 -description: Detects local user creation on windows servers, which shouldn't happen - in an Active Directory environment. Apply this Sigma Use Case on your windows server - logs and not on your DC logs. detection: SELECTION_1: EventID: 4720 @@ -15,7 +11,7 @@ fields: - EventCode - AccountName - AccountDomain -id: 66b6be3d-55d0-4f47-9855-d69df21740ea +id: 00000000-0000-0000-0000-000000000000 level: low logsource: product: windows @@ -24,8 +20,4 @@ modified: 2020/08/23 references: - https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/ status: experimental -tags: -- attack.persistence -- attack.t1136 -- attack.t1136.001 ruletype: SIGMA diff --git a/test_files/rules/yaml/noisy1.yml b/test_files/rules/yaml/noisy1.yml index 6ea217b6..eab1c29a 100644 --- a/test_files/rules/yaml/noisy1.yml +++ b/test_files/rules/yaml/noisy1.yml 
@@ -1,7 +1,5 @@ -title: WMI Event Subscription -author: Tom Ueltschi (@c_APT_ure) +title: Noisy Rule Test1 date: 2019/01/12 -description: Detects creation of WMI event subscription persistence method detection: SELECTION_1: EventID: 19 @@ -12,7 +10,7 @@ detection: condition: (SELECTION_1 or SELECTION_2 or SELECTION_3) falsepositives: - exclude legitimate (vetted) use of WMI event subscription in your network -id: 0f06a3a5-6a09-413f-8743-e6cf35561297 +id: 0090ea60-f4a2-43a8-8657-3a9a4ddcf547 level: high logsource: category: wmi_event diff --git a/test_files/rules/yaml/noisy2.yml b/test_files/rules/yaml/noisy2.yml index 2296fba4..20b18825 100644 --- a/test_files/rules/yaml/noisy2.yml +++ b/test_files/rules/yaml/noisy2.yml @@ -1,9 +1,6 @@ -title: Rare Schtasks Creations -author: Florian Roth +title: Noisy Rule Test2 date: 2017/03/23 -description: Detects rare scheduled tasks creations that only appear a few times per - time frame and could reveal password dumpers, backdoor installs or other types of - malicious code +description: excluded rule detection: SELECTION_1: EventID: 4698 @@ -11,21 +8,6 @@ detection: falsepositives: - Software installation - Software updates -id: b0d77106-7bb0-41fe-bd94-d1752164d066 +id: 8b8db936-172e-4bb7-9f84-ccc954d51d93 level: low -logsource: - definition: The Advanced Audit Policy setting Object Access > Audit Other Object - Access Events has to be configured to allow this detection (not in the baseline - recommendations by Microsoft). We also recommend extracting the Command field - from the embedded XML in the event data. - product: windows - service: security -status: experimental -tags: -- attack.execution -- attack.privilege_escalation -- attack.persistence -- attack.t1053 -- car.2013-08-001 -- attack.t1053.005 ruletype: SIGMA diff --git a/test_files/rules/yaml/noisy3.yml b/test_files/rules/yaml/noisy3.yml index 7e2071a0..8b4f209d 100644 --- a/test_files/rules/yaml/noisy3.yml +++ b/test_files/rules/yaml/noisy3.yml 
@@ -1,26 +1,13 @@ -title: Rare Service Installs -author: Florian Roth +title: Noisy Rule Test 3 date: 2017/03/08 -description: Detects rare service installs that only appear a few times per time frame - and could reveal password dumpers, backdoor installs or other types of malicious - services detection: SELECTION_1: EventID: 7045 condition: SELECTION_1 | count() by ServiceFileName < 5 -falsepositives: -- Software installation -- Software updates -id: 66bfef30-22a5-4fcd-ad44-8d81e60922ae +id: 1703ba97-b2c2-4071-a241-a16d017d25d3 level: low logsource: product: windows service: system status: experimental -tags: -- attack.persistence -- attack.privilege_escalation -- attack.t1050 -- car.2013-09-005 -- attack.t1543.003 ruletype: SIGMA diff --git a/test_files/rules/yaml/noisy4.yml b/test_files/rules/yaml/noisy4.yml index 39bbd1a3..5157c38a 100644 --- a/test_files/rules/yaml/noisy4.yml +++ b/test_files/rules/yaml/noisy4.yml @@ -1,8 +1,5 @@ -title: Failed Logins with Different Accounts from Single Source System -author: Florian Roth +title: Noisy Rule Test 4 date: 2017/01/10 -description: Detects suspicious failed logins with different user accounts from a - single source system detection: SELECTION_1: EventID: 529 @@ -14,20 +11,11 @@ detection: WorkstationName: '*' condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4) | count(TargetUserName) by WorkstationName > 3 -falsepositives: -- Terminal servers -- Jump servers -- Other multiuser systems like Citrix server farms -- Workstations with frequently changing users -id: e98374a6-e2d9-4076-9b5c-11bdb2569995 +id: 9f5663ce-6205-4753-b486-fb8498d1fae5 level: medium logsource: product: windows service: security modified: 2021/09/21 status: experimental -tags: -- attack.persistence -- attack.privilege_escalation -- attack.t1078 ruletype: SIGMA diff --git a/test_files/rules/yaml/noisy5.yml b/test_files/rules/yaml/noisy5.yml index ddfc134a..7a4b62d2 100644 --- a/test_files/rules/yaml/noisy5.yml 
+++ b/test_files/rules/yaml/noisy5.yml @@ -1,8 +1,5 @@ -title: Failed Logins with Different Accounts from Single Source System -author: Florian Roth +title: Noisy Rule Test 5 date: 2017/01/10 -description: Detects suspicious failed logins with different user accounts from a - single source system detection: SELECTION_1: EventID: 4776 @@ -12,23 +9,11 @@ detection: Workstation: '*' condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) | count(TargetUserName) by Workstation > 3 -falsepositives: -- Terminal servers -- Jump servers -- Other multiuser systems like Citrix server farms -- Workstations with frequently changing users -id: 6309ffc4-8fa2-47cf-96b8-a2f72e58e538 +id: 3546ce10-19b4-4c4c-9658-f4f3b5d27ae9 level: medium logsource: product: windows service: security modified: 2021/09/21 -related: -- id: e98374a6-e2d9-4076-9b5c-11bdb2569995 - type: derived status: experimental -tags: -- attack.persistence -- attack.privilege_escalation -- attack.t1078 ruletype: SIGMA From 965e2bb91cd3f76124b8ac9c59525ddce725aa88 Mon Sep 17 00:00:00 2001 From: Tanaka Zakku <71482215+YamatoSecurity@users.noreply.github.com> Date: Tue, 21 Jun 2022 16:30:24 +0900 Subject: [PATCH 05/22] update changelog and readme text --- CHANGELOG-Japanese.md | 2 +- CHANGELOG.md | 4 ++-- README.md | 2 +- src/detections/configs.rs | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md index fb2aa949..afccf3a2 100644 --- a/CHANGELOG-Japanese.md +++ b/CHANGELOG-Japanese.md @@ -1,6 +1,6 @@ # 変更点 -## v1.4 [2022/XX/XX] +## v1.4.0 [2022/XX/XX] **新機能:** diff --git a/CHANGELOG.md b/CHANGELOG.md index 240aff28..e1544c7c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,11 +1,11 @@ # Changes -## v1.4 [2022/XX/XX] +## v1.4.0 [2022/XX/XX] **New Features:** - Added `--target-file-ext` option. You can specify additional file extensions to scan in addtition to the default `.evtx` files. For example, `--target-file-ext evtx_data` or multiple extensions with `--target-file-ext evtx1 evtx2`. (#586) (@hitenkoku) -- Added `--exclude-status` option: Exclude filter by `status` in a rule. (#596) (@hitenkoku) +- Added `--exclude-status` option: You can ignore rules based on their `status`. (#596) (@hitenkoku) **Enhancements:** diff --git a/README.md b/README.md index 8e4a785a..01dc064e 100644 --- a/README.md +++ b/README.md @@ -336,7 +336,7 @@ OPTIONS: -d, --directory Directory of multiple .evtx files -D, --enable-deprecated-rules Enable rules marked as deprecated --end-timeline End time of the event logs to load (ex: "2022-02-22 23:59:59 +09:00") - --exclude-status ... Exclude by status in rule (ex: experimental) (ex: stable test) + --exclude-status ... Ignore rules according to status (ex: experimental) (ex: stable test) -f, --filepath File path to one .evtx file -F, --full-data Print all field information -h, --help Print help information diff --git a/src/detections/configs.rs b/src/detections/configs.rs index 17731171..f6d06a61 100644 --- a/src/detections/configs.rs +++ b/src/detections/configs.rs @@ -214,7 +214,7 @@ pub struct Config { #[clap(long = "target-file-ext", multiple_values = true)] pub evtx_file_ext: Option>, - /// Exclude by status in rule (ex: experimental) (ex: stable test) + /// Ignore rules according to status (ex: experimental) (ex: stable test) #[clap(long = "exclude-status", multiple_values = true)] pub exclude_status: Option>, } From 2a827d34ca2877e0f67fcfee32fec0cf801f018a Mon Sep 17 00:00:00 2001 
From: DustInDark Date: Fri, 24 Jun 2022 22:38:24 +0900 Subject: [PATCH 06/22] changed noisy and excluded rule output and output condition #596 --- src/detections/detection.rs | 47 ++++++++++++++++++++++++------------- 1 file changed, 31 insertions(+), 16 deletions(-) diff --git a/src/detections/detection.rs b/src/detections/detection.rs index dfb01167..55afa139 100644 --- a/src/detections/detection.rs +++ b/src/detections/detection.rs @@ -1,6 +1,9 @@ extern crate csv; use crate::detections::configs; +use crate::detections::utils::write_color_buffer; +use termcolor::{BufferWriter, Color, ColorChoice}; + use crate::detections::pivot::insert_pivot_keyword; use crate::detections::print::AlertMessage; use crate::detections::print::DetectInfo; @@ -119,13 +122,11 @@ impl Detection { .filter_map(return_if_success) .collect(); if !*LOGONSUMMARY_FLAG { - let _ = &rulefile_loader - .rule_load_cnt - .insert(String::from("rule parsing error"), parseerror_count); Detection::print_rule_load_info( &rulefile_loader.rulecounter, &rulefile_loader.rule_load_cnt, &rulefile_loader.rule_status_cnt, + &parseerror_count, ); } ret @@ -363,6 +364,7 @@ impl Detection { rc: &HashMap, ld_rc: &HashMap, st_rc: &HashMap, + err_rc: &u128, ) { if *STATISTICS_FLAG { return; 
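Review bot: `err_rc: &u128` on `print_rule_load_info` borrows a `Copy` integer, which forces the caller to write `&parseerror_count` and the body to compare against `&0_u128`; taking `err_rc: u128` by value is the idiomatic form and lets the body test `err_rc != 0`. The function has no doc comment now that it takes four counters; one line such as `/// Prints the rule load summary: load/exclusion counts, parse-error count, per-status and per-ruletype counts (skipped when STATISTICS_FLAG is set).` would say what each map holds. The function body continues outside the hunk.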
@@ -382,27 +384,40 @@ impl Detection { let mut sorted_st_rc: Vec<(&String, &u128)> = st_rc.iter().collect(); let total_loaded_rule_cnt: u128 = sorted_st_rc.iter().map(|(_, v)| v.to_owned()).sum(); sorted_st_rc.sort_by(|a, b| a.0.cmp(b.0)); + let args = &configs::CONFIG.read().unwrap().args; sorted_st_rc.into_iter().for_each(|(key, value)| { - let rate = if value == &0_u128 { - 0 as f64 - } else { - (*value as f64) / (total_loaded_rule_cnt as f64) * 100.0 - }; - //タイトルに利用するものはascii文字であることを前提として1文字目を大文字にするように変更する - println!( - "{} rules: {} ({:.2}%)", - make_ascii_titlecase(key.clone().as_mut()), - value, - rate - ); + if value != &0_u128 { + let rate = (*value as f64) / (total_loaded_rule_cnt as f64) * 100.0; + let deprecated_flag = if (key == "deprecated" && !args.enable_deprecated_rules)|| (key == "noisy" && !args.enable_noisy_rules) { + " (Disabled)" + } else { "" }; + //タイトルに利用するものはascii文字であることを前提として1文字目を大文字にするように変更する + println!( + "{} rules: {} ({:.2}%){}", + make_ascii_titlecase(key.clone().as_mut()), + value, + rate, + deprecated_flag, + ); + } }); + write_color_buffer( + BufferWriter::stdout(ColorChoice::Always), + Some(Color::Red), + &format!("Rule parsing errors: {}", err_rc) + ).ok(); println!(); let mut sorted_rc: Vec<(&String, &u128)> = rc.iter().collect(); sorted_rc.sort_by(|a, b| a.0.cmp(b.0)); sorted_rc.into_iter().for_each(|(key, value)| { - println!("{} rules: {}", key, value); + write_color_buffer( + BufferWriter::stdout(ColorChoice::Always), + None, + &format!("{} rules: {}", key, value) + ).ok(); }); + println!("Total enabled detection rules: {}", total_loaded_rule_cnt); println!(); } From 63e3dc2b34e041412a6094a514f5cca89a4f6b39 Mon Sep 17 00:00:00 2001 From: DustInDark Date: Fri, 24 Jun 2022 22:39:39 +0900 Subject: [PATCH 07/22] cargo fmt --- src/detections/detection.rs | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/src/detections/detection.rs b/src/detections/detection.rs index 55afa139..948895a9 100644 
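Review bot: `Total enabled detection rules` is the sum of every `st_rc` bucket, yet the same loop labels the `deprecated` bucket `(Disabled)` when `enable_deprecated_rules` is off, so the printed total and the percentages include rules that are not actually enabled. Either subtract the disabled buckets before printing, or rename the line to `Total loaded detection rules` so the number matches what it counts; the same applies to the `(Disabled)` noisy bucket if noisy rules land in `st_rc` (not visible here). `ColorChoice::Always` also forces ANSI escapes into the summary when stdout is redirected to a file, which is common when a run is archived; `ColorChoice::Auto` respects redirection. The function starts outside the hunk.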
--- a/src/detections/detection.rs +++ b/src/detections/detection.rs @@ -388,9 +388,13 @@ impl Detection { sorted_st_rc.into_iter().for_each(|(key, value)| { if value != &0_u128 { let rate = (*value as f64) / (total_loaded_rule_cnt as f64) * 100.0; - let deprecated_flag = if (key == "deprecated" && !args.enable_deprecated_rules)|| (key == "noisy" && !args.enable_noisy_rules) { + let deprecated_flag = if (key == "deprecated" && !args.enable_deprecated_rules) + || (key == "noisy" && !args.enable_noisy_rules) + { " (Disabled)" - } else { "" }; + } else { + "" + }; //タイトルに利用するものはascii文字であることを前提として1文字目を大文字にするように変更する println!( "{} rules: {} ({:.2}%){}", @@ -404,8 +408,9 @@ impl Detection { write_color_buffer( BufferWriter::stdout(ColorChoice::Always), Some(Color::Red), - &format!("Rule parsing errors: {}", err_rc) - ).ok(); + &format!("Rule parsing errors: {}", err_rc), + ) + .ok(); println!(); let mut sorted_rc: Vec<(&String, &u128)> = rc.iter().collect(); @@ -414,8 +419,9 @@ impl Detection { write_color_buffer( BufferWriter::stdout(ColorChoice::Always), None, - &format!("{} rules: {}", key, value) - ).ok(); + &format!("{} rules: {}", key, value), + ) + .ok(); }); println!("Total enabled detection rules: {}", total_loaded_rule_cnt); From 3053a3579a1e61f030d662dd26fbcb2440b34aeb Mon Sep 17 00:00:00 2001 From: DustInDark Date: Fri, 24 Jun 2022 22:57:59 +0900 Subject: [PATCH 08/22] fixed noisy disable flag and rule parse errors output position --- src/detections/detection.rs | 64 +++++++++++++++++++++---------------- 1 file changed, 37 insertions(+), 27 deletions(-) diff --git a/src/detections/detection.rs b/src/detections/detection.rs index 948895a9..a31afb4c 100644 --- a/src/detections/detection.rs +++ b/src/detections/detection.rs 
@@ -371,40 +371,22 @@ impl Detection { } let mut sorted_ld_rc: Vec<(&String, &u128)> = ld_rc.iter().collect(); sorted_ld_rc.sort_by(|a, b| a.0.cmp(b.0)); + let args = &configs::CONFIG.read().unwrap().args; + sorted_ld_rc.into_iter().for_each(|(key, value)| { + let disable_flag = if key == "noisy" && !args.enable_noisy_rules { + " (Disabled)" + } else { + "" + }; //タイトルに利用するものはascii文字であることを前提として1文字目を大文字にするように変更する println!( - "{} rules: {}", + "{} rules: {}{}", make_ascii_titlecase(key.clone().as_mut()), value, + disable_flag, ); }); - println!(); - - let mut sorted_st_rc: Vec<(&String, &u128)> = st_rc.iter().collect(); - let total_loaded_rule_cnt: u128 = sorted_st_rc.iter().map(|(_, v)| v.to_owned()).sum(); - sorted_st_rc.sort_by(|a, b| a.0.cmp(b.0)); - let args = &configs::CONFIG.read().unwrap().args; - sorted_st_rc.into_iter().for_each(|(key, value)| { - if value != &0_u128 { - let rate = (*value as f64) / (total_loaded_rule_cnt as f64) * 100.0; - let deprecated_flag = if (key == "deprecated" && !args.enable_deprecated_rules) - || (key == "noisy" && !args.enable_noisy_rules) - { - " (Disabled)" - } else { - "" - }; - //タイトルに利用するものはascii文字であることを前提として1文字目を大文字にするように変更する - println!( - "{} rules: {} ({:.2}%){}", - make_ascii_titlecase(key.clone().as_mut()), - value, - rate, - deprecated_flag, - ); - } - }); write_color_buffer( BufferWriter::stdout(ColorChoice::Always), Some(Color::Red), 
@@ -413,6 +395,34 @@ impl Detection { .ok(); println!(); + let mut sorted_st_rc: Vec<(&String, &u128)> = st_rc.iter().collect(); + let total_loaded_rule_cnt: u128 = sorted_st_rc.iter().map(|(_, v)| v.to_owned()).sum(); + sorted_st_rc.sort_by(|a, b| a.0.cmp(b.0)); + sorted_st_rc.into_iter().for_each(|(key, value)| { + if value != &0_u128 { + let rate = (*value as f64) / (total_loaded_rule_cnt as f64) * 100.0; + let deprecated_flag = if key == "deprecated" && !args.enable_deprecated_rules { + " (Disabled)" + } else { + "" + }; + //タイトルに利用するものはascii文字であることを前提として1文字目を大文字にするように変更する + write_color_buffer( + BufferWriter::stdout(ColorChoice::Always), + None, + &format!( + "{} rules: {} ({:.2}%){}", + make_ascii_titlecase(key.clone().as_mut()), + value, + rate, + deprecated_flag + ), + ) + .ok(); + } + }); + println!(); + let mut sorted_rc: Vec<(&String, &u128)> = rc.iter().collect(); sorted_rc.sort_by(|a, b| a.0.cmp(b.0)); sorted_rc.into_iter().for_each(|(key, value)| { From 4da7b17784bbd9a34d9d0c7b471c76ac11f247b2 Mon Sep 17 00:00:00 2001 From: DustInDark Date: Fri, 24 Jun 2022 23:02:24 +0900 Subject: [PATCH 09/22] changed hidden rule count output when excluded and noisy and rule parsing error count 0 --- src/detections/detection.rs | 40 ++++++++++++++++++++----------------- 1 file changed, 22 insertions(+), 18 deletions(-) diff --git a/src/detections/detection.rs b/src/detections/detection.rs index a31afb4c..1fa791fe 100644 --- a/src/detections/detection.rs +++ b/src/detections/detection.rs 
@@ -374,25 +374,29 @@ impl Detection { let args = &configs::CONFIG.read().unwrap().args; sorted_ld_rc.into_iter().for_each(|(key, value)| { - let disable_flag = if key == "noisy" && !args.enable_noisy_rules { - " (Disabled)" - } else { - "" - }; - //タイトルに利用するものはascii文字であることを前提として1文字目を大文字にするように変更する - println!( - "{} rules: {}{}", - make_ascii_titlecase(key.clone().as_mut()), - value, - disable_flag, - ); + if value != &0_u128 { + let disable_flag = if key == "noisy" && !args.enable_noisy_rules { + " (Disabled)" + } else { + "" + }; + //タイトルに利用するものはascii文字であることを前提として1文字目を大文字にするように変更する + println!( + "{} rules: {}{}", + make_ascii_titlecase(key.clone().as_mut()), + value, + disable_flag, + ); + } }); - write_color_buffer( - BufferWriter::stdout(ColorChoice::Always), - Some(Color::Red), - &format!("Rule parsing errors: {}", err_rc), - ) - .ok(); + if err_rc != &0_u128 { + write_color_buffer( + BufferWriter::stdout(ColorChoice::Always), + Some(Color::Red), + &format!("Rule parsing errors: {}", err_rc), + ) + .ok(); + } println!(); let mut sorted_st_rc: Vec<(&String, &u128)> = st_rc.iter().collect(); From 5d9782f9714fa1a0d6b05633912dc0f216642cb4 Mon Sep 17 00:00:00 2001 From: DustInDark Date: Fri, 24 Jun 2022 23:06:23 +0900 Subject: [PATCH 10/22] fixed clippy error --- src/detections/detection.rs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/detections/detection.rs b/src/detections/detection.rs index 1fa791fe..597fce32 100644 --- a/src/detections/detection.rs +++ b/src/detections/detection.rs @@ -391,7 +391,7 @@ impl Detection { }); if err_rc != &0_u128 { write_color_buffer( - BufferWriter::stdout(ColorChoice::Always), + &BufferWriter::stdout(ColorChoice::Always), Some(Color::Red), &format!("Rule parsing errors: {}", err_rc), ) 
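Review bot: Hiding the `excluded`/`noisy` lines when their count is zero makes the summary's shape vary between runs, so anyone diffing or parsing the load summary can no longer distinguish "zero rules excluded" from "line not emitted"; keeping those two lines unconditional and only suppressing `Rule parsing errors` at zero, as the second change does, gives a stable report. If the zero-hiding stays, `if *err_rc != 0` reads better than `err_rc != &0_u128`. The function starts outside the hunk.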
@@ -412,7 +412,7 @@ impl Detection { }; //タイトルに利用するものはascii文字であることを前提として1文字目を大文字にするように変更する write_color_buffer( - BufferWriter::stdout(ColorChoice::Always), + &BufferWriter::stdout(ColorChoice::Always), None, &format!( "{} rules: {} ({:.2}%){}", @@ -431,7 +431,7 @@ impl Detection { sorted_rc.sort_by(|a, b| a.0.cmp(b.0)); sorted_rc.into_iter().for_each(|(key, value)| { write_color_buffer( - BufferWriter::stdout(ColorChoice::Always), + &BufferWriter::stdout(ColorChoice::Always), None, &format!("{} rules: {}", key, value), ) From 30da5fb2a00261dceb99ecf4db1af2f01897317e Mon Sep 17 00:00:00 2001 From: DustInDark Date: Fri, 24 Jun 2022 23:19:31 +0900 Subject: [PATCH 11/22] changed noisy rule counting and load condition --- src/yaml.rs | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/yaml.rs b/src/yaml.rs index d47468e3..1713dbd6 100644 --- a/src/yaml.rs +++ b/src/yaml.rs @@ -233,7 +233,9 @@ impl ParseYaml { }; let entry = self.rule_load_cnt.entry(entry_key.to_string()).or_insert(0); *entry += 1; - return Option::None; + if entry_key == "excluded" || (entry_key == "noisy" && !configs::CONFIG.read().unwrap().args.enable_noisy_rules ) { + return Option::None; + } } } From ade010b6e0f6ed316587a3c7a954fea3cc5dee54 Mon Sep 17 00:00:00 2001 From: DustInDark Date: Fri, 24 Jun 2022 23:20:26 +0900 Subject: [PATCH 12/22] cargo fmt --- src/yaml.rs | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/yaml.rs b/src/yaml.rs index 1713dbd6..7e35c545 100644 --- a/src/yaml.rs +++ b/src/yaml.rs @@ -233,7 +233,10 @@ impl ParseYaml { }; let entry = self.rule_load_cnt.entry(entry_key.to_string()).or_insert(0); *entry += 1; - if entry_key == "excluded" || (entry_key == "noisy" && !configs::CONFIG.read().unwrap().args.enable_noisy_rules ) { + if entry_key == "excluded" + || (entry_key == "noisy" + && !configs::CONFIG.read().unwrap().args.enable_noisy_rules) + { return Option::None; } } 
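Review bot: The `noisy` branch reads `configs::CONFIG.read().unwrap().args.enable_noisy_rules` for every rule that reaches the filter, taking the global config read lock once per rule; reading the flag into a local at the top of the method avoids the repeated locking. With this change an enabled noisy rule appears to fall through to the `--exclude-status` check that patch 01 placed directly below this block, so one rule can be counted under both `noisy` and `excluded` in `rule_load_cnt`; if that is intended, a comment saying so would help, otherwise evaluate the status check first. `None` is the idiomatic spelling of `Option::None`. The enclosing method starts and ends outside the hunk.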
From 1217899f1afe038462612d95ce87dbc270b5a868 Mon Sep 17 00:00:00 2001 From: DustInDark Date: Fri, 24 Jun 2022 23:29:56 +0900 Subject: [PATCH 13/22] fixed error --- src/afterfact.rs | 4 ++-- src/detections/print.rs | 4 ++-- src/detections/utils.rs | 2 +- src/main.rs | 30 +++++++++++++++--------------- src/options/level_tuning.rs | 4 ++-- 5 files changed, 22 insertions(+), 22 deletions(-) diff --git a/src/afterfact.rs b/src/afterfact.rs index a6edaa50..0ac39e53 100644 --- a/src/afterfact.rs +++ b/src/afterfact.rs @@ -481,7 +481,7 @@ fn _print_unique_results( // output total results write_color_buffer( - BufferWriter::stdout(ColorChoice::Always), + &BufferWriter::stdout(ColorChoice::Always), None, &format!( "{} {}: {}", @@ -501,7 +501,7 @@ fn _print_unique_results( head_word, level_name, tail_word, counts_by_level[i] ); write_color_buffer( - BufferWriter::stdout(ColorChoice::Always), + &BufferWriter::stdout(ColorChoice::Always), _get_output_color(color_map, level_name), &output_raw_str, ) diff --git a/src/detections/print.rs b/src/detections/print.rs index d74875d7..a63bd91e 100644 --- a/src/detections/print.rs +++ b/src/detections/print.rs @@ -324,7 +324,7 @@ impl AlertMessage { /// ERRORメッセージを表示する関数 pub fn alert(contents: &str) -> io::Result<()> { write_color_buffer( - BufferWriter::stderr(ColorChoice::Always), + &BufferWriter::stderr(ColorChoice::Always), None, &format!("[ERROR] {}", contents), ) @@ -333,7 +333,7 @@ impl AlertMessage { /// WARNメッセージを表示する関数 pub fn warn(contents: &str) -> io::Result<()> { write_color_buffer( - BufferWriter::stderr(ColorChoice::Always), + &BufferWriter::stderr(ColorChoice::Always), None, &format!("[WARN] {}", contents), ) diff --git a/src/detections/utils.rs b/src/detections/utils.rs index 7f20781b..5eac37ae 100644 --- a/src/detections/utils.rs +++ b/src/detections/utils.rs 
@@ -242,7 +242,7 @@ pub fn create_rec_info(data: Value, path: String, keys: &[String]) -> EvtxRecord * 標準出力のカラー出力設定を指定した値に変更し画面出力を行う関数 */ pub fn write_color_buffer( - wtr: BufferWriter, + wtr: &BufferWriter, color: Option, output_str: &str, ) -> io::Result<()> { diff --git a/src/main.rs b/src/main.rs index bf6a4797..7aeb3b2d 100644 --- a/src/main.rs +++ b/src/main.rs @@ -117,7 +117,7 @@ impl App { Ok(output) => { if output != "You currently have the latest rules." { write_color_buffer( - BufferWriter::stdout(ColorChoice::Always), + &BufferWriter::stdout(ColorChoice::Always), None, "Rules updated successfully.", ) @@ -170,7 +170,7 @@ impl App { if *STATISTICS_FLAG { write_color_buffer( - BufferWriter::stdout(ColorChoice::Always), + &BufferWriter::stdout(ColorChoice::Always), None, "Generating Event ID Statistics", ) @@ -179,7 +179,7 @@ impl App { } if *LOGONSUMMARY_FLAG { write_color_buffer( - BufferWriter::stdout(ColorChoice::Always), + &BufferWriter::stdout(ColorChoice::Always), None, "Generating Logons Summary", ) @@ -262,7 +262,7 @@ impl App { return; } else { write_color_buffer( - BufferWriter::stdout(ColorChoice::Always), + &BufferWriter::stdout(ColorChoice::Always), None, &configs::CONFIG.read().unwrap().headless_help, ) @@ -274,7 +274,7 @@ impl App { let analysis_duration = analysis_end_time.signed_duration_since(analysis_start_time); println!(); write_color_buffer( - BufferWriter::stdout(ColorChoice::Always), + &BufferWriter::stdout(ColorChoice::Always), None, &format!("Elapsed Time: {}", &analysis_duration.hhmmssxxx()), ) 
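Review bot: The new by-reference `wtr: &BufferWriter` parameter of `write_color_buffer` is documented only by a Japanese comment; an English doc line such as `/// Writes output_str to the borrowed writer, colored when color is Some; returns the underlying I/O error.` makes the contract clear to more readers. Since the function now borrows, the call sites changed in this patch no longer need a fresh `BufferWriter::stdout(ColorChoice::Always)` per call; a single writer created once could be shared, and `ColorChoice::Auto` would keep ANSI escapes out of redirected output, which matters when results are saved as evidence. The function body continues outside the hunk.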
@@ -329,15 +329,15 @@ impl App {
 )
 .ok();
 });
- write_color_buffer(BufferWriter::stdout(ColorChoice::Always), None, &output).ok();
+ write_color_buffer(&BufferWriter::stdout(ColorChoice::Always), None, &output).ok();
 } else {
 //標準出力の場合
 let output = "The following pivot keywords were found:".to_string();
- write_color_buffer(BufferWriter::stdout(ColorChoice::Always), None, &output).ok();
+ write_color_buffer(&BufferWriter::stdout(ColorChoice::Always), None, &output).ok();
 pivot_key_unions.iter().for_each(|(key, pivot_keyword)| {
 write_color_buffer(
- BufferWriter::stdout(ColorChoice::Always),
+ &BufferWriter::stdout(ColorChoice::Always),
 None,
 &create_output(String::default(), key, pivot_keyword),
 )
@@ -425,7 +425,7 @@ impl App {
 fn print_contributors(&self) {
 match fs::read_to_string("./contributors.txt") {
 Ok(contents) => {
- write_color_buffer(BufferWriter::stdout(ColorChoice::Always), None, &contents).ok();
+ write_color_buffer(&BufferWriter::stdout(ColorChoice::Always), None, &contents).ok();
 }
 Err(err) => {
 AlertMessage::alert(&format!("{}", err)).ok();
@@ -441,7 +441,7 @@ impl App {
 .min_level
 .to_uppercase();
 write_color_buffer(
- BufferWriter::stdout(ColorChoice::Always),
+ &BufferWriter::stdout(ColorChoice::Always),
 None,
 &format!("Analyzing event files: {:?}", evtx_files.len()),
 )
@@ -667,7 +667,7 @@ impl App {
 Some(Color::Green)
 };
 write_color_buffer(
- BufferWriter::stdout(ColorChoice::Always),
+ &BufferWriter::stdout(ColorChoice::Always),
 output_color,
 &content,
 )
@@ -686,7 +686,7 @@ impl App {
 None => {}
 Some(path) => {
 let content = fs::read_to_string(path).unwrap_or_default();
- write_color_buffer(BufferWriter::stdout(ColorChoice::Always), None, &content).ok();
+ write_color_buffer(&BufferWriter::stdout(ColorChoice::Always), None, &content).ok();
 }
 }
 }
@@ -700,7 +700,7 @@ impl App {
 let hayabusa_rule_repo = Repository::open(Path::new("rules"));
 if hayabusa_repo.is_err() && hayabusa_rule_repo.is_err() {
 write_color_buffer(
- BufferWriter::stdout(ColorChoice::Always),
+ &BufferWriter::stdout(ColorChoice::Always),
 None,
 "Attempting to git clone the hayabusa-rules repository into the rules folder.",
 )
@@ -879,7 +879,7 @@ impl App {
 .entry(tmp[3].to_string())
 .or_insert(0b0) += 1;
 write_color_buffer(
- BufferWriter::stdout(ColorChoice::Always),
+ &BufferWriter::stdout(ColorChoice::Always),
 None,
 &format!(
 "[Updated] {} (Modified: {} | Path: {})",
@@ -896,7 +896,7 @@ impl App {
 Ok("Rule updated".to_string())
 } else {
 write_color_buffer(
- BufferWriter::stdout(ColorChoice::Always),
+ &BufferWriter::stdout(ColorChoice::Always),
 None,
 "You currently have the latest rules.",
 )
diff --git a/src/options/level_tuning.rs b/src/options/level_tuning.rs
index f378ec1f..c7a7bf80 100644
--- a/src/options/level_tuning.rs
+++ b/src/options/level_tuning.rs
@@ -59,7 +59,7 @@ impl LevelTuning {
 for (path, rule) in rulefile_loader.files {
 if let Some(new_level) = tuning_map.get(rule["id"].as_str().unwrap()) {
 write_color_buffer(
- BufferWriter::stdout(ColorChoice::Always),
+ &BufferWriter::stdout(ColorChoice::Always),
 None,
 &format!("path: {}", path),
 )
@@ -94,7 +94,7 @@ impl LevelTuning {
 file.write_all(content.as_bytes()).unwrap();
 file.flush().unwrap();
 write_color_buffer(
- BufferWriter::stdout(ColorChoice::Always),
+ &BufferWriter::stdout(ColorChoice::Always),
 None,
 &format!(
 "level: {} -> {}",
From ab524cdccf1da67c6d7bf07652e45f847dac7fe7 Mon Sep 17 00:00:00 2001
From: DustInDark
Date: Fri, 24 Jun 2022 23:39:47 +0900
Subject: [PATCH 14/22] to output noisy rule count either enable noisy option value
---
 src/filter.rs | 22 ++++++++++------------
 1 file changed, 10 insertions(+), 12 deletions(-)
diff --git a/src/filter.rs b/src/filter.rs
index 425829e3..41fa26ec 100644
--- a/src/filter.rs
+++ b/src/filter.rs
@@ -29,18 +29,16 @@ impl RuleExclude {
 pub fn exclude_ids() -> RuleExclude {
 let mut exclude_ids = RuleExclude::default();
- if !configs::CONFIG.read().unwrap().args.enable_noisy_rules {
- exclude_ids.insert_ids(&format!(
- "{}/noisy_rules.txt",
- configs::CONFIG
- .read()
- .unwrap()
- .args
- .config
- .as_path()
- .display()
- ));
- };
+ exclude_ids.insert_ids(&format!(
+ "{}/noisy_rules.txt",
+ configs::CONFIG
+ .read()
+ .unwrap()
+ .args
+ .config
+ .as_path()
+ .display()
+ ));
 exclude_ids.insert_ids(&format!(
 "{}/exclude_rules.txt",
From a3bb30e9a2ce45f2b0e8177d3c189cbab7fd93ac Mon Sep 17 00:00:00 2001
From: DustInDark
Date: Fri, 24 Jun 2022 23:53:42 +0900
Subject: [PATCH 15/22] cargo fmt
---
 src/main.rs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/main.rs b/src/main.rs
index 7aeb3b2d..e3c95f2e 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -425,7 +425,8 @@ impl App {
 fn print_contributors(&self) {
 match fs::read_to_string("./contributors.txt") {
 Ok(contents) => {
- write_color_buffer(&BufferWriter::stdout(ColorChoice::Always), None, &contents).ok();
+ write_color_buffer(&BufferWriter::stdout(ColorChoice::Always), None, &contents)
+ .ok();
 }
 Err(err) => {
 AlertMessage::alert(&format!("{}", err)).ok();
From 1d6d74a378dc3e7a8bcbf669d8976ed0c08a26a0 Mon Sep 17 00:00:00 2001
From: DustInDark
Date: Sat, 25 Jun 2022 00:28:07 +0900
Subject: [PATCH 16/22] ignored loading sigmac test yml filein hayabusa-rules #602
---
 src/yaml.rs | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/src/yaml.rs b/src/yaml.rs
index 7e35c545..a591e73e 100644
--- a/src/yaml.rs
+++ b/src/yaml.rs
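Review bot: Dropping the `enable_noisy_rules` guard makes loading `noisy_rules.txt` into the exclusion set unconditional, so the flag's only remaining effect is wherever `RuleExclude` is consumed (the later yaml.rs hunk checks `entry_key == "noisy" && !configs::CONFIG.read().unwrap().args.enable_noisy_rules`), and nothing in `exclude_ids` says so; a comment on the new call, `// noisy_rules.txt is always loaded so noisy rules can be counted; whether they are skipped is decided at rule-load time from --enable-noisy-rules`, would stop the next reader from re-adding the guard. The `configs::CONFIG.read().unwrap().args.config` chain is then repeated verbatim for `exclude_rules.txt` right below; reading it once, `let config_dir = configs::CONFIG.read().unwrap().args.config.display().to_string();`, takes the lock a single time and shortens both `format!` calls. `exclude_ids` continues past the end of the hunk.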
@@ -165,6 +165,19 @@ impl ParseYaml {
 return io::Result::Ok(ret);
 }
+ // ignore if tool test yml file in hayabusa-rules.
+ if path
+ .to_str()
+ .unwrap()
+ .contains("rules/tools/sigmac/test_files")
+ || path
+ .to_str()
+ .unwrap()
+ .contains("rules\\tools\\sigmac\\test_files")
+ {
+ return io::Result::Ok(ret);
+ }
+
 // 個別のファイルの読み込みは即終了としない。
 let read_content = self.read_file(path);
 if read_content.is_err() {
From a8925e3651bdf49f99eeba54c630e3f98d4fb09b Mon Sep 17 00:00:00 2001
From: DustInDark
Date: Sat, 25 Jun 2022 00:33:16 +0900
Subject: [PATCH 17/22] updated changelog #602
---
 CHANGELOG-Japanese.md | 1 +
 CHANGELOG.md | 1 +
 2 files changed, 2 insertions(+)
diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md
index 77a393ff..c402f4c5 100644
--- a/CHANGELOG-Japanese.md
+++ b/CHANGELOG-Japanese.md
@@ -37,6 +37,7 @@
 - `--rfc-3339` オプションの時刻表示形式を変更した。 (#574) (@hitenkoku)
 - `-R/ --display-record-id`オプションを`-R/ --hide-record-id`に変更。レコードIDはデフォルトで出力するようにして`-R`オプションを付けた際に表示しないように変更した。(#579) (@hitenkoku)
 - ルール読み込み時のメッセージを追加した。 (#583) (@hitenkoku)
+- `rules/tools/sigmac/testfiles`内のテスト用のymlファイルを読み込まないようにした. (#602) (@hitenkoku)
 **バグ修正:**
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3b2bfd7a..57d29061 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,6 +13,7 @@
 - Updated the default usage and help menu. (#387) (@hitenkoku)
 - Added default details output based on `rules/config/default_details.txt` when no `details` field in a rule is specified. (i.e. Sigma rules) (#359) (@hitenkoku)
 - Added saved file size output when `output` is specified. (#595) (@hitenkoku)
+- Ignored loading yml file in `rules/tools/sigmac/testfiles` (#602) (@hitenkoku)
 **Bug Fixes:**
From e5df82731a62211b5875246bedd13a0351001ccd Mon Sep 17 00:00:00 2001
From: DustInDark
Date: Sat, 25 Jun 2022 00:34:43 +0900
Subject: [PATCH 18/22] updated changelog #602
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 57d29061..c6166101 100644
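Review bot: `path.to_str().unwrap()`, evaluated twice in the new condition, panics on any rule path that is not valid UTF-8, so one oddly named file under the rules directory aborts the whole load instead of being skipped like the other per-file failures this method tolerates; `to_string_lossy()` removes the panic, and normalizing the separator lets a single `contains` replace the duplicated `/` and `\\` checks. A substring match also fires on any path that merely contains that fragment, not only the shipped hayabusa-rules tree, which is probably acceptable but deserves a word in the comment. Separately, the CHANGELOG entries added in patches 17 and 18 name the directory `rules/tools/sigmac/testfiles` while the code matches `test_files`; one of the two is wrong. The enclosing method (presumably `read_dir`, from the test in patch 22) starts and ends outside the hunk.
```rust
// ignore if tool test yml file in hayabusa-rules.
// Lossy conversion: a non-UTF-8 path must not abort rule loading.
let path_str = path.to_string_lossy().replace('\\', "/");
if path_str.contains("rules/tools/sigmac/test_files") {
    return io::Result::Ok(ret);
}
// … unchanged: per-file read and error handling …
```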
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,7 +13,7 @@
 - Updated the default usage and help menu. (#387) (@hitenkoku)
 - Added default details output based on `rules/config/default_details.txt` when no `details` field in a rule is specified. (i.e. Sigma rules) (#359) (@hitenkoku)
 - Added saved file size output when `output` is specified. (#595) (@hitenkoku)
-- Ignored loading yml file in `rules/tools/sigmac/testfiles` (#602) (@hitenkoku)
+- Ignored loading yml file in `rules/tools/sigmac/testfiles`. (#602) (@hitenkoku)
 **Bug Fixes:**
From 9b0344197be17b3be3458b153072590924d97d53 Mon Sep 17 00:00:00 2001
From: DustInDark
Date: Sat, 25 Jun 2022 19:31:17 +0900
Subject: [PATCH 19/22] excluded test files from excluded count
---
 src/yaml.rs | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/yaml.rs b/src/yaml.rs
index a591e73e..0cc2e5ea 100644
--- a/src/yaml.rs
+++ b/src/yaml.rs
@@ -244,8 +244,11 @@ impl ParseYaml {
 } else {
 "noisy"
 };
- let entry = self.rule_load_cnt.entry(entry_key.to_string()).or_insert(0);
- *entry += 1;
+ // テスト用のルール(ID:000...0)の場合はexcluded ruleのカウントから除外するようにする
+ if v != "00000000-0000-0000-0000-000000000000" {
+ let entry = self.rule_load_cnt.entry(entry_key.to_string()).or_insert(0);
+ *entry += 1;
+ }
 if entry_key == "excluded"
 || (entry_key == "noisy"
 && !configs::CONFIG.read().unwrap().args.enable_noisy_rules)
From b556b2061bd21c3b1fa0d6bf57aee69b5913beb4 Mon Sep 17 00:00:00 2001
From: DustInDark
Date: Sat, 25 Jun 2022 19:32:38 +0900
Subject: [PATCH 20/22] cargo fmt
---
 src/yaml.rs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/yaml.rs b/src/yaml.rs
index 0cc2e5ea..fa10930b 100644
--- a/src/yaml.rs
+++ b/src/yaml.rs
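Review bot: The all-zero UUID that marks a test rule is compared as a bare string literal in `if v != "00000000-0000-0000-0000-000000000000" {`, so the reader has to infer its meaning from the Japanese comment above it; a named constant at module level, `const TEST_RULE_ID: &str = "00000000-0000-0000-0000-000000000000";`, and `if v != TEST_RULE_ID {` make the intent explicit and give the later rustfmt hunk in patch 20 (which re-wraps the same lines) nothing to wrap. An English comment in place of the existing one would read `// test rules (all-zero id) are not counted as excluded/noisy`. Where `v` and `entry_key` are bound is outside the hunk, and the enclosing closure continues past its last line.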
@@ -246,7 +246,8 @@ impl ParseYaml {
 };
 // テスト用のルール(ID:000...0)の場合はexcluded ruleのカウントから除外するようにする
 if v != "00000000-0000-0000-0000-000000000000" {
- let entry = self.rule_load_cnt.entry(entry_key.to_string()).or_insert(0);
+ let entry =
+ self.rule_load_cnt.entry(entry_key.to_string()).or_insert(0);
 *entry += 1;
 }
 if entry_key == "excluded"
From 20d82598e90ccf665b43558949d044869b7e36e6 Mon Sep 17 00:00:00 2001
From: DustInDark
Date: Sat, 25 Jun 2022 20:03:26 +0900
Subject: [PATCH 21/22] removed duplicated Deprecated count
---
 src/yaml.rs | 13 -------------
 1 file changed, 13 deletions(-)
diff --git a/src/yaml.rs b/src/yaml.rs
index fa10930b..63318981 100644
--- a/src/yaml.rs
+++ b/src/yaml.rs
@@ -305,19 +305,6 @@ impl ParseYaml {
 if doc_level_num < args_level_num {
 return Option::None;
 }
-
- if !configs::CONFIG.read().unwrap().args.enable_deprecated_rules {
- let rule_status = &yaml_doc["status"].as_str().unwrap_or_default();
- if *rule_status == "deprecated" {
- let entry = self
- .rule_status_cnt
- .entry(rule_status.to_string())
- .or_insert(0);
- *entry += 1;
- return Option::None;
- }
- }
-
 Option::Some((filepath, yaml_doc))
 })
 .collect();
From 4f317e2c0884baa49f4a3429cf88b7f66274b90a Mon Sep 17 00:00:00 2001
From: DustInDark
Date: Sat, 25 Jun 2022 20:43:47 +0900
Subject: [PATCH 22/22] fixed test
---
 src/yaml.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/yaml.rs b/src/yaml.rs
index 63318981..51d2a162 100644
--- a/src/yaml.rs
+++ b/src/yaml.rs
@@ -460,7 +460,7 @@ mod tests {
 yaml.read_dir(path, "", &exclude_ids).unwrap();
 assert_eq!(
 yaml.rule_status_cnt.get("deprecated").unwrap().to_owned(),
- 2
+ 1
 );
 }
 }