CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Added Channel column and Channel Abbreviations (#508)

Browse Source 
* added Channel output #504

* added test #504

* fixed clippy warnings

* fixed convert serde value to Channel #504

* added channel output config #504

* added doc #504

* added Channel column and Channel addreviation

* fixed file name typo

* changed channel position #504

* fixed markdown warnings in CHANGELOG

* readme update

Co-authored-by: Tanaka Zakku <71482215+YamatoSecurity@users.noreply.github.com>
This commit is contained in:
DustInDark
2022-04-20 16:12:53 +09:00
committed by GitHub
parent dbf3c55bc4
commit b43eb853e9
9 changed files with 175 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
CHANGELOG-Japanese.md
View File

@@ -1,7 +1,9 @@
# 変更点
## v1.2.0 [2022/04/15] Black Hat Asia Arsenal 2022 Preview Release
**新機能:**
- `-C / --config` オプションの追加。検知ルールのコンフィグを指定することが可能。(Windowsでのライブ調査に便利) (@hitenkoku)
- `|equalsfield` と記載することでルール内で二つのフィールドの値が一致するかを記載に対応。 (@hach1yon)
- `-p / --pivot-keywords-list` オプションの追加。攻撃されたマシン名や疑わしいユーザ名などの情報をピボットキーワードリストとして出力する。 (@kazuminn)
@@ -9,6 +11,7 @@
- `--level-tuning` オプションの追加。ルールの検知ファイルを設定したコンフィグファイルに従って検知レベルをチューニングすることが可能(@itib@hitenkoku)
**改善:**
- 検知ルールとドキュメントの更新。 (@YamatoSecurity)
- MacとLinuxのバイナリに必要なOpenSSLライブラリを静的コンパイルした。 (@YamatoSecurity)
- タブ等の文字が含まれたフィールドに対しての検知性能の改善。 (@hach1yon@hitenkoku)
@@ -18,19 +21,24 @@
- イベントIDとタイトルが記載されたコンフィグファイルの名前を `timeline_event_info.txt` から `statistics_event_info.txt`に変更。 (@YamatoSecurity@garigariganzy)
- 64bit Windowsで32bit版のバイナリを実行しないように修正(@hitenkoku)
- MITRE ATT&CKのデータの出力を`output_tag.txt`で修正できるように修正(@hitenkoku)
- 出力にChannel名のカラムを追加(@hitenkoku)
**バグ修正:**
- `.git` フォルダ内にある `.yml` ファイルがパースエラーを引き起こしていた問題の修正。 (@hitenkoku)
- テスト用のルールファイルの読み込みエラーで不必要な改行が発生していた問題の修正。 (@hitenkoku)
- Windows Terminalのバグで標準出力が途中で止まる場合がありましたが、Hayabusa側で解決しました。 (@hitenkoku)
## v1.1.0 [2022/03/03]
**新機能:**
- `-r / --rules`オプションで一つのルール指定が可能。(ルールをテストする際に便利!) (@kazuminn)
- ルール更新オプション (`-u / --update-rules`): [hayabusa-rules](https://github.com/Yamato-Security/hayabusa-rules)レポジトリにある最新のルールに更新できる。 (@hitenkoku)
- ライブ調査オプション (`-l / --live-analysis`): Windowsイベントログディレクトリを指定しないで、楽にWindows端末でライブ調査ができる。(@hitenkoku)
**改善:**
- ドキュメンテーションの更新。 (@kazuminn@itiB@hitenkoku@YamatoSecurity)
- ルールの更新。(Hayabusaルール: 20個以上、Sigmaルール: 200個以上) (@YamatoSecurity)
- Windowsバイナリは静的でコンパイルしているので、Visual C++ 再頒布可能パッケージをインストールする必要はない。(@hitenkoku)
@@ -42,12 +50,15 @@
- Cargo crateの更新。 (@YamatoSecurity)
**バグ修正:**
- `cargo update`がより安定するために、clapのバージョンを固定した。(@hitenkoku)
- フィールドのタブや改行がある場合に、ルールが検知しなかったので、修正した。(@hitenkoku)
## v1.0.0-Release 2 [2022/01/27]
- アンチウィルスに誤検知されたExcelの結果ファイルの削除。(@YamatoSecurity)
- Rustのevtxライブラリを0.7.2に更新。 (@YamatoSecurity)
## v1.0.0 [2021/12/25]
- 最初のリリース

