add test for exclude rules

kazuminn
2021-12-09 00:57:40 +09:00
parent c8473b7668
commit b9831ca38a
4 changed files with 56 additions and 57 deletions


@@ -11,7 +11,7 @@ use crate::detections::print::MESSAGES;
use crate::detections::rule;
use crate::detections::rule::RuleNode;
use crate::detections::utils::get_serde_number_to_string;
use crate::fillter::RuleFill;
use crate::fillter;
use crate::yaml::ParseYaml;
use std::sync::Arc;
@@ -55,7 +55,7 @@ impl Detection {
pub fn parse_rule_files(
level: String,
rulespath: Option<&str>,
fill_ids: &RuleFill,
fill_ids: &fillter::RuleFill,
) -> Vec<RuleNode> {
// ルールファイルのパースを実行
let mut rulefile_loader = ParseYaml::new();
@@ -275,9 +275,7 @@ impl Detection {
fn test_parse_rule_files() {
let level = "informational";
let opt_rule_path = Some("./test_files/rules/level_yaml");
let fill_ids = RuleFill {
no_use_rule: std::collections::HashSet::new(),
};
let cole = Detection::parse_rule_files(level.to_owned(), opt_rule_path, &fill_ids);
let cole =
Detection::parse_rule_files(level.to_owned(), opt_rule_path, &fillter::exclude_ids());
assert_eq!(5, cole.len());
}
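Review bot: `test_parse_rule_files` now depends on the contents of `config/exclude-rules.txt` and `config/noisy-rules.txt`, because `fillter::exclude_ids()` reads both relative to the test's working directory and panics if either is missing, and the asserted count of 5 only holds while neither file lists a rule under `test_files/rules/level_yaml`. The explicit empty `RuleFill` this hunk removes was what isolated the test from those user-editable files. For a test that is about level filtering rather than exclusion, keep the empty set: `let fill_ids = fillter::RuleFill { no_use_rule: std::collections::HashSet::new() };` and pass `&fill_ids` as before. If the intent is to also cover the production exclusion path here, a comment saying so and naming the two config files would stop a future config edit from looking like a regression in this test.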


@@ -1,6 +1,36 @@
use crate::detections::configs;
use std::collections::HashSet;
use std::fs;
#[derive(Clone, Debug)]
pub struct RuleFill {
pub no_use_rule: HashSet<String>,
}
pub fn exclude_ids() -> RuleFill {
let mut ids = String::from_utf8(fs::read("config/exclude-rules.txt").unwrap()).unwrap();
if !configs::CONFIG
.read()
.unwrap()
.args
.is_present("show-noisyalerts")
{
ids += "\n"; // 改行を入れないとexclude-rulesの一番最後の行とnoisy-rules.txtの一番最後の行が一行にまとめられてしまう。
ids += &String::from_utf8(fs::read("config/noisy-rules.txt").unwrap()).unwrap();
}
let mut fill_ids = RuleFill {
no_use_rule: HashSet::new(),
};
for v in ids.split_whitespace() {
let v = v.to_string();
if v.is_empty() {
// 空行は無視する。
continue;
}
fill_ids.no_use_rule.insert(v);
}
return fill_ids;
}
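Review bot: `exclude_ids` unwraps the two `fs::read` calls on paths relative to the process working directory, so running the binary (or `cargo test`) from any other directory panics with a bare `NotFound` that does not say which file was missing; given that every token in these files presumably disables a detection rule, a clear failure here is worth having. Replacing the read with `fs::read_to_string("config/exclude-rules.txt").expect("config/exclude-rules.txt is missing or not UTF-8 (path is relative to the working directory)")` (and the same for `config/noisy-rules.txt`) also drops the separate `String::from_utf8` unwrap. The `v.is_empty()` branch in the loop is dead: `split_whitespace()` never yields an empty token, so the check and its comment can go, leaving `fill_ids.no_use_rule.insert(v.to_string())`. The trailing `return fill_ids;` can be the bare expression `fill_ids`.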


@@ -13,7 +13,6 @@ use hayabusa::{detections::configs, timeline::timeline::Timeline};
use hhmmss::Hhmmss;
use pbr::ProgressBar;
use serde_json::Value;
use std::collections::HashSet;
use std::{
fs::{self, File},
path::PathBuf,
@@ -124,34 +123,10 @@ fn analysis_files(evtx_files: Vec<PathBuf>) {
.to_uppercase();
println!("Analyzing event files: {:?}", evtx_files.len());
//除外ルール前処理
let mut ids = String::from_utf8(fs::read("config/exclude-rules.txt").unwrap()).unwrap();
if !configs::CONFIG
.read()
.unwrap()
.args
.is_present("show-noisyalerts")
{
ids += "\n"; // 改行を入れないとexclude-rulesの一番最後の行とnoisy-rules.txtの一番最後の行が一行にまとめられてしまう。
ids += &String::from_utf8(fs::read("config/noisy-rules.txt").unwrap()).unwrap();
}
let mut fill_ids = fillter::RuleFill {
no_use_rule: HashSet::new(),
};
for v in ids.split_whitespace() {
let v = v.to_string();
if v.is_empty() {
// 空行は無視する。
continue;
}
fill_ids.no_use_rule.insert(v);
}
let rule_files = detection::Detection::parse_rule_files(
level,
configs::CONFIG.read().unwrap().args.value_of("rules"),
&fill_ids,
&fillter::exclude_ids(),
);
let mut pb = ProgressBar::new(evtx_files.len() as u64);
let mut detection = detection::Detection::new(rule_files);


@@ -160,6 +160,7 @@ impl ParseYaml {
#[cfg(test)]
mod tests {
use crate::fillter;
use crate::yaml;
use crate::yaml::RuleFill;
use std::collections::HashSet;
@@ -211,10 +212,8 @@ mod tests {
fn test_default_level_read_yaml() {
let mut yaml = yaml::ParseYaml::new();
let path = Path::new("test_files/rules/level_yaml");
let fill_ids = RuleFill {
no_use_rule: HashSet::new(),
};
yaml.read_dir(path.to_path_buf(), &"", &fill_ids).unwrap();
yaml.read_dir(path.to_path_buf(), &"", &fillter::exclude_ids())
.unwrap();
assert_eq!(yaml.files.len(), 5);
}
@@ -222,10 +221,11 @@ mod tests {
fn test_info_level_read_yaml() {
let mut yaml = yaml::ParseYaml::new();
let path = Path::new("test_files/rules/level_yaml");
let fill_ids = RuleFill {
no_use_rule: HashSet::new(),
};
yaml.read_dir(path.to_path_buf(), &"informational", &fill_ids)
yaml.read_dir(
path.to_path_buf(),
&"informational",
&fillter::exclude_ids(),
)
.unwrap();
assert_eq!(yaml.files.len(), 5);
}
@@ -233,10 +233,7 @@ mod tests {
fn test_low_level_read_yaml() {
let mut yaml = yaml::ParseYaml::new();
let path = Path::new("test_files/rules/level_yaml");
let fill_ids = RuleFill {
no_use_rule: HashSet::new(),
};
yaml.read_dir(path.to_path_buf(), &"LOW", &fill_ids)
yaml.read_dir(path.to_path_buf(), &"LOW", &fillter::exclude_ids())
.unwrap();
assert_eq!(yaml.files.len(), 4);
}
@@ -244,10 +241,7 @@ mod tests {
fn test_medium_level_read_yaml() {
let mut yaml = yaml::ParseYaml::new();
let path = Path::new("test_files/rules/level_yaml");
let fill_ids = RuleFill {
no_use_rule: HashSet::new(),
};
yaml.read_dir(path.to_path_buf(), &"MEDIUM", &fill_ids)
yaml.read_dir(path.to_path_buf(), &"MEDIUM", &fillter::exclude_ids())
.unwrap();
assert_eq!(yaml.files.len(), 3);
}
@@ -255,10 +249,7 @@ mod tests {
fn test_high_level_read_yaml() {
let mut yaml = yaml::ParseYaml::new();
let path = Path::new("test_files/rules/level_yaml");
let fill_ids = RuleFill {
no_use_rule: HashSet::new(),
};
yaml.read_dir(path.to_path_buf(), &"HIGH", &fill_ids)
yaml.read_dir(path.to_path_buf(), &"HIGH", &fillter::exclude_ids())
.unwrap();
assert_eq!(yaml.files.len(), 2);
}
@@ -266,11 +257,16 @@ mod tests {
fn test_critical_level_read_yaml() {
let mut yaml = yaml::ParseYaml::new();
let path = Path::new("test_files/rules/level_yaml");
let fill_ids = RuleFill {
no_use_rule: HashSet::new(),
};
yaml.read_dir(path.to_path_buf(), &"CRITICAL", &fill_ids)
yaml.read_dir(path.to_path_buf(), &"CRITICAL", &fillter::exclude_ids())
.unwrap();
assert_eq!(yaml.files.len(), 1);
}
#[test]
fn test_exclude_rules_file() {
let mut yaml = yaml::ParseYaml::new();
let path = Path::new("test_files/rules/exclude_rules");
yaml.read_dir(path.to_path_buf(), &"", &fillter::exclude_ids())
.unwrap();
assert_eq!(yaml.ignorerule_count, 1);
}
}
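Review bot: The new `test_exclude_rules_file` asserts `ignorerule_count == 1` for `test_files/rules/exclude_rules`, but the ID that makes one file excluded has to come from `config/exclude-rules.txt` (or `config/noisy-rules.txt` when `show-noisyalerts` is unset), and neither file is part of this four-file commit, so the test is coupled to a user-editable production config rather than to a fixture under `test_files`. It would be more robust to build the exclusion set from a fixture path, for example a `fillter::exclude_ids_from(paths: &[&str]) -> RuleFill` helper that `exclude_ids()` calls with the two config paths, and have this test call it with `test_files/config/exclude-rules.txt`. The five level tests above now also read the production config and would drift if a rule in `level_yaml` were ever listed there; an empty `RuleFill { no_use_rule: HashSet::new() }` keeps them independent. With the explicit `RuleFill` constructions gone, `use crate::yaml::RuleFill;` and `use std::collections::HashSet;` on the two lines after the new `use crate::fillter;` look unused in this module unless something outside the shown hunks still references them. The `mod tests` block starts before the first hunk here.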