From 21dbe2c97a1a775a158e78ff0251eb3b48d0cbd8 Mon Sep 17 00:00:00 2001
From: DustInDark
Date: Mon, 20 Jun 2022 19:53:44 +0900
Subject: [PATCH 1/7] added add-file-extensions option #586
---
 src/detections/configs.rs | 14 ++++++++++++
 src/main.rs | 47 ++++++++++++++++++++++-----------------
 2 files changed, 41 insertions(+), 20 deletions(-)
diff --git a/src/detections/configs.rs b/src/detections/configs.rs
index 3da13610..18bb3489 100644
--- a/src/detections/configs.rs
+++ b/src/detections/configs.rs
@@ -30,6 +30,8 @@ lazy_static! {
 pub static ref IDS_REGEX: Regex =
 Regex::new(r"^[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}$").unwrap();
 pub static ref TERM_SIZE: Option<(Width, Height)> = terminal_size();
+ pub static ref TARGET_EXTENSIONS: HashSet =
+ get_target_extensions(CONFIG.read().unwrap().args.add_file_extentions.as_ref());
 }
 pub struct ConfigReader<'a> {
@@ -205,6 +207,10 @@ pub struct Config {
 /// Print the list of contributors
 #[clap(long)]
 pub contributors: bool,
+ /// Specify target file extension expclude evtx (ex: evtx_data)
+ #[clap(long = "add-file-extensions", multiple_values = true)]
+ pub add_file_extentions: Option>,
 }
 impl ConfigReader<'_> {
@@ -453,6 +459,14 @@ pub fn load_pivot_keywords(path: &str) {
 });
 }
+/// --add-file-extensionsで追加された拡張子から、調査対象ファイルの拡張子セットを返す関数
+pub fn get_target_extensions(arg: Option<&Vec>) -> HashSet {
+ let mut target_file_extensions: HashSet =
+ arg.unwrap_or(&Vec::new()).iter().cloned().collect();
+ target_file_extensions.insert(String::from("evtx"));
+ target_file_extensions
+}
+
 #[derive(Debug, Clone)]
 pub struct EventInfo {
 pub evttitle: String,
diff --git a/src/main.rs b/src/main.rs
index fcd72e05..543f1b6a 100644
--- a/src/main.rs
+++ b/src/main.rs
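Review bot: `multiple_values = true` on `add_file_extentions` is declared without any value count or delimiter, so, as far as I can tell from clap 3 semantics, the option keeps consuming bare tokens until the next `-`/`--` flag; a positional argument following `--add-file-extensions evtx_data` would be read as a further extension, if the program takes positional arguments at all. It is worth confirming against how the path options are declared, or bounding the option with `value_delimiter = ','` so the list is one token. The doc comment's wording is reworked in PATCH 7/7, so only the parsing shape is raised here.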
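Review bot: `get_target_extensions` inserts the user-supplied values verbatim, so a value given with a leading dot (`.evtx_data`) can never match, because `Path::extension()` yields the name without the dot, and an empty value is inserted as `""`, which the directory walk in `src/main.rs` then matches for every extension-less file through its `OsStr::new("")` fallback. Normalising while collecting fixes both: `arg.unwrap_or(&Vec::new()).iter().map(|e| e.trim_start_matches('.').to_string()).filter(|e| !e.is_empty()).collect()`. The same applies unchanged to the renamed doc comment in PATCH 7/7. Matching also stays case-sensitive, so `FOO.EVTX` is skipped as before; whether that is intended is worth stating in the doc comment.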
@@ -11,7 +11,7 @@ use chrono::{DateTime, Datelike, Local, TimeZone};
 use evtx::{EvtxParser, ParserSettings};
 use git2::Repository;
 use hashbrown::{HashMap, HashSet};
-use hayabusa::detections::configs::{load_pivot_keywords, TargetEventTime};
+use hayabusa::detections::configs::{load_pivot_keywords, TargetEventTime, TARGET_EXTENSIONS};
 use hayabusa::detections::detection::{self, EvtxRecordInfo};
 use hayabusa::detections::pivot::PivotKeyword;
 use hayabusa::detections::pivot::PIVOT_KEYWORD;
@@ -186,6 +186,7 @@ impl App {
 .ok();
 println!();
 }
+
 if configs::CONFIG.read().unwrap().args.live_analysis {
 let live_analysis_list = self.collect_liveanalysis_files();
 if live_analysis_list.is_none() {
@@ -193,15 +194,20 @@ impl App {
 }
 self.analysis_files(live_analysis_list.unwrap(), &time_filter);
 } else if let Some(filepath) = &configs::CONFIG.read().unwrap().args.filepath {
- if filepath.extension().unwrap_or_else(|| OsStr::new(".")) != "evtx"
- || filepath
- .as_path()
- .file_stem()
+ if TARGET_EXTENSIONS.contains(
+ filepath
+ .extension()
 .unwrap_or_else(|| OsStr::new("."))
 .to_str()
- .unwrap()
- .trim()
- .starts_with('.')
+ .unwrap(),
+ ) || filepath
+ .as_path()
+ .file_stem()
+ .unwrap_or_else(|| OsStr::new("."))
+ .to_str()
+ .unwrap()
+ .trim()
+ .starts_with('.')
 {
 AlertMessage::alert(
 "--filepath only accepts .evtx files. Hidden files are ignored.",
@@ -397,18 +403,19 @@ impl App {
 ret.extend(subdir_ret);
 Option::Some(())
 });
- } else {
- let path_str = path.to_str().unwrap_or("");
- if path_str.ends_with(".evtx")
- && !Path::new(path_str)
- .file_stem()
- .unwrap_or_else(|| OsStr::new("."))
- .to_str()
- .unwrap()
- .starts_with('.')
- {
- ret.push(path);
- }
+ } else if TARGET_EXTENSIONS.contains(
+ path.extension()
+ .unwrap_or_else(|| OsStr::new(""))
+ .to_str()
+ .unwrap(),
+ ) && !path
+ .file_stem()
+ .unwrap_or_else(|| OsStr::new("."))
+ .to_str()
+ .unwrap()
+ .starts_with('.')
+ {
+ ret.push(path);
 }
 }
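Review bot: The alert text `"--filepath only accepts .evtx files. Hidden files are ignored."` is stale once `--add-file-extensions` is set, because the new `TARGET_EXTENSIONS.contains(...)` check accepts any configured extension, so a user who passes an unlisted file is told the wrong rule. Assuming `AlertMessage::alert` takes a `&str`, building the text from the set keeps it truthful: `&format!("--filepath only accepts files with the extensions {}. Hidden files are ignored.", TARGET_EXTENSIONS.iter().cloned().collect::<Vec<_>>().join(", "))`. The new `.to_str().unwrap()` on the extension also panics for a non-UTF-8 file name, where `.and_then(OsStr::to_str)` plus an `Option` match would reject it gracefully. The inverted sense of the condition is corrected in PATCH 6/7 and is not repeated here; the enclosing function starts and ends outside the hunk.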
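Review bot: The directory walk now calls `.to_str().unwrap()` on `path.extension()`, which panics and aborts the whole scan on the first file whose extension is not valid UTF-8, whereas the replaced code went through `path.to_str().unwrap_or("")` and simply skipped such files; a single oddly named file in an evidence directory thus takes down the run. Matching on the `Option` keeps the old tolerance: `path.extension().and_then(OsStr::to_str).map_or(false, |ext| TARGET_EXTENSIONS.contains(ext))`. That also drops the `OsStr::new("")` fallback, so an extension-less file can no longer be matched by an empty configured value. The `file_stem()` chain that follows has the same `unwrap()` and can use the same pattern; the enclosing function continues outside the hunk.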
From b20116bdeb1f2d9e6d5bf446f676754bcd2beb5b Mon Sep 17 00:00:00 2001
From: DustInDark
Date: Mon, 20 Jun 2022 20:07:36 +0900
Subject: [PATCH 2/7] added tests #586
---
 src/detections/configs.rs | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
diff --git a/src/detections/configs.rs b/src/detections/configs.rs
index 18bb3489..a22ff4ee 100644
--- a/src/detections/configs.rs
+++ b/src/detections/configs.rs
@@ -538,6 +538,7 @@ fn load_eventcode_info(path: &str) -> EventInfoConfig {
 mod tests {
 use crate::detections::configs;
 use chrono::{DateTime, Utc};
+ use hashbrown::HashSet;
 // #[test]
 // #[ignore]
@@ -581,4 +582,26 @@ mod tests {
 assert!(time_filter.is_target(&start_time));
 assert!(time_filter.is_target(&end_time));
 }
+
+ #[test]
+ fn test_get_target_extensions() {
+ let data = vec!["evtx_data".to_string(), "evtx_stars".to_string()];
+ let arg = Some(&data);
+ let ret = configs::get_target_extensions(arg);
+ let expect:HashSet<&str> = HashSet::from(["evtx", "evtx_data", "evtx_stars"]);
+ assert_eq!(ret.len(), expect.len());
+ for contents in expect.iter() {
+ assert!(ret.contains(&contents.to_string()));
+ }
+ }
+
+ #[test]
+ fn no_target_extensions() {
+ let ret = configs::get_target_extensions(None);
+ let expect:HashSet<&str> = HashSet::from(["evtx"]);
+ assert_eq!(ret.len(), expect.len());
+ for contents in expect.iter() {
+ assert!(ret.contains(&contents.to_string()));
+ }
+ }
 }
From ab440231ebc22b83ed95c2d32fd1b47ed304e690 Mon Sep 17 00:00:00 2001
From: DustInDark
Date: Mon, 20 Jun 2022 20:19:58 +0900
Subject: [PATCH 3/7] updated changelog #586
---
 CHANGELOG-Japanese.md | 2 +-
 CHANGELOG.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md
index e278da1e..d61e70f1 100644
--- a/CHANGELOG-Japanese.md
+++ b/CHANGELOG-Japanese.md
@@ -4,7 +4,7 @@
 **新機能:**
-- XXX
+- `--add-file-extensions` オプションの追加。evtx以外の拡張子を指定する事ができます。ただし、ファイルの中身の形式はevtxファイル形式である必要があります。 (#586) (@hitenkoku)
 **改善:**
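Review bot: Both new tests compare a `HashSet<String>` against a `HashSet<&str>` by checking the length and then looping over the expected set, which is correct but reimplements set equality by hand and, on failure, reports only that one element is missing rather than showing both sets. Building the expectation with the same element type lets `assert_eq!` do the work: `let expect: HashSet<String> = ["evtx", "evtx_data", "evtx_stars"].iter().map(|s| s.to_string()).collect(); assert_eq!(ret, expect);`. `no_target_extensions` also lacks the `test_` prefix its sibling uses. Neither test covers a value passed with a leading dot (`.evtx_data`) or an empty string, which are the inputs most likely to surprise a user of the new option.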
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 176e0ea3..cdd4b149 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,7 +4,7 @@
 **New Features:**
-- XXX
+- Added `--add-file-extensions` option. You can specify other extension exclude evtx extension. but file contents must be evtx format. (#586) (@hitenkoku)
 **Enhancements:**
From c413bd18724aa05e407fa2dde3b7edda1e77960f Mon Sep 17 00:00:00 2001
From: DustInDark
Date: Mon, 20 Jun 2022 20:24:35 +0900
Subject: [PATCH 4/7] updated readme #586
---
 README-Japanese.md | 1 +
 README.md | 1 +
 2 files changed, 2 insertions(+)
diff --git a/README-Japanese.md b/README-Japanese.md
index 7fa767f4..d0babec0 100644
--- a/README-Japanese.md
+++ b/README-Japanese.md
@@ -331,6 +331,7 @@ OPTIONS:
 --RFC-3339 RFC 3339形式で日付と時刻を出力する (例: 2022-02-22 22:00:00.123456-06:00)
 --US-military-time 24時間制(ミリタリータイム)のアメリカ形式で日付と時刻を出力する (例: 02-22-2022 22:00:00.123 -06:00)
 --US-time アメリカ形式で日付と時刻を出力する (例: 02-22-2022 10:00:00.123 PM -06:00)
+ --add-file-extensions ... evtx以外の拡張子を解析対象に追加する。 (例: evtx_data)
 --all-tags 出力したCSVファイルにルール内のタグ情報を全て出力する
 -c, --config ルールフォルダのコンフィグディレクトリ (デフォルト: ./rules/config)
 --contributors コントリビュータの一覧表示
diff --git a/README.md b/README.md
index 799511f2..30f9548c 100644
--- a/README.md
+++ b/README.md
@@ -329,6 +329,7 @@ OPTIONS:
 --RFC-3339 Output timestamp in RFC 3339 format (ex: 2022-02-22 22:00:00.123456-06:00)
 --US-military-time Output timestamp in US military time format (ex: 02-22-2022 22:00:00.123 -06:00)
 --US-time Output timestamp in US time format (ex: 02-22-2022 10:00:00.123 PM -06:00)
+ --add-file-extensions ... Specify target file extension expclude evtx (ex: evtx_data)
 --all-tags Output all tags when saving to a CSV file
 -c, --config Specify custom rule config folder (default: ./rules/config)
 --contributors Print the list of contributors
From eca5fe658af26c5dffb2037e3bf99ea75c90b983 Mon Sep 17 00:00:00 2001
From: DustInDark
Date: Mon, 20 Jun 2022 20:25:42 +0900
Subject: [PATCH 5/7] cargo fmt
---
 src/detections/configs.rs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/detections/configs.rs b/src/detections/configs.rs
index a22ff4ee..ddeaddad 100644
--- a/src/detections/configs.rs
+++ b/src/detections/configs.rs
@@ -588,7 +588,7 @@ mod tests {
 let data = vec!["evtx_data".to_string(), "evtx_stars".to_string()];
 let arg = Some(&data);
 let ret = configs::get_target_extensions(arg);
- let expect:HashSet<&str> = HashSet::from(["evtx", "evtx_data", "evtx_stars"]);
+ let expect: HashSet<&str> = HashSet::from(["evtx", "evtx_data", "evtx_stars"]);
 assert_eq!(ret.len(), expect.len());
 for contents in expect.iter() {
 assert!(ret.contains(&contents.to_string()));
@@ -598,7 +598,7 @@ mod tests {
 #[test]
 fn no_target_extensions() {
 let ret = configs::get_target_extensions(None);
- let expect:HashSet<&str> = HashSet::from(["evtx"]);
+ let expect: HashSet<&str> = HashSet::from(["evtx"]);
 assert_eq!(ret.len(), expect.len());
 for contents in expect.iter() {
 assert!(ret.contains(&contents.to_string()));
From 05abac030f2fbfc4beee09b1fb5197ae6e6fe14a Mon Sep 17 00:00:00 2001
From: DustInDark
Date: Tue, 21 Jun 2022 09:47:44 +0900
Subject: [PATCH 6/7] fixed condition #586
---
 src/main.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/main.rs b/src/main.rs
index 543f1b6a..bf6a4797 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -194,7 +194,7 @@ impl App {
 }
 self.analysis_files(live_analysis_list.unwrap(), &time_filter);
 } else if let Some(filepath) = &configs::CONFIG.read().unwrap().args.filepath {
- if TARGET_EXTENSIONS.contains(
+ if !TARGET_EXTENSIONS.contains(
 filepath
 .extension()
 .unwrap_or_else(|| OsStr::new("."))
From e37371a0773095828b21ec9e318c0e63a3551910 Mon Sep 17 00:00:00 2001
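Review bot: The inverted check this hunk corrects got through because the extension predicate is written inline in `App` and duplicated in the directory walk (the `} else if TARGET_EXTENSIONS.contains(` branch around line 403 of `src/main.rs`), so the unit tests added in PATCH 2/7 could only exercise `get_target_extensions` and never the acceptance decision itself. Extracting the predicate into something like `fn is_target_file(path: &Path) -> bool` used by both call sites would let a test pin the cases (`foo.evtx` accepted, `foo.txt` and `.hidden.evtx` rejected) and stop the two copies drifting apart again. The `if` body and the enclosing function continue outside the hunk.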
From: Tanaka Zakku <71482215+YamatoSecurity@users.noreply.github.com>
Date: Tue, 21 Jun 2022 11:00:32 +0900
Subject: [PATCH 7/7] update readme and option name
---
 CHANGELOG-Japanese.md | 2 +-
 CHANGELOG.md | 2 +-
 README-Japanese.md | 2 +-
 README.md | 2 +-
 src/detections/configs.rs | 10 +++++-----
 5 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md
index d61e70f1..30ac4b47 100644
--- a/CHANGELOG-Japanese.md
+++ b/CHANGELOG-Japanese.md
@@ -4,7 +4,7 @@
 **新機能:**
-- `--add-file-extensions` オプションの追加。evtx以外の拡張子を指定する事ができます。ただし、ファイルの中身の形式はevtxファイル形式である必要があります。 (#586) (@hitenkoku)
+- `--target-file-ext` オプションの追加。evtx以外の拡張子を指定する事ができます。ただし、ファイルの中身の形式はevtxファイル形式である必要があります。 (#586) (@hitenkoku)
 **改善:**
diff --git a/CHANGELOG.md b/CHANGELOG.md
index cdd4b149..5b29f0f2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,7 +4,7 @@
 **New Features:**
-- Added `--add-file-extensions` option. You can specify other extension exclude evtx extension. but file contents must be evtx format. (#586) (@hitenkoku)
+- Added `--target-file-ext` option. You can specify additional file extensions to scan in addtition to the default `.evtx` files. For example, `--target-file-ext evtx_data` or multiple extensions with `--target-file-ext evtx1 evtx2`. (#586) (@hitenkoku)
 **Enhancements:**
diff --git a/README-Japanese.md b/README-Japanese.md
index d0babec0..a27bb786 100644
--- a/README-Japanese.md
+++ b/README-Japanese.md
@@ -331,7 +331,7 @@ OPTIONS:
 --RFC-3339 RFC 3339形式で日付と時刻を出力する (例: 2022-02-22 22:00:00.123456-06:00)
 --US-military-time 24時間制(ミリタリータイム)のアメリカ形式で日付と時刻を出力する (例: 02-22-2022 22:00:00.123 -06:00)
 --US-time アメリカ形式で日付と時刻を出力する (例: 02-22-2022 10:00:00.123 PM -06:00)
- --add-file-extensions ... evtx以外の拡張子を解析対象に追加する。 (例: evtx_data)
+ --target-file-ext ... evtx以外の拡張子を解析対象に追加する。 (例1: evtx_data 例2:evtx1 evtx2)
 --all-tags 出力したCSVファイルにルール内のタグ情報を全て出力する
 -c, --config ルールフォルダのコンフィグディレクトリ (デフォルト: ./rules/config)
 --contributors コントリビュータの一覧表示
diff --git a/README.md b/README.md
index 30f9548c..15546cb2 100644
--- a/README.md
+++ b/README.md
@@ -329,7 +329,7 @@ OPTIONS:
 --RFC-3339 Output timestamp in RFC 3339 format (ex: 2022-02-22 22:00:00.123456-06:00)
 --US-military-time Output timestamp in US military time format (ex: 02-22-2022 22:00:00.123 -06:00)
 --US-time Output timestamp in US time format (ex: 02-22-2022 10:00:00.123 PM -06:00)
- --add-file-extensions ... Specify target file extension expclude evtx (ex: evtx_data)
+ --target-file-ext ... Specify additional target file extensions (ex: evtx_data) (ex: evtx1 evtx2)
 --all-tags Output all tags when saving to a CSV file
 -c, --config Specify custom rule config folder (default: ./rules/config)
 --contributors Print the list of contributors
diff --git a/src/detections/configs.rs b/src/detections/configs.rs
index ddeaddad..883d7858 100644
--- a/src/detections/configs.rs
+++ b/src/detections/configs.rs
@@ -31,7 +31,7 @@ lazy_static! {
 Regex::new(r"^[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}$").unwrap();
 pub static ref TERM_SIZE: Option<(Width, Height)> = terminal_size();
 pub static ref TARGET_EXTENSIONS: HashSet =
- get_target_extensions(CONFIG.read().unwrap().args.add_file_extentions.as_ref());
+ get_target_extensions(CONFIG.read().unwrap().args.evtx_file_ext.as_ref());
 }
 pub struct ConfigReader<'a> {
@@ -208,9 +208,9 @@ pub struct Config {
 #[clap(long)]
 pub contributors: bool,
- /// Specify target file extension expclude evtx (ex: evtx_data)
- #[clap(long = "add-file-extensions", multiple_values = true)]
- pub add_file_extentions: Option>,
+ /// Specify additional target file extensions (ex: evtx_data) (ex: evtx1 evtx2)
+ #[clap(long = "target-file-ext", multiple_values = true)]
+ pub evtx_file_ext: Option>,
 }
 impl ConfigReader<'_> {
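Review bot: The field is renamed to `evtx_file_ext` while the flag it backs is `--target-file-ext` and the static built from it is `TARGET_EXTENSIONS`, so the Rust name now suggests it holds the evtx extension itself rather than the additional ones; `target_file_ext` would keep the three in step, with the matching change in the `TARGET_EXTENSIONS` initialiser in the hunk above. The doc comment could also state the expected format, since values are compared against `Path::extension()` output, which never carries the dot: `/// Specify additional target file extensions, without the leading dot (ex: evtx_data) (ex: evtx1 evtx2)`. The `multiple_values = true` declaration is unchanged, so the argument-consumption caveat from PATCH 1/7 still applies.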
@@ -459,7 +459,7 @@ pub fn load_pivot_keywords(path: &str) {
 });
 }
-/// --add-file-extensionsで追加された拡張子から、調査対象ファイルの拡張子セットを返す関数
+/// --target-file-extで追加された拡張子から、調査対象ファイルの拡張子セットを返す関数
 pub fn get_target_extensions(arg: Option<&Vec>) -> HashSet {
 let mut target_file_extensions: HashSet =
 arg.unwrap_or(&Vec::new()).iter().cloned().collect();