10
CHANGELOG.md
View File

@@ -3,6 +3,7 @@
## v1.2.0 [2022/04/15] Black Hat Asia Arsenal 2022 Preview Release
**New Features:**
- Specify config directory (`-C / --config`): When specifying a different rules directory, the rules config directory will still be the default `rules/config`, so this option is useful when you want to test rules and their config files in a different directory. (@hitenkoku)
- `|equalsfield` aggregator: In order to write rules that compare if two fields are equal or not. (@hach1yon)
- Pivot keyword list generator feature (`-p / --pivot-keywords-list`): Will generate a list of keywords to grep for to quickly identify compromised machines, suspicious usernames, files, etc... (@kazuminn)
@@ -10,6 +11,7 @@
- `--level-tuning` option: You can tune the risk `level` in hayabusa and sigma rules to your environment. (@itib and @hitenkoku)
**Enhancements:**
- Updated detection rules and documentation. (@YamatoSecurity)
- Mac and Linux binaries now statically compile the OpenSSL libraries. (@YamatoSecurity)
- Performance and accuracy improvement for fields with tabs, etc... in them. (@hach1yon and @hitenkoku)
@@ -19,19 +21,24 @@
- Updated the event ID and title config file (`timeline_event_info.txt`) and changed the name to `statistics_event_info.txt`. (@YamatoSecurity and @garigariganzy)
- 32-bit Hayabusa Windows binaries are now prevented from running on 64-bit Windows as it would cause unexpected results. (@hitenkoku)
- MITRE ATT&CK tag output can be customized in `output_tag.txt`. (@hitenkoku)
- Added Channel column output. (@hitenkoku)
**Bug Fixes:**
- `.yml` files in the `.git` folder would cause parse errors so they are now ignored. (@hitenkoku)
- Removed unnecessary newline due to loading test file rules. (@hitenkoku)
- Fixed output stopping in Windows Terminal due a bug in Terminal itself. (@hitenkoku)
## v1.1.0 [2022/03/03]
**New Features:**
- Can specify a single rule with the `-r / --rules` option. (Great for testing rules!) (@kazuminn)
- Rule update option (`-u / --update-rules`): Update to the latest rules in the [hayabusa-rules](https://github.com/Yamato-Security/hayabusa-rules) repository. (@hitenkoku)
- Live analysis option (`-l / --live-analysis`): Can easily perform live analysis on Windows machines without specifying the Windows event log directory. (@hitenkoku)
**Enhancements:**
- Updated documentation. (@kazuminn , @hitenkoku , @YamatoSecurity)
- Updated rules. (20+ Hayabusa rules, 200+ Sigma rules) (@YamatoSecurity)
- Windows binaries are now statically compiled so installing Visual C++ Redistributable is not required. (@hitenkoku)
@@ -43,12 +50,15 @@
- Updated cargo crates. (@YamatoSecurity)
**Bug Fixes:**
- Made the clap library version static to make `cargo update` more stable. (@hitenkoku)
- Some rules were not alerting if there were tabs or carriage returns in the fields. (@hitenkoku)
## v1.0.0-Release 2 [2022/01/27]
- Removed Excel result sample files as they were being flagged by anti-virus. (@YamatoSecurity)
- Updated the Rust evtx library to 0.7.2 (@YamatoSecurity)
## v1.0.0 [2021/12/25]
- Initial release.

34
README-Japanese.md
View File

@@ -56,6 +56,7 @@ Hayabusaは、日本の[Yamato Security](https://yamatosecurity.connpass.com/)
- [サンプルevtxファイルでHayabusaをテストする](#サンプルevtxファイルでhayabusaをテストする)
- [Hayabusaの出力](#hayabusaの出力)
- [MITRE ATT&CK戦術の省略](#mitre-attck戦術の省略)
- [Channel情報の省略](#channel情報の省略)
- [プログレスバー](#プログレスバー)
- [標準出力へのカラー設定](#標準出力へのカラー設定)
- [Hayabusaルール](#hayabusaルール)
@@ -460,6 +461,7 @@ Hayabusaの結果を標準出力に表示しているときデフォルト
* `Timestamp`: デフォルトでは`YYYY-MM-DD HH:mm:ss.sss +hh:mm`形式になっています。イベントログの`<Event><System><TimeCreated SystemTime>`フィールドから来ています。デフォルトのタイムゾーンはローカルのタイムゾーンになりますが、`--utc` オプションで UTC に変更することができます。
* `Computer`: イベントログの`<Event><System><Computer>`フィールドから来ています。
* `Channel`: ログ名です。イベントログの`<Event><System><EventID>`フィールドから来ています。
* `Event ID`: イベントログの`<Event><System><EventID>`フィールドから来ています。
* `Level`: YML検知ルールの`level`フィールドから来ています。(例:`informational`, `low`, `medium`, `high`, `critical`) デフォルトでは、すべてのレベルのアラートとイベントが出力されますが、`-m`オプションで最低のレベルを指定することができます。例えば`-m high`オプションを付けると、`high``critical`アラートしか出力されません。
* `Title`: YML検知ルールの`title`フィールドから来ています。
@@ -493,6 +495,38 @@ CSVファイルとして保存する場合、以下の列が追加されます:
* `Exfil` : Exfiltration (持ち出し)
* `Impact` : Impact (影響)
## Channel情報の省略
簡潔に出力するためにChannelの表示を以下のように省略しています。
`config/channel_abbreviations.txt`の設定ファイルで自由に編集できます。
* `Application` : App
* `DNS Server` : DNS-Svr
* `Microsoft-ServiceBus-Client` : SvcBusCli
* `Microsoft-Windows-CodeIntegrity/Operational` : CodeInteg
* `Microsoft-Windows-LDAP-Client/Debug` : LDAP-Cli
* `Microsoft-Windows-AppLocker/MSI and Script` : AppLocker
* `Microsoft-Windows-AppLocker/EXE and DLL` : AppLocker
* `Microsoft-Windows-AppLocker/Packaged app-Deployment` : AppLocker
* `Microsoft-Windows-AppLocker/Packaged app-Execution` : AppLocker
* `Microsoft-Windows-Bits-Client/Operational` : BitsCli
* `Microsoft-Windows-DHCP-Server/Operational` : DHCP-Svr
* `Microsoft-Windows-DriverFrameworks-UserMode/Operational` : DvrFmwk
* `Microsoft-Windows-NTLM/Operational` : NTLM
* `Microsoft-Windows-SmbClient/Security` : SmbCliSec
* `Microsoft-Windows-Sysmon/Operational` : Sysmon
* `Microsoft-Windows-TaskScheduler/Operational` : TaskSch
* `Microsoft-Windows-PrintService/Admin` : PrintAdm
* `Microsoft-Windows-PrintService/Operational` : PrintOp
* `Microsoft-Windows-PowerShell/Operational` : PwSh
* `Microsoft-Windows-Windows Defender/Operational` : Defender
* `Microsoft-Windows-Windows Firewall With Advanced Security/Firewall` : Firewall
* `Microsoft-Windows-WMI-Activity/Operational` : WMI
* `MSExchange Management` : Exchange
* `Security` : Sec
* `System` : Sys
* `Windows PowerShell` : WinPwSh
## プログレスバー
プログレス・バーは、複数のevtxファイルに対してのみ機能します。

34
README.md
View File

@@ -56,6 +56,7 @@ Hayabusa is a **Windows event log fast forensics timeline generator** and **thre
- [Testing Hayabusa on Sample Evtx Files](#testing-hayabusa-on-sample-evtx-files)
- [Hayabusa Output](#hayabusa-output)
- [MITRE ATT&CK Tactics Abbreviations](#mitre-attck-tactics-abbreviations)
- [Channel Abbreviations](#channel-abbreviations)
- [Progress Bar](#progress-bar)
- [Color Output](#color-output)
- [Hayabusa Rules](#hayabusa-rules)
@@ -453,6 +454,7 @@ When hayabusa output is being displayed to the screen (the default), it will dis
* `Timestamp`: Default is `YYYY-MM-DD HH:mm:ss.sss +hh:mm` format. This comes from the `<Event><System><TimeCreated SystemTime>` field in the event log. The default timezone will be the local timezone but you can change the timezone to UTC with the `--utc` option.
* `Computer`: This comes from the `<Event><System><Computer>` field in the event log.
* `Channel`: The name of log. This comes from the `<Event><System><Channel>` field in the event log.
* `Event ID`: This comes from the `<Event><System><EventID>` field in the event log.
* `Level`: This comes from the `level` field in the YML detection rule. (`informational`, `low`, `medium`, `high`, `critical`) By default, all level alerts will be displayed but you can set the minimum level with `-m`. For example, you can set `-m high`) in order to only scan for and display high and critical alerts.
* `Title`: This comes from the `title` field in the YML detection rule.
@@ -486,6 +488,38 @@ You can freely edit these abbreviations in the `config/output_tag.txt` configura
* `Exfil` : Exfiltration
* `Impact` : Impact
## Channel Abbreviations
In order to save space, we use the following abbreviations when displaying Channel.
You can freely edit these abbreviations in the `config/config/channel_abbreviations.txt` configuration file.
* `Application` : App
* `DNS Server` : DNS-Svr
* `Microsoft-ServiceBus-Client` : SvcBusCli
* `Microsoft-Windows-CodeIntegrity/Operational` : CodeInteg
* `Microsoft-Windows-LDAP-Client/Debug` : LDAP-Cli
* `Microsoft-Windows-AppLocker/MSI and Script` : AppLocker
* `Microsoft-Windows-AppLocker/EXE and DLL` : AppLocker
* `Microsoft-Windows-AppLocker/Packaged app-Deployment` : AppLocker
* `Microsoft-Windows-AppLocker/Packaged app-Execution` : AppLocker
* `Microsoft-Windows-Bits-Client/Operational` : BitsCli
* `Microsoft-Windows-DHCP-Server/Operational` : DHCP-Svr
* `Microsoft-Windows-DriverFrameworks-UserMode/Operational` : DvrFmwk
* `Microsoft-Windows-NTLM/Operational` : NTLM
* `Microsoft-Windows-SmbClient/Security` : SmbCliSec
* `Microsoft-Windows-Sysmon/Operational` : Sysmon
* `Microsoft-Windows-TaskScheduler/Operational` : TaskSch
* `Microsoft-Windows-PrintService/Admin` : PrintAdm
* `Microsoft-Windows-PrintService/Operational` : PrintOp
* `Microsoft-Windows-PowerShell/Operational` : PwSh
* `Microsoft-Windows-Windows Defender/Operational` : Defender
* `Microsoft-Windows-Windows Firewall With Advanced Security/Firewall` : Firewall
* `Microsoft-Windows-WMI-Activity/Operational` : WMI
* `MSExchange Management` : Exchange
* `Security` : Sec
* `System` : Sys
* `Windows PowerShell` : WinPwSh
## Progress Bar
The progress bar will only work with multiple evtx files.

27
config/channel_abbreviations.txt Normal file
View File

@@ -0,0 +1,27 @@
Channel,Abbreviation
Application,App
DNS Server,DNS-Svr
Microsoft-ServiceBus-Client,SvcBusCli
Microsoft-Windows-CodeIntegrity/Operational,CodeInteg
Microsoft-Windows-LDAP-Client/Debug,LDAP-Cli
Microsoft-Windows-AppLocker/MSI and Script,AppLocker
Microsoft-Windows-AppLocker/EXE and DLL,AppLocker
Microsoft-Windows-AppLocker/Packaged app-Deployment,AppLocker
Microsoft-Windows-AppLocker/Packaged app-Execution,AppLocker
Microsoft-Windows-Bits-Client/Operational,BitsCli
Microsoft-Windows-DHCP-Server/Operational,DHCP-Svr
Microsoft-Windows-DriverFrameworks-UserMode/Operational,DvrFmwk
Microsoft-Windows-NTLM/Operational,NTLM
Microsoft-Windows-SmbClient/Security,SmbCliSec
Microsoft-Windows-Sysmon/Operational,Sysmon
Microsoft-Windows-TaskScheduler/Operational,TaskSch
Microsoft-Windows-PrintService/Admin,PrintAdm
Microsoft-Windows-PrintService/Operational,PrintOp
Microsoft-Windows-PowerShell/Operational,PwSh
Microsoft-Windows-Windows Defender/Operational,Defender
Microsoft-Windows-Windows Firewall With Advanced Security/Firewall,Firewall
Microsoft-Windows-WMI-Activity/Operational,WMI
MSExchange Management,Exchange
Security,Sec
System,Sys
Windows PowerShell,WinPwSh

45
src/afterfact.rs
View File

@@ -19,6 +19,7 @@ use std::process;
pub struct CsvFormat<'a> {
timestamp: &'a str,
computer: &'a str,
channel: &'a str,
event_i_d: &'a str,
level: &'a str,
mitre_attack: &'a str,
@@ -35,6 +36,7 @@ pub struct CsvFormat<'a> {
pub struct DisplayFormat<'a> {
timestamp: &'a str,
pub computer: &'a str,
pub channel: &'a str,
pub event_i_d: &'a str,
pub level: &'a str,
pub rule_title: &'a str,
@@ -167,6 +169,7 @@ fn emit_csv<W: std::io::Write>(
level: &_format_cell(&level, ColPos::Other, colors),
computer: &_format_cell(&detect_info.computername, ColPos::Other, colors),
event_i_d: &_format_cell(&detect_info.eventid, ColPos::Other, colors),
channel: &_format_cell(&detect_info.channel, ColPos::Other, colors),
rule_title: &_format_cell(&detect_info.alert, ColPos::Other, colors),
details: &_format_cell(&details, ColPos::Other, colors),
record_information: recinfo.as_deref(),
@@ -179,6 +182,7 @@ fn emit_csv<W: std::io::Write>(
level: &level,
computer: &detect_info.computername,
event_i_d: &detect_info.eventid,
channel: &detect_info.channel,
mitre_attack: &detect_info.tag_info,
rule_title: &detect_info.alert,
details: &detect_info.detail,
@@ -323,6 +327,7 @@ mod tests {
use crate::afterfact::emit_csv;
use crate::detections::print;
use crate::detections::print::DetectInfo;
use crate::detections::print::CH_CONFIG;
use chrono::{Local, TimeZone, Utc};
use serde_json::Value;
use std::fs::File;
@@ -337,12 +342,13 @@ mod tests {
}
fn test_emit_csv_output() {
let testfilepath: &str = "test.evtx";
let testrulepath: &str = "test-rule.yml";
let test_filepath: &str = "test.evtx";
let test_rulepath: &str = "test-rule.yml";
let test_title = "test_title";
let test_level = "high";
let test_computername = "testcomputer";
let test_eventid = "1111";
let test_channel = "Sec";
let output = "pokepoke";
let test_attack = "execution/txxxx.yyy";
let test_recinfo = "record_infoinfo11";
@@ -368,11 +374,15 @@ mod tests {
&event,
output.to_string(),
DetectInfo {
filepath: testfilepath.to_string(),
rulepath: testrulepath.to_string(),
filepath: test_filepath.to_string(),
rulepath: test_rulepath.to_string(),
level: test_level.to_string(),
computername: test_computername.to_string(),
eventid: test_eventid.to_string(),
channel: CH_CONFIG
.get("Security")
.unwrap_or(&String::default())
.to_string(),
alert: test_title.to_string(),
detail: String::default(),
tag_info: test_attack.to_string(),
@@ -385,7 +395,7 @@ mod tests {
.unwrap();
let expect_tz = expect_time.with_timezone(&Local);
let expect =
"Timestamp,Computer,EventID,Level,MitreAttack,RuleTitle,Details,RecordInformation,RulePath,FilePath\n"
"Timestamp,Computer,Channel,EventID,Level,MitreAttack,RuleTitle,Details,RecordInformation,RulePath,FilePath\n"
.to_string()
+ &expect_tz
.clone()
@@ -394,6 +404,8 @@ mod tests {
+ ","
+ test_computername
+ ","
+ test_channel
+ ","
+ test_eventid
+ ","
+ test_level
@@ -406,9 +418,9 @@ mod tests {
+ ","
+ test_recinfo
+ ","
+ testrulepath
+ test_rulepath
+ ","
+ testfilepath
+ test_filepath
+ "\n";
let mut file: Box<dyn io::Write> = Box::new(File::create("./test_emit_csv.csv").unwrap());
assert!(emit_csv(&mut file, false, None).is_ok());
@@ -423,12 +435,13 @@ mod tests {
}
fn check_emit_csv_display() {
let testfilepath: &str = "test2.evtx";
let testrulepath: &str = "test-rule2.yml";
let test_filepath: &str = "test2.evtx";
let test_rulepath: &str = "test-rule2.yml";
let test_title = "test_title2";
let test_level = "medium";
let test_computername = "testcomputer2";
let test_eventid = "2222";
let expect_channel = "Sysmon";
let output = "displaytest";
let test_attack = "execution/txxxx.zzz";
{
@@ -453,11 +466,15 @@ mod tests {
&event,
output.to_string(),
DetectInfo {
filepath: testfilepath.to_string(),
rulepath: testrulepath.to_string(),
filepath: test_filepath.to_string(),
rulepath: test_rulepath.to_string(),
level: test_level.to_string(),
computername: test_computername.to_string(),
eventid: test_eventid.to_string(),
channel: CH_CONFIG
.get("Microsoft-Windows-Sysmon/Operational")
.unwrap_or(&String::default())
.to_string(),
alert: test_title.to_string(),
detail: String::default(),
tag_info: test_attack.to_string(),
@@ -471,7 +488,7 @@ mod tests {
.unwrap();
let expect_tz = expect_time.with_timezone(&Local);
let expect_header =
"Timestamp|Computer|EventID|Level|RuleTitle|Details|RecordInformation\n";
"Timestamp|Computer|Channel|EventID|Level|RuleTitle|Details|RecordInformation\n";
let expect_colored = expect_header.to_string()
+ &get_white_color_string(
&expect_tz
@@ -482,6 +499,8 @@ mod tests {
+ " | "
+ &get_white_color_string(test_computername)
+ " | "
+ &get_white_color_string(expect_channel)
+ " | "
+ &get_white_color_string(test_eventid)
+ " | "
+ &get_white_color_string(test_level)
@@ -500,6 +519,8 @@ mod tests {
+ " | "
+ test_computername
+ " | "
+ expect_channel
+ " | "
+ test_eventid
+ " | "
+ test_level

10
src/detections/detection.rs
View File

@@ -9,7 +9,7 @@ use crate::detections::print::MESSAGES;
use crate::detections::print::PIVOT_KEYWORD_LIST_FLAG;
use crate::detections::print::QUIET_ERRORS_FLAG;
use crate::detections::print::STATISTICS_FLAG;
use crate::detections::print::TAGS_CONFIG;
use crate::detections::print::{CH_CONFIG, TAGS_CONFIG};
use crate::detections::rule;
use crate::detections::rule::AggResult;
use crate::detections::rule::RuleNode;
@@ -219,6 +219,13 @@ impl Detection {
.replace('\"', ""),
eventid: get_serde_number_to_string(&record_info.record["Event"]["System"]["EventID"])
.unwrap_or_else(|| "-".to_owned()),
channel: CH_CONFIG
.get(
&get_serde_number_to_string(&record_info.record["Event"]["System"]["Channel"])
.unwrap_or_default(),
)
.unwrap_or(&String::default())
.to_string(),
alert: rule.yaml["title"].as_str().unwrap_or("").to_string(),
detail: String::default(),
tag_info: tag_info.join(" | "),
@@ -252,6 +259,7 @@ impl Detection {
level: rule.yaml["level"].as_str().unwrap_or("").to_owned(),
computername: "-".to_owned(),
eventid: "-".to_owned(),
channel: "-".to_owned(),
alert: rule.yaml["title"].as_str().unwrap_or("").to_owned(),
detail: output,
record_information: rec_info,

19
src/detections/print.rs
View File

@@ -28,6 +28,7 @@ pub struct DetectInfo {
pub level: String,
pub computername: String,
pub eventid: String,
pub channel: String,
pub alert: String,
pub detail: String,
pub tag_info: String,
@@ -55,7 +56,9 @@ lazy_static! {
.args
.is_present("statistics");
pub static ref TAGS_CONFIG: HashMap<String, String> =
Message::create_tags_config("config/output_tag.txt");
Message::create_output_filter_config("config/output_tag.txt");
pub static ref CH_CONFIG: HashMap<String, String> =
Message::create_output_filter_config("config/channel_abbreviations.txt");
pub static ref PIVOT_KEYWORD_LIST_FLAG: bool = configs::CONFIG
.read()
.unwrap()
@@ -77,7 +80,7 @@ impl Message {
/// ファイルパスで記載されたtagでのフル名、表示の際に置き換えられる文字列のHashMapを作成する関数。tagではこのHashMapのキーに対応しない出力は出力しないものとする
/// ex. attack.impact,Impact
pub fn create_tags_config(path: &str) -> HashMap<String, String> {
pub fn create_output_filter_config(path: &str) -> HashMap<String, String> {
let read_result = utils::read_csv(path);
if read_result.is_err() {
AlertMessage::alert(
@@ -283,6 +286,7 @@ mod tests {
level: "high".to_string(),
computername: "testcomputer1".to_string(),
eventid: "1".to_string(),
channel: String::default(),
alert: "test1".to_string(),
detail: String::default(),
tag_info: "txxx.001".to_string(),
@@ -314,6 +318,7 @@ mod tests {
level: "high".to_string(),
computername: "testcomputer2".to_string(),
eventid: "2".to_string(),
channel: String::default(),
alert: "test2".to_string(),
detail: String::default(),
tag_info: "txxx.002".to_string(),
@@ -345,6 +350,7 @@ mod tests {
level: "high".to_string(),
computername: "testcomputer3".to_string(),
eventid: "3".to_string(),
channel: String::default(),
alert: "test3".to_string(),
detail: String::default(),
tag_info: "txxx.003".to_string(),
@@ -371,6 +377,7 @@ mod tests {
level: "medium".to_string(),
computername: "testcomputer4".to_string(),
eventid: "4".to_string(),
channel: String::default(),
alert: "test4".to_string(),
detail: String::default(),
tag_info: "txxx.004".to_string(),
@@ -380,7 +387,7 @@ mod tests {
let display = format!("{}", format_args!("{:?}", message));
println!("display::::{}", display);
let expect = "Message { map: {1970-01-01T00:00:00Z: [DetectInfo { filepath: \"a\", rulepath: \"test_rule4\", level: \"medium\", computername: \"testcomputer4\", eventid: \"4\", alert: \"test4\", detail: \"CommandLine4: hoge\", tag_info: \"txxx.004\", record_information: Some(\"record_information4\") }], 1996-02-27T01:05:01Z: [DetectInfo { filepath: \"a\", rulepath: \"test_rule\", level: \"high\", computername: \"testcomputer1\", eventid: \"1\", alert: \"test1\", detail: \"CommandLine1: hoge\", tag_info: \"txxx.001\", record_information: Some(\"record_information1\") }, DetectInfo { filepath: \"a\", rulepath: \"test_rule2\", level: \"high\", computername: \"testcomputer2\", eventid: \"2\", alert: \"test2\", detail: \"CommandLine2: hoge\", tag_info: \"txxx.002\", record_information: Some(\"record_information2\") }], 2000-01-21T09:06:01Z: [DetectInfo { filepath: \"a\", rulepath: \"test_rule3\", level: \"high\", computername: \"testcomputer3\", eventid: \"3\", alert: \"test3\", detail: \"CommandLine3: hoge\", tag_info: \"txxx.003\", record_information: Some(\"record_information3\") }]} }";
let expect = "Message { map: {1970-01-01T00:00:00Z: [DetectInfo { filepath: \"a\", rulepath: \"test_rule4\", level: \"medium\", computername: \"testcomputer4\", eventid: \"4\", channel: \"\", alert: \"test4\", detail: \"CommandLine4: hoge\", tag_info: \"txxx.004\", record_information: Some(\"record_information4\") }], 1996-02-27T01:05:01Z: [DetectInfo { filepath: \"a\", rulepath: \"test_rule\", level: \"high\", computername: \"testcomputer1\", eventid: \"1\", channel: \"\", alert: \"test1\", detail: \"CommandLine1: hoge\", tag_info: \"txxx.001\", record_information: Some(\"record_information1\") }, DetectInfo { filepath: \"a\", rulepath: \"test_rule2\", level: \"high\", computername: \"testcomputer2\", eventid: \"2\", channel: \"\", alert: \"test2\", detail: \"CommandLine2: hoge\", tag_info: \"txxx.002\", record_information: Some(\"record_information2\") }], 2000-01-21T09:06:01Z: [DetectInfo { filepath: \"a\", rulepath: \"test_rule3\", level: \"high\", computername: \"testcomputer3\", eventid: \"3\", channel: \"\", alert: \"test3\", detail: \"CommandLine3: hoge\", tag_info: \"txxx.003\", record_information: Some(\"record_information3\") }]} }";
assert_eq!(display, expect);
}
@@ -474,7 +481,7 @@ mod tests {
);
}
#[test]
/// outputで指定されているキー(eventkey_alias.txt内で設定済み)が対象のレコード内に該当する情報がない場合の出力テスト
/// output test when no exist info in target record output and described key-value data in eventkey_alias.txt
fn test_parse_message_not_exist_value_in_record() {
let mut message = Message::new();
let json_str = r##"
@@ -502,9 +509,9 @@ mod tests {
);
}
#[test]
/// output_tag.txtの読み込みテスト
/// test of loading output filter config by output_tag.txt
fn test_load_output_tag() {
let actual = Message::create_tags_config("test_files/config/output_tag.txt");
let actual = Message::create_output_filter_config("test_files/config/output_tag.txt");
let expected: HashMap<String, String> = HashMap::from([
("attack.impact".to_string(), "Impact".to_string()),
("xxx".to_string(), "yyy".to_string()),

8
src/detections/utils.rs
View File

@@ -184,11 +184,11 @@ pub fn get_event_value<'a>(key: &str, event_value: &'a Value) -> Option<&'a Valu
pub fn get_thread_num() -> usize {
let def_thread_num_str = num_cpus::get().to_string();
let conf = configs::CONFIG.read().unwrap();
let threadnum = &conf
.args
conf.args
.value_of("thread-number")
.unwrap_or(def_thread_num_str.as_str());
threadnum.parse::<usize>().unwrap()
.unwrap_or(def_thread_num_str.as_str())
.parse::<usize>()
.unwrap()
}
pub fn create_tokio_runtime() -> Runtime